From bd25755d2a6f72961e4dd8925e324596978c4f6a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Mar 2021 06:59:27 +0000 Subject: [PATCH 01/50] Rename ssl_populate_transform() -> ssl_tls12_populate_transform() In TLS 1.2 specific code, the internal helper function ssl_populate_transform() builds an SSL transform structure, representing a specific record protection mechanism. In preparation for a subsequent commit which will introduce a similar helper function specific to TLS 1.3, this commit renames ssl_populate_transform() to ssl_tls12_populate_transform(). Signed-off-by: Hanno Becker --- library/ssl_misc.h | 3 ++- library/ssl_tls.c | 48 +++++++++++++++++++++++----------------------- 2 files changed, 26 insertions(+), 25 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cc19f4723bc7..ca92d6893e7d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -740,7 +740,8 @@ struct mbedtls_ssl_transform #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) /* We need the Hello random bytes in order to re-derive keys from the - * Master Secret and other session info, see ssl_populate_transform() */ + * Master Secret and other session info, + * see ssl_tls12_populate_transform() */ unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */ #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ }; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fe3b5e2e6410..33f4e601c306 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -665,14 +665,14 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, * - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg */ -static int ssl_populate_transform( mbedtls_ssl_transform *transform, +static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, int ciphersuite, const unsigned char master[48], -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ + defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) int encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && + MBEDTLS_SSL_SOME_SUITES_USE_MAC */ ssl_tls_prf_t tls_prf, const unsigned char randbytes[64], int minor_ver, 
@@ -1328,22 +1328,22 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } /* Populate transform structure */ - ret = ssl_populate_transform( ssl->transform_negotiate, - ssl->session_negotiate->ciphersuite, - ssl->session_negotiate->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - ssl->session_negotiate->encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ - ssl->handshake->tls_prf, - ssl->handshake->randbytes, - ssl->minor_ver, - ssl->conf->endpoint, - ssl ); + ret = ssl_tls12_populate_transform( ssl->transform_negotiate, + ssl->session_negotiate->ciphersuite, + ssl->session_negotiate->master, +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ + defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + ssl->session_negotiate->encrypt_then_mac, +#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && + MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + ssl->handshake->tls_prf, + ssl->handshake->randbytes, + ssl->minor_ver, + ssl->conf->endpoint, + ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls12_populate_transform", ret ); return( ret ); } 
@@ -5775,14 +5775,14 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ret = ssl_populate_transform( ssl->transform, + ret = ssl_tls12_populate_transform( ssl->transform, ssl->session->ciphersuite, ssl->session->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ + defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) ssl->session->encrypt_then_mac, -#endif -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && + MBEDTLS_SSL_SOME_SUITES_USE_MAC */ ssl_tls12prf_from_cs( ssl->session->ciphersuite ), p, /* currently pointing to randbytes */ MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */ From c94060c6417468bd0c5fd091f3a3aa4217bbb4bd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Mar 2021 07:50:44 +0000 Subject: [PATCH 02/50] Add TLS 1.3 specific key to SSL transform conversion function This commit adds the TLS 1.3 specific internal function ``` mbedtls_ssl_tls13_populate_transform() ``` which creates an instance of the SSL transform structure `mbedtls_ssl_transform` representing a TLS 1.3 record protection mechanism. It is analogous to the existing internal helper function ``` ssl_tls12_populate_transform() ``` which creates transform structures representing record protection mechanisms in TLS 1.2 and earlier. Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 108 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 33 ++++++++++++ 2 files changed, 141 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index f1c8a12d8662..28313130f70f 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -699,4 +699,112 @@ int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, return( ret ); } +int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, + int endpoint, + int ciphersuite, + mbedtls_ssl_key_set const *traffic_keys, + mbedtls_ssl_context *ssl /* DEBUG ONLY */ ) +{ + int ret; + mbedtls_cipher_info_t const *cipher_info; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + unsigned char const *key_enc; + unsigned char const *iv_enc; + unsigned char const *key_dec; + unsigned char const *iv_dec; + +#if !defined(MBEDTLS_DEBUG_C) + ssl = NULL; /* make sure we don't use it except for those cases */ + (void) ssl; +#endif + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); + + cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* + * Setup cipher contexts in target transform + */ + + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, + cipher_info ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); + return( ret ); + } + + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, + cipher_info ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); + return( ret ); + } + +#if defined(MBEDTLS_SSL_SRV_C) + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + { + key_enc = traffic_keys->server_write_key; + key_dec = traffic_keys->client_write_key; + iv_enc = traffic_keys->server_write_iv; + iv_dec = traffic_keys->client_write_iv; + } + else +#endif /* MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_CLI_C) + if( endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + key_enc = traffic_keys->client_write_key; + key_dec = traffic_keys->server_write_key; + iv_enc = traffic_keys->client_write_iv; + iv_dec = traffic_keys->server_write_iv; + } + else +#endif /* MBEDTLS_SSL_CLI_C */ + { + /* should not happen */ + return( 
MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len ); + memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len ); + + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, + key_enc, cipher_info->key_bitlen, + MBEDTLS_ENCRYPT ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); + } + + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, + key_dec, cipher_info->key_bitlen, + MBEDTLS_DECRYPT ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); + } + + /* + * Setup other fields in SSL transform + */ + + if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 ) + transform->taglen = 8; + else + transform->taglen = 16; + + transform->ivlen = traffic_keys->iv_len; + transform->maclen = 0; + transform->fixed_ivlen = transform->ivlen; + transform->minlen = transform->taglen + 1; + transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4; + + return( 0 ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 3b96998aedea..ca892b166553 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
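Review bot: The two memcpy() calls into transform->iv_enc and transform->iv_dec copy traffic_keys->iv_len bytes without checking that length against the destination, and the mbedtls_cipher_setkey() calls consume cipher_info->key_bitlen bits from key buffers whose real length is traffic_keys->key_len; a key set whose lengths disagree with the ciphersuite becomes an out-of-bounds access instead of an error. Before the copies add `if( traffic_keys->iv_len > sizeof( transform->iv_enc ) || traffic_keys->key_len * 8 != cipher_info->key_bitlen ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` (this assumes iv_enc is a fixed-size array in the transform, which the memcpy target suggests). The unchecked dereference of ciphersuite_info at `ciphersuite_info->cipher` is addressed by PATCH 06 in this series. Note also that every return after the first mbedtls_cipher_setup() leaves the transform with partially set-up cipher contexts, so the contract should say the caller frees it with mbedtls_ssl_transform_free() on failure.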
@@ -498,4 +498,37 @@ int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, unsigned char const *transcript, unsigned char *result ); +/** + * \bref Setup an SSL transform structure representing the + * record protection mechanism used by TLS 1.3 + * + * \param transform The SSL transform structure to be created. This must have + * been initialized through mbedtls_ssl_transform_init() and + * not used in any other way prior to calling this function. + * In particular, this function does not clean up the + * transform structure prior to installing the new keys. + * \param endpoint Indicates whether the transform is for the client + * (value #MBEDTLS_SSL_IS_CLIENT) or the server + * (value #MBEDTLS_SSL_IS_SERVER). + * \param ciphersuite The numerical identifier for the ciphersuite to use. + * This must be one of the identifiers listed in + * ssl_ciphersuites.h. + * \param traffic_keys The key material to use. No reference is stored in + * the SSL transform being generated, and the caller + * should destroy the key material afterwards. + * \param ssl (Debug-only) The SSL context to use for debug output + * in case of failure. This parameter is only needed if + * #MBEDTLS_DEBUG_C is set, and is ignored otherwise. + * + * \return \c 0 on success. In this case, \p transform is ready to + * be used with mbedtls_ssl_transform_decrypt() and + * mbedtls_ssl_transform_encrypt(). + * \return A negative error code on failure. + */ +int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, + int endpoint, + int ciphersuite, + mbedtls_ssl_key_set const *traffic_keys, + mbedtls_ssl_context *ssl ); + #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 79e2d1b6f6eb5c07370afe20c20af00a727a190b Mon Sep 17 00:00:00 2001 
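Review bot: `\bref` at the top of the new Doxygen block is a typo for `\brief`, so Doxygen will not pick up the summary; change the line to ` * \brief Setup an SSL transform structure representing the`. The \param ssl text should also state whether \c NULL is accepted, since the unit test added in PATCH 04 passes NULL for it and that is only safe if the debug macros tolerate a NULL context. The failure contract is incomplete as well: the implementation returns after mbedtls_cipher_setup() has already run on the transform's cipher contexts, so add to the error \return `On failure, \p transform is left partially set up and must be freed by the caller with mbedtls_ssl_transform_free().`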
From: Hanno Becker Date: Mon, 22 Mar 2021 11:42:19 +0000 Subject: [PATCH 03/50] Fix AEAD additional data computation for TLS 1.3 The AEAD additional data (AAD) is computed differently in TLS 1.3 compared to TLS 1.2, but this change hasn't yet been reflected in the code, rendering the current implementation of ``` mbedtls_ssl_{encrypt,decrypt}_buf() ``` not standard compliant. This commit fixes this by adjusting the AAD extraction function ssl_extract_add_data_from_record() and its call-sites. Please see the documentation of the code for an explanation of how the AAD has changed from TLS 1.2 to TLS 1.3. Signed-off-by: Hanno Becker --- library/ssl_msg.c | 53 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 12 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 76cc2b17d46c..cf2eab56bfc2 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -384,7 +384,8 @@ static int ssl_parse_inner_plaintext( unsigned char const *content, static void ssl_extract_add_data_from_record( unsigned char* add_data, size_t *add_data_len, mbedtls_record *rec, - unsigned minor_ver ) + unsigned minor_ver, + size_t taglen ) { /* Quoting RFC 5246 (TLS 1.2): * 
@@ -403,15 +404,37 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, * * For TLS 1.3, the record sequence number is dropped from the AAD * and encoded within the nonce of the AEAD operation instead. + * Moreover, the additional data involves the length of the TLS + * ciphertext, not the TLS plaintext as in earlier versions. + * Quoting RFC 8446 (TLS 1.3): + * + * additional_data = TLSCiphertext.opaque_type || + * TLSCiphertext.legacy_record_version || + * TLSCiphertext.length + * + * We pass the tag length to this function in order to compute the + * ciphertext length from the inner plaintext length rec->data_len via + * + * TLSCiphertext.length = TLSInnerPlaintext.length + taglen. + * */ unsigned char *cur = add_data; + size_t ad_len_field = rec->data_len; #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 ) + if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + /* In TLS 1.3, the AAD contains the length of the TLSCiphertext, + * which differs from the length of the TLSInnerPlaintext + * by the length of the authentication tag. */ + ad_len_field += taglen; + } + else #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ { ((void) minor_ver); + ((void) taglen); memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); cur += sizeof( rec->ctr ); } @@ -431,15 +454,15 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, *cur = rec->cid_len; cur++; - cur[0] = ( rec->data_len >> 8 ) & 0xFF; - cur[1] = ( rec->data_len >> 0 ) & 0xFF; + cur[0] = ( ad_len_field >> 8 ) & 0xFF; + cur[1] = ( ad_len_field >> 0 ) & 0xFF; cur += 2; } else #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ { - cur[0] = ( rec->data_len >> 8 ) & 0xFF; - cur[1] = ( rec->data_len >> 0 ) & 0xFF; + cur[0] = ( ad_len_field >> 8 ) & 0xFF; + cur[1] = ( ad_len_field >> 0 ) & 0xFF; cur += 2; } 
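Review bot: The TLS 1.3 branch (`ad_len_field += taglen`) is only correct if rec->data_len is the TLSInnerPlaintext length at every call site; on the decryption side that means the caller must already have removed the tag from rec->data_len before calling, which this function cannot verify. Record that as a precondition in the function's header comment, e.g. `/* Precondition (TLS 1.3): rec->data_len is the TLSInnerPlaintext length, i.e. on the decryption path the tag has already been subtracted from it. */`. The two-byte serialization `( ad_len_field >> 8 ) & 0xFF` in the second hunk silently truncates any value above 0xFFFF, and adding taglen moves the sum closer to that edge than data_len alone was; a bound check, or at least a comment stating the assumption, would be cheap. The enclosing function continues between and after the two hunks shown here.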
@@ -646,7 +669,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, unsigned char mac[MBEDTLS_SSL_MAC_ADD]; ssl_extract_add_data_from_record( add_data, &add_data_len, rec, - transform->minor_ver ); + transform->minor_ver, + transform->taglen ); mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, add_data_len ); @@ -743,7 +767,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * This depends on the TLS version. */ ssl_extract_add_data_from_record( add_data, &add_data_len, rec, - transform->minor_ver ); + transform->minor_ver, + transform->taglen ); MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", iv, transform->ivlen ); @@ -897,7 +922,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, } ssl_extract_add_data_from_record( add_data, &add_data_len, - rec, transform->minor_ver ); + rec, transform->minor_ver, + transform->taglen ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, @@ -1304,7 +1330,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * This depends on the TLS version. */ ssl_extract_add_data_from_record( add_data, &add_data_len, rec, - transform->minor_ver ); + transform->minor_ver, + transform->taglen ); MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", add_data, add_data_len ); @@ -1414,7 +1441,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * Further, we still know that data_len > minlen */ rec->data_len -= transform->maclen; ssl_extract_add_data_from_record( add_data, &add_data_len, rec, - transform->minor_ver ); + transform->minor_ver, + transform->taglen ); /* Calculate expected MAC. */ MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, 
@@ -1606,7 +1634,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, */ rec->data_len -= transform->maclen; ssl_extract_add_data_from_record( add_data, &add_data_len, rec, - transform->minor_ver ); + transform->minor_ver, + transform->taglen ); #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* From a77d005d39e78b55231311d034f2187eae8d5929 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Mar 2021 15:16:33 +0000 Subject: [PATCH 04/50] Add known answer tests for TLS 1.3 record protection This commit adds four known answer tests for TLS 1.3 record protection from the following sources: - RFC 8448 "Example Handshake Traces for TLS 1.3" - tls13.ulfheim.net "The New Illustrated TLS Connection" It extends the test coverage of the existing record protection tests in the following ways: - The existing record protection tests hand-craft record transform structures; the new tests use the function mbedtls_ssl_tls13_populate_transform() from library source to create a TLS 1.3 transform from raw key material and connection information. - The existing record protection tests only check that encryption and decryption are inverse to each other; as such, they don't catch non-compliant implementations of encryption and decryption which happen to be inverse to each other. By adding a known answer test for TLS 1.3 record protection, we can gain confidence that our implementation is indeed standards-compliant. Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 55 ++++++++++++++++++ tests/suites/test_suite_ssl.function | 86 ++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 5d92469ad7c0..efedd061540c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -6021,6 +6021,61 @@ SSL TLS 1.3 Key schedule: Handshake secrets derivation helper # Vector from RFC 8448 ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" +SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 +# - Server App Key: 0b6d22c8ff68097ea871c672073773bf +# - Server App IV: 1b13dd9f8d8f17091d34b349 +# - Client App Key: 49134b95328f279f0183860589ac6707 +# - Client App IV: bc4dd5f7b98acff85466261d +# - App data payload: 70696e67 +# - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 +ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" + +SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 +# - Server App Key: 0b6d22c8ff68097ea871c672073773bf +# - Server App IV: 1b13dd9f8d8f17091d34b349 +# - Client App Key: 49134b95328f279f0183860589ac6707 +# - Client App IV: bc4dd5f7b98acff85466261d +# - App data payload: 706f6e67 +# - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 +ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" + +SSL TLS 1.3 Record Encryption RFC 8448 Example #1 +# Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3 +# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56 +# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84 +# - Client 
App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51 +# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9 +# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f +# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f +# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f +# 30 31 +# - Complete record: 17 03 03 00 43 a2 3f 70 54 b6 2c 94 d0 af fa fe +# 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f +# 2b 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b +# 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 +# 3a ee bb 21 69 49 15 e4 +ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" + +SSL TLS 1.3 Record Encryption RFC 8448 Example #2 +# Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3 +# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56 +# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84 +# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51 +# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9 +# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f +# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f +# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f +# 30 31 +# - Complete record: 17 03 03 00 43 2e 93 7e 11 ef 4a c7 40 e5 38 ad +# 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36 +# e3 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8 +# fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 +# 0d d0 32 e1 67 c2 95 5d 
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" + +SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE +ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE + SSL TLS 1.3 Key schedule: Application secrets derivation helper # Vector from RFC 8448 ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 081e8a45a689..a83d6e2befbd 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
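Review bot: The hunk also adds a `SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE` case, which is not a TLS 1.3 known-answer test and is not mentioned in the commit message; if it is intended, the description should say so, and if it is a rebase leftover it belongs in its own commit. For the four KAT entries, the positional arguments (in particular the endpoint and the record counter) are only explained by the parameter names in the .function file; a one-line comment before the first entry such as `# args: ciphersuite:endpoint:record counter:server key:server IV:client key:client IV:plaintext:ciphertext` would make the vectors easier to check against RFC 8448 and the ulfheim trace.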
@@ -3943,6 +3943,92 @@ void ssl_tls1_3_create_psk_binder( int hash_alg, } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_record_protection( int ciphersuite, + int endpoint, + int ctr, + data_t *server_write_key, + data_t *server_write_iv, + data_t *client_write_key, + data_t *client_write_iv, + data_t *plaintext, + data_t *ciphertext ) +{ + mbedtls_ssl_key_set keys; + mbedtls_ssl_transform transform_send; + mbedtls_ssl_transform transform_recv; + mbedtls_record rec; + unsigned char *buf = NULL; + int other_endpoint; + + TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT || + endpoint == MBEDTLS_SSL_IS_SERVER ); + + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + other_endpoint = MBEDTLS_SSL_IS_CLIENT; + if( endpoint == MBEDTLS_SSL_IS_CLIENT ) + other_endpoint = MBEDTLS_SSL_IS_SERVER; + + TEST_ASSERT( server_write_key->len == client_write_key->len ); + TEST_ASSERT( server_write_iv->len == client_write_iv->len ); + + memcpy( keys.client_write_key, + client_write_key->x, client_write_key->len ); + memcpy( keys.client_write_iv, + client_write_iv->x, client_write_iv->len ); + memcpy( keys.server_write_key, + server_write_key->x, server_write_key->len ); + memcpy( keys.server_write_iv, + server_write_iv->x, server_write_iv->len ); + + keys.key_len = server_write_key->len; + keys.iv_len = server_write_iv->len; + + mbedtls_ssl_transform_init( &transform_recv ); + mbedtls_ssl_transform_init( &transform_send ); + + TEST_ASSERT( mbedtls_ssl_tls13_populate_transform( + &transform_send, endpoint, + ciphersuite, &keys, NULL ) == 0 ); + TEST_ASSERT( mbedtls_ssl_tls13_populate_transform( + &transform_recv, other_endpoint, + ciphersuite, &keys, NULL ) == 0 ); + + ASSERT_ALLOC( buf, ciphertext->len ); + rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; + mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3, + MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_TRANSPORT_STREAM, + rec.ver ); + + /* Copy plaintext into record structure */ + rec.buf = buf; 
+ rec.buf_len = ciphertext->len; + rec.data_offset = 0; + TEST_ASSERT( plaintext->len <= ciphertext->len ); + memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len ); + rec.data_len = plaintext->len; +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + rec.cid_len = 0; +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + + memset( &rec.ctr[0], 0, 8 ); + rec.ctr[7] = ctr; + + TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec, + NULL, NULL ) == 0 ); + ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len, + ciphertext->x, ciphertext->len ); + + TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 ); + ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len, + plaintext->x, plaintext->len ); + + mbedtls_ssl_transform_free( &transform_send ); + mbedtls_ssl_transform_free( &transform_recv ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ void ssl_tls1_3_key_evolution( int hash_alg, data_t *secret, From 80e760e00642836a19e7c05efad3ac34a57230be Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Mar 2021 06:00:21 +0000 Subject: [PATCH 05/50] Fix memory leak in TLS 1.3 record protection unit test Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.function | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a83d6e2befbd..554e7b86e23f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4024,6 +4024,7 @@ void ssl_tls1_3_record_protection( int ciphersuite, ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len, plaintext->x, plaintext->len ); + mbedtls_free( buf ); mbedtls_ssl_transform_free( &transform_send ); mbedtls_ssl_transform_free( &transform_recv ); } From 7887a77c2507bfbddd2238a0a1a06f9b19d7f64e Mon Sep 17 00:00:00 2001 
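Review bot: Every TEST_ASSERT in ssl_tls1_3_record_protection() leaves through the exit label on failure, so the buffer from ASSERT_ALLOC and the two transforms are released only when every check passes; the `mbedtls_free( buf )` added by PATCH 05 is on that same all-pass path and does not change this. Move the two mbedtls_ssl_transform_init() calls ahead of the first TEST_ASSERT so that freeing is always valid, and put the three releases under `exit:`. The memcpy() calls into keys.client_write_key and the other three key-set fields are also unbounded by the destination size, so a malformed .data vector would overflow the stack (assuming those fields are fixed-size arrays, as the memcpy targets suggest); bound them with TEST_ASSERT against sizeof. `other_endpoint` is assigned by two independent ifs, which -Wmaybe-uninitialized flags; a conditional expression after the endpoint assert avoids that.
```c
    mbedtls_ssl_transform_init( &transform_recv );
    mbedtls_ssl_transform_init( &transform_send );

    TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
                 endpoint == MBEDTLS_SSL_IS_SERVER );
    other_endpoint = ( endpoint == MBEDTLS_SSL_IS_SERVER ) ?
                     MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER;

    TEST_ASSERT( server_write_key->len == client_write_key->len );
    TEST_ASSERT( server_write_iv->len == client_write_iv->len );
    TEST_ASSERT( client_write_key->len <= sizeof( keys.client_write_key ) );
    TEST_ASSERT( client_write_iv->len <= sizeof( keys.client_write_iv ) );
    TEST_ASSERT( server_write_key->len <= sizeof( keys.server_write_key ) );
    TEST_ASSERT( server_write_iv->len <= sizeof( keys.server_write_iv ) );
    /* … unchanged: key-set population, populate_transform calls, record encrypt/decrypt checks … */

exit:
    mbedtls_free( buf );
    mbedtls_ssl_transform_free( &transform_send );
    mbedtls_ssl_transform_free( &transform_recv );
}
```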
From: Hanno Becker Date: Tue, 20 Apr 2021 05:27:57 +0100 Subject: [PATCH 06/50] Match parameter check in TLS 1.3 populate transform to 1.2 version Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 28313130f70f..0977cabb3411 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -719,12 +719,19 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, #endif ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); + if( ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found", + ciphersuite ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); if( cipher_info == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found", + ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ) } /* From edd5bf0a95d05d72c405be84011ea9638d2b966d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 20 Apr 2021 05:32:16 +0100 Subject: [PATCH 07/50] Fix and document minimum length of record ciphertext in TLS 1.3 Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 0977cabb3411..8270009c763e 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
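Review bot: `ciphersuite_info->cipher` is an enumeration value passed for a `%u` conversion in the new debug message; enumerations promote to int (or an implementation-chosen type), so -Wformat builds will complain and the argument should be cast explicitly, `( unsigned ) ciphersuite_info->cipher`. The `return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA )` in the same branch is missing its semicolon; PATCH 09 in this series adds it. The function continues outside this hunk on both sides.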
@@ -808,9 +808,15 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, transform->ivlen = traffic_keys->iv_len; transform->maclen = 0; transform->fixed_ivlen = transform->ivlen; - transform->minlen = transform->taglen + 1; transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4; + /* We add the true record content type (1 Byte) to the plaintext and + * then pad to the configured granularity. The mimimum length of the + * type-extended and padded plaintext is therefore the padding + * granularity. */ + transform->minlen = + transform->taglen + MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY; + return( 0 ); } From 41537452f495a7ee448a7bd4d0d5f566341263d6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 20 Apr 2021 05:35:28 +0100 Subject: [PATCH 08/50] Add comment regarding the wire-version used in TLS 1.3 records Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 554e7b86e23f..2e09907228d7 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3996,6 +3996,8 @@ void ssl_tls1_3_record_protection( int ciphersuite, ASSERT_ALLOC( buf, ciphertext->len ); rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; + + /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */ mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, MBEDTLS_SSL_TRANSPORT_STREAM, From f62a730e80ebdc976d32b1d0f52078273ee1fb7f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 05:21:28 +0100 Subject: [PATCH 09/50] Add missing semicolon in TLS 1.3 transform generation code Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 8270009c763e..91384f281f26 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
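Review bot: The new minlen derives the minimum accepted ciphertext length from MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY, but that granularity is a local, sender-side choice the peer knows nothing about: RFC 8446 only requires TLSInnerPlaintext to be at least one byte (the content type), so a peer that pads less, or not at all, legitimately sends records of taglen + 1 bytes. If minlen is enforced against incoming records, as its name and the TLS 1.2 code's "Minimum length of encrypted record" usage suggest (the check itself is outside this hunk), such records would be rejected; the standards-derived bound `transform->minlen = transform->taglen + 1;` should be kept, with any granularity-based minimum applied only to records this side produces. The comment also misspells `mimimum`. The function continues outside the hunk on both sides.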
@@ -731,7 +731,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, { MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found", ciphersuite_info->cipher ) ); - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* From c0da10dc3a491a4aab41503c12921e11fe7b9fb7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Apr 2021 05:32:23 +0100 Subject: [PATCH 10/50] Remove TLS 1.3 specific code from TLS <= 1.2 transform generator Signed-off-by: Hanno Becker --- library/ssl_tls.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 33f4e601c306..88a3e745ef93 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -714,6 +714,15 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) ); #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform + * generation separate. This should never happen. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* * Get various info structures */ @@ -806,19 +815,10 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * sequence number). */ transform->ivlen = 12; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) - { + if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) transform->fixed_ivlen = 12; - } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - { - if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) - transform->fixed_ivlen = 12; - else - transform->fixed_ivlen = 4; - } + transform->fixed_ivlen = 4; /* Minimum length of encrypted record */ explicit_ivlen = transform->ivlen - transform->fixed_ivlen; 
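Review bot: The new TLS 1.3 guard in ssl_tls12_populate_transform() returns MBEDTLS_ERR_SSL_INTERNAL_ERROR silently, while the function's other failure paths are reported at debug level 1 (its caller logs the result with MBEDTLS_SSL_DEBUG_RET in PATCH 01); add `MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 transforms must be built by mbedtls_ssl_tls13_populate_transform()" ) );` before the return. The guard is also placed after the randbytes memcpy under MBEDTLS_SSL_CONTEXT_SERIALIZATION, so the transform has already been partially written when it fires; moving it before the first write to transform keeps the failure path free of side effects. The function starts and ends outside both hunks.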
From dfba065d80adc007e81288e3655de82dfefb56d5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 1 Aug 2021 19:16:57 +0100 Subject: [PATCH 11/50] Adjust ssl_tls13_keys.c to consolidated CID/1.3 padding granularity Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 91384f281f26..902f99ea8147 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -815,7 +815,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * type-extended and padded plaintext is therefore the padding * granularity. */ transform->minlen = - transform->taglen + MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY; + transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; return( 0 ); } From 1f91878281cdb680c98f33a3312d1fce56f45eba Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sun, 1 Aug 2021 19:18:28 +0100 Subject: [PATCH 12/50] Specify padding granularity in TLS 1.3 record protection KATs Still check that encryption and decryption are inverse to each other if the granularity does not match the one used in the KAT. Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 12 ++++++++---- tests/suites/test_suite_ssl.function | 17 +++++++++++++---- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index efedd061540c..04f6e1d34455 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -6028,7 +6028,8 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1
 # - Client App IV: bc4dd5f7b98acff85466261d
 # - App data payload: 70696e67
 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5
-ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
+# - Padding used: No (== granularity 1)
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
 
 SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
 # - Server App Key: 0b6d22c8ff68097ea871c672073773bf
@@ -6037,7 +6038,8 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
 # - Client App IV: bc4dd5f7b98acff85466261d
 # - App data payload: 706f6e67
 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7
-ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
+# - Padding used: No (== granularity 1)
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
 
 SSL TLS 1.3 Record Encryption RFC 8448 Example #1
 # Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3
@@ -6054,7 +6056,8 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1
 # 2b 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b
 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6
 # 3a ee bb 21 69 49 15 e4
-ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
+# - Padding used: No (== granularity 1)
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
 
 SSL TLS 1.3 Record Encryption RFC 8448 Example #2
 # Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3
@@ -6071,7 +6074,8 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2
 # e3 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8
 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54
 # 0d d0 32 e1 67 c2 95 5d
-ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
+# - Padding used: No (== granularity 1)
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
 
 SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
 ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 2e09907228d7..6d8a9e86715e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3947,6 +3947,7 @@ void ssl_tls1_3_create_psk_binder( int hash_alg,
 void ssl_tls1_3_record_protection( int ciphersuite,
                                    int endpoint,
                                    int ctr,
+                                   int padding_used,
                                    data_t *server_write_key,
                                    data_t *server_write_iv,
                                    data_t *client_write_key,
@@ -3959,6 +3960,7 @@ void ssl_tls1_3_record_protection( int ciphersuite,
     mbedtls_ssl_transform transform_recv;
     mbedtls_record rec;
     unsigned char *buf = NULL;
+    size_t buf_len;
     int other_endpoint;
 
     TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
@@ -3994,7 +3996,10 @@ void ssl_tls1_3_record_protection( int ciphersuite,
                      &transform_recv, other_endpoint,
                      ciphersuite, &keys, NULL ) == 0 );
 
-    ASSERT_ALLOC( buf, ciphertext->len );
+    /* Make sure we have enough space in the buffer even if
+     * we use more padding than the KAT. */
+    buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
+    ASSERT_ALLOC( buf, buf_len );
 
     rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
     /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */
@@ -4005,7 +4010,7 @@ void ssl_tls1_3_record_protection( int ciphersuite,
 
     /* Copy plaintext into record structure */
     rec.buf = buf;
-    rec.buf_len = ciphertext->len;
+    rec.buf_len = buf_len;
     rec.data_offset = 0;
     TEST_ASSERT( plaintext->len <= ciphertext->len );
     memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
@@ -4019,8 +4024,12 @@ void ssl_tls1_3_record_protection( int ciphersuite,
     TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
                                           NULL, NULL ) == 0 );
 
-    ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
-                    ciphertext->x, ciphertext->len );
+
+    if( padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY )
+    {
+        ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+                        ciphertext->x, ciphertext->len );
+    }
 
     TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
     ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,

From 6c53ecc01db4212da1a8715afe1abc599a9c6f0d Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sun, 1 Aug 2021 19:20:10 +0100
Subject: [PATCH 13/50] all.sh: Run basic TLS 1.3 with and without record padding

Signed-off-by: Hanno Becker
---
 tests/scripts/all.sh | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

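Review bot: In the `@@ -4019` hunk, when `padding_used` does not equal MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY the KAT comparison is skipped entirely, so a build with a different granularity degrades this test to a bare encrypt/decrypt round trip without any check on the produced record. A cheap length check keeps some value in that configuration, e.g. `TEST_ASSERT( rec.data_len >= ciphertext->len );` and, if `rec.data_len` is padded-plaintext plus tag as the minlen formula in ssl_tls13_keys.c suggests, `TEST_ASSERT( ( rec.data_len - transform_send.taglen ) % MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY == 0 );` in an `else` branch. The parameter is named `padding_used` but holds a granularity value compared against the configured granularity; `padding_granularity` would describe it, and the `.data` comments already say "granularity 1". The test function's body continues outside the hunk.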
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index f8e43c871441..5d2710cadc94 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2437,11 +2437,22 @@ component_build_armcc () {
 }
 
 component_test_tls13_experimental () {
-    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled"
+    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, without padding"
     scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+    scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
     make
-    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled"
+    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, without padding"
+    make test
+}
+
+component_test_tls13_experimental_with_padding () {
+    msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, with padding"
+    scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+    scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+    msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, with padding"
     make test
 }
 

From d7e4b2ce4267c681a72e31faa2611b3250ee1541 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sun, 1 Aug 2021 20:13:06 +0100
Subject: [PATCH 14/50] Remove duplicated test from SSL test suite

Signed-off-by: Hanno Becker
---
 tests/suites/test_suite_ssl.data | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 04f6e1d34455..25eefb3ab9fd 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
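Review bot: The two components in this hunk are the same five build/test lines twice, differing only in the granularity value and the msg suffix, which is the kind of duplication all.sh tends to accumulate. A small helper taking the granularity as an argument, e.g. `build_and_test_tls13_experimental () { ... scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY "$1" ... }` called as `build_and_test_tls13_experimental 1` and `build_and_test_tls13_experimental 16`, would keep the two runs from drifting apart when the build steps change. The msg strings should then be derived from the same argument so the log stays unambiguous.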
@@ -6077,9 +6077,6 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2
 # - Padding used: No (== granularity 1)
 ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
 
-SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
-ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
-
 SSL TLS 1.3 Key schedule: Application secrets derivation helper
 # Vector from RFC 8448
 ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4"

From b0302c4c7bdc684c5307040e9e8d8c314e245c48 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 3 Aug 2021 09:39:42 +0100
Subject: [PATCH 15/50] Move messaging related session reset into separate helper function

- Improves readability
- Will be useful when we introduce MPS as an alternative msg layer.
- Will be useful when we need to reset the messaging layer upon receipt of a HelloRetryRequest in TLS 1.3.

Signed-off-by: Hanno Becker
---
 library/ssl_tls.c | 90 +++++++++++++++++++++++++----------------------
 1 file changed, 47 insertions(+), 43 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fe3b5e2e6410..c43f92a37600 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3231,9 +3231,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
  * If partial is non-zero, keep data in the input buffer and client ID.
  * (Use when a DTLS client reconnects from the same port.)
  */
-int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
+                                         int partial )
 {
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
     size_t in_buf_len = ssl->in_buf_len;
     size_t out_buf_len = ssl->out_buf_len;
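Review bot: The existing header comment ("If partial is non-zero, keep data in the input buffer and client ID ...") now sits directly above the new static helper, while `mbedtls_ssl_session_reset_int`, which is re-declared further down in the `@@ -3242` hunk, is left with no comment at all. The helper deserves its own one-liner stating its scope, e.g. `/* Reset the record/message layer state: in/out parsing state, buffers, counters, and free ssl->transform. Session and renegotiation state is left to the caller. */`, and the `partial` description should move to (or be repeated at) the new position of mbedtls_ssl_session_reset_int so the public entry point keeps its documentation. The `partial = 0;` assignment under the negated `#if` in the next hunk is worth a brief comment too, since it silently overrides the caller's argument in builds without DTLS client port reuse.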
@@ -3242,73 +3242,77 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
     size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
 #endif
 
-#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
-    !defined(MBEDTLS_SSL_SRV_C)
-    ((void) partial);
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
+    partial = 0;
 #endif
 
-    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
-
     /* Cancel any possibly running timer */
     mbedtls_ssl_set_timer( ssl, 0 );
 
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
-    ssl->renego_records_seen = 0;
-
-    ssl->verify_data_len = 0;
-    memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
-    memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
-#endif
-    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
-
-    ssl->in_offt = NULL;
     mbedtls_ssl_reset_in_out_pointers( ssl );
 
+    /* Reset incoming message parsing */
+    ssl->in_offt = NULL;
+    ssl->nb_zero = 0;
     ssl->in_msgtype = 0;
-    ssl->in_msglen = 0;
+    ssl->in_msglen = 0;
+    ssl->in_hslen = 0;
+    ssl->keep_current_message = 0;
+    ssl->transform_in = NULL;
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     ssl->next_record_offset = 0;
     ssl->in_epoch = 0;
 #endif
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-    mbedtls_ssl_dtls_replay_reset( ssl );
-#endif
-
-    ssl->in_hslen = 0;
-    ssl->nb_zero = 0;
-
-    ssl->keep_current_message = 0;
-
-    ssl->out_msgtype = 0;
-    ssl->out_msglen = 0;
-    ssl->out_left = 0;
-
-    memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
-
-    ssl->transform_in = NULL;
-    ssl->transform_out = NULL;
-
-    ssl->session_in = NULL;
-    ssl->session_out = NULL;
-    memset( ssl->out_buf, 0, out_buf_len );
-
-#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+    /* Keep current datagram if partial == 1 */
     if( partial == 0 )
-#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
     {
         ssl->in_left = 0;
         memset( ssl->in_buf, 0, in_buf_len );
     }
 
+    /* Reset outgoing message writing */
+    ssl->out_msgtype = 0;
+    ssl->out_msglen = 0;
+    ssl->out_left = 0;
+    memset( ssl->out_buf, 0, out_buf_len );
+    memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
+    ssl->transform_out = NULL;
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    mbedtls_ssl_dtls_replay_reset( ssl );
+#endif
+
     if( ssl->transform )
     {
         mbedtls_ssl_transform_free( ssl->transform );
         mbedtls_free( ssl->transform );
         ssl->transform = NULL;
     }
+}
+
+int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+
+    ssl_session_reset_msg_layer( ssl, partial );
+
+    /* Reset renegotiation state */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+    ssl->renego_records_seen = 0;
+    ssl->verify_data_len = 0;
+    memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+    memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+#endif
+    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+    ssl->session_in = NULL;
+    ssl->session_out = NULL;
 
     if( ssl->session )
     {
         mbedtls_ssl_session_free( ssl->session );

From f3cce8b0e1bb5df423e4c4bf46ac1cd5d5387300 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sat, 7 Aug 2021 14:29:49 +0100
Subject: [PATCH 16/50] Add handshake message writing variant that doesn't update checksum

The helper `mbedtls_ssl_write_handshake_msg` writes a handshake message and updates the handshake transcript. With TLS 1.3, we need finer control over the checksum: updating at message granularity is not sufficient. To allow for manual maintenance of the checksum in those cases, refine `mbedtls_ssl_write_handshake_msg()` into `mbedtls_ssl_write_handshake_msg_ext()` which takes a parameter determining whether the checksum should be updated.

Signed-off-by: Hanno Becker
---
 library/ssl_misc.h | 8 +++++++-
 library/ssl_msg.c  | 5 +++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index cc19f4723bc7..e4966f0198e8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -971,7 +971,13 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
                              unsigned update_hs_digest );
 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
 
-int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
+                                         int update_checksum );
+static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
+{
+    return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */ ) );
+}
+
 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
 
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 76cc2b17d46c..fe26eaaf291a 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -2360,7 +2360,8 @@ void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
  *                 (including handshake headers but excluding record headers)
  *               - ssl->out_msg: the record contents (handshake headers + content)
  */
-int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
+                                         int update_checksum )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const size_t hs_len = ssl->out_msglen - 4;
@@ -2469,7 +2470,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     /* Update running hashes of handshake messages seen */
-    if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+    if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 )
         ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
     }
 

From 41934dd20a71fc474f0bd4f6cb754b09b48bd52f Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sat, 7 Aug 2021 19:13:43 +0100
Subject: [PATCH 17/50] Share preparatory code between client and server handshake steps
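Review bot: Neither the new declaration of `mbedtls_ssl_write_handshake_msg_ext` in ssl_misc.h nor the comment block above its definition in ssl_msg.c (whose first lines are outside the hunk) describes the `update_checksum` parameter, and the transcript hash is exactly the thing a caller passing 0 takes responsibility for. On the header declaration add something like `/* update_checksum: if non-zero, the message is added to the handshake transcript hash (ssl->handshake->update_checksum). Pass 0 only when the caller feeds the transcript itself, e.g. for TLS 1.3 messages that are hashed at sub-message granularity; HelloRequest is never hashed regardless. */`, and extend the existing "Update running hashes" comment in the second hunk to say the same in one line. Since the transcript determines what the Finished MAC covers, a caller that passes 0 and forgets to update the checksum yields a handshake that fails verification rather than a silent weakness, which is worth stating so future callers do not treat 0 as a harmless optimisation.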
Signed-off-by: Hanno Becker
---
 library/ssl_cli.c | 15 ---------------
 library/ssl_srv.c | 15 ---------------
 library/ssl_tls.c | 32 ++++++++++++++++++++++++++++++--
 3 files changed, 30 insertions(+), 32 deletions(-)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e0a1c24ec1d7..59c546042907 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -4210,23 +4210,8 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
 
-    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
 
-    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
-        return( ret );
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
-    {
-        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
-            return( ret );
-    }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
     /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
      * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index d82ec0471f1e..3d6739342db7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -4258,23 +4258,8 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
 
-    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
 
-    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
-        return( ret );
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
-    {
-        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
-            return( ret );
-    }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
     switch( ssl->state )
     {
         case MBEDTLS_SSL_HELLO_REQUEST:
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bb5ddc470eeb..bf87fe56dc1a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5076,12 +5076,40 @@ int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
 /*
  * Perform a single step of the SSL handshake
  */
+static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    return( ret );
+}
+
 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
 {
-    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if( ssl == NULL || ssl->conf == NULL )
+    if( ssl == NULL ||
+        ssl->conf == NULL ||
+        ssl->handshake == NULL ||
+        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    ret = ssl_prepare_handshake_step( ssl );
+    if( ret != 0 )
+        return( ret );
 
 #if defined(MBEDTLS_SSL_CLI_C)
     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )

From b6bbbb174da33a860b5556e989e334f8d7eee7b3 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 09:00:14 +0100
Subject: [PATCH 18/50] Fix typo in documentation of ssl->transform_out

Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 221cee33799f..639e3d962a82 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
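Review bot: `mbedtls_ssl_handshake_step` used to start with `ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE`, which was the value returned when neither the client nor the server branch applied (endpoint not matching a compiled-in side); the new code initialises `ret` to CORRUPTION_DETECTED and then overwrites it with 0 from `ssl_prepare_handshake_step`, so if the rest of the function (outside this hunk) falls through the `#if MBEDTLS_SSL_CLI_C` / `MBEDTLS_SSL_SRV_C` branches, it now appears to return 0 for a step that did nothing, which a `mbedtls_ssl_handshake` loop would never escape. Restoring the sentinel after the prepare call, `ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;` just before `#if defined(MBEDTLS_SSL_CLI_C)`, keeps the old behaviour; please confirm against the unchanged tail. In `ssl_prepare_handshake_step` the final `return( ret );` only works because `ret` happens to be 0 after the flush; `return( 0 );` says what is meant. The ssl_cli.c and ssl_srv.c hunks (L31, L32) also drop the `ssl->handshake == NULL` guard from the per-side step functions; that is fine for calls via mbedtls_ssl_handshake_step, but any direct caller (tests, for instance) now reaches `ssl->handshake->...` unguarded, so it may be worth a comment on those functions stating the precondition.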
@@ -1329,7 +1329,7 @@ struct mbedtls_ssl_context
      * Record layer transformations
      */
     mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in);        /*!<  current transform params (in)   */
-    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out);       /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out);       /*!<  current transform params (out)  */
     mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform);           /*!<  negotiated transform params     */
     mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!<  transform params in negotiation */
 

From 0e719ff34144a71d60e1c4e14d63565cb15673bf Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 09:24:08 +0100
Subject: [PATCH 19/50] Improve the documentation of legacy msg layer transforms

Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 639e3d962a82..dc4782e65b2a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1328,10 +1328,18 @@ struct mbedtls_ssl_context
     /*
      * Record layer transformations
      */
-    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in);        /*!<  current transform params (in)   */
-    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out);       /*!<  current transform params (out)  */
-    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform);           /*!<  negotiated transform params     */
-    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!<  transform params in negotiation */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in);        /*!<  current transform params (in)
+                                                                  *    This is always a reference,
+                                                                  *    never an owning pointer.        */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out);       /*!<  current transform params (out)
+                                                                  *    This is always a reference,
+                                                                  *    never an owning pointer.        */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform);           /*!<  negotiated transform params
+                                                                  *    This pointer owns the transform
+                                                                  *    it references.                  */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!<  transform params in negotiation
+                                                                  *    This pointer owns the transform
+                                                                  *    it references.                  */
 
     /*
      * Timers

From 3aa186f9462f6afd2943980863f37d8a608dbaa5 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 09:24:19 +0100
Subject: [PATCH 20/50] Add transforms to be used for TLS 1.3

Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 6 ++++++
 library/ssl_misc.h    | 7 +++++++
 library/ssl_tls.c     | 12 ++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index dc4782e65b2a..34353daffbcc 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1341,6 +1341,12 @@ struct mbedtls_ssl_context
                                                                   *    This pointer owns the transform
                                                                   *    it references.                  */
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    /* The application data transform in TLS 1.3.
+     * This pointer owns the transform it references. */
+    mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
     /*
      * Timers
      */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index cc19f4723bc7..174bad88b5bb 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -562,6 +562,13 @@ struct mbedtls_ssl_handshake_params
     uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    /* TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
+     * Those pointers own the transforms they reference. */
+    mbedtls_ssl_transform *transform_handshake;
+    mbedtls_ssl_transform *transform_earlydata;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
     /*
      * Checksum contexts
      */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bb5ddc470eeb..8316d252b78c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5393,6 +5393,13 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
     handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
                                     mbedtls_ssl_get_output_buflen( ssl ) );
 #endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    mbedtls_free( handshake->transform_earlydata );
+    mbedtls_free( handshake->transform_handshake );
+    handshake->transform_earlydata = NULL;
+    handshake->transform_handshake = NULL;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 }
 
 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
@@ -6091,6 +6098,11 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
         mbedtls_free( ssl->session_negotiate );
     }
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    mbedtls_ssl_transform_free( ssl->transform_application );
+    mbedtls_free( ssl->transform_application );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
     if( ssl->session )
     {
         mbedtls_ssl_session_free( ssl->session );

From 551265f8798eb843ee61063b34d42add44dd9bb7 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 13:03:48 +0100
Subject: [PATCH 21/50] Add TLS 1.3 IANA signature-algorithm values
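Review bot: In the `mbedtls_ssl_handshake_free` hunk the two handshake transforms are released with `mbedtls_free` alone, whereas the `mbedtls_ssl_free` hunk in the same file correctly calls `mbedtls_ssl_transform_free` before `mbedtls_free` on `transform_application`; the transform owns cipher contexts (and, in the TLS 1.2 code above, `randbytes`), so skipping the inner free leaks those contexts and leaves traffic-key material unzeroized on the heap. Insert `mbedtls_ssl_transform_free( handshake->transform_earlydata );` and `mbedtls_ssl_transform_free( handshake->transform_handshake );` before the corresponding `mbedtls_free` calls; the existing use on `transform_application` without a NULL check suggests `mbedtls_ssl_transform_free` tolerates NULL, but that is worth confirming since these fields will usually be NULL in non-1.3 handshakes. In `mbedtls_ssl_free` the `transform_application` pointer is not reset to NULL after freeing; if the context is not zeroized as a whole at the end of that function (outside the hunk), add `ssl->transform_application = NULL;`. Also note that `ssl_session_reset_msg_layer` (PATCH 15) frees `ssl->transform` but not `transform_application`, so a session reset on a TLS 1.3 connection would leak it unless a later commit handles that.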
Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 221cee33799f..3090f9313c73 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -337,6 +337,41 @@
 #define MBEDTLS_SSL_SIG_RSA                  1
 #define MBEDTLS_SSL_SIG_ECDSA                3
 
+/*
+ * TLS 1.3 signature algorithms
+ * RFC 8446, Section 4.2.2
+ */
+
+/* RSASSA-PKCS1-v1_5 algorithms */
+#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256       0x0401
+#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA384       0x0501
+#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA512       0x0601
+
+/* ECDSA algorithms */
+#define MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256 0x0403
+#define MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384 0x0503
+#define MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512 0x0603
+
+/* RSASSA-PSS algorithms with public key OID rsaEncryption */
+#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256    0x0804
+#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA384    0x0805
+#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA512    0x0806
+
+/* EdDSA algorithms */
+#define MBEDTLS_TLS13_SIG_ED25519                0x0807
+#define MBEDTLS_TLS13_SIG_ED448                  0x0808
+
+/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
+#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA256     0x0809
+#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA384     0x080A
+#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA512     0x080B
+
+/* LEGACY ALGORITHMS */
+#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA1         0x0201
+#define MBEDTLS_TLS13_SIG_ECDSA_SHA1             0x0203
+
+#define MBEDTLS_TLS13_SIG_NONE                   0x0
+
 /*
  * Client Certificate Types
  * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5

From 1cd6e0021f14d9f1b5015c8851781a0e07ffabec Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 13:27:10 +0100
Subject: [PATCH 22/50] Add experimental API for configuration of TLS 1.3 sig algs

Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 17 +++++++++++++++++
 library/ssl_tls.c     | 16 ++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3090f9313c73..c62f730b3e89 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1182,6 +1182,10 @@ struct mbedtls_ssl_config
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
     const int *MBEDTLS_PRIVATE(sig_hashes);         /*!< allowed signature hashes           */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    const uint16_t* MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms in TLS 1.3 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #endif
 
 #if defined(MBEDTLS_ECP_C)
@@ -3026,6 +3030,19 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
  */
 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
                                   const int *hashes );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+/**
+ * \brief Configure allowed signature algorithms for use in TLS 1.3
+ *
+ * \param conf      The SSL configuration to use.
+ * \param sig_algs  A 0-terminated list of IANA values for TLS 1.3 signature algorithms,
+ *                  with the most preferred algorithm listed first. Supported values
+ *                  are available as \c MBEDTLS_TLS13_SIG_XXX.
+ */
+void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
+                                const uint16_t* sig_algs );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 923c671a7ba2..e2fb9b66fb8f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
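Review bot: The Doxygen for `mbedtls_ssl_conf_sig_algs` in the second hunk does not say that the list is stored by reference: the implementation in ssl_tls.c (L39) is just `conf->tls13_sig_algs = sig_algs;`, so the array must stay valid and unmodified for the lifetime of `conf`, and a caller passing a stack array from a short-lived scope gets a dangling pointer read during every handshake. Add to `\param sig_algs` something like `The list is not copied; it must remain valid for the lifetime of the configuration.` and a `\note` that the terminator is \c MBEDTLS_TLS13_SIG_NONE (the text says "0-terminated" while the constant is what callers actually use, as in the ssl_client2 hunk). It would also help to state what happens when the function is never called, i.e. whether `tls13_sig_algs` has a library default or stays NULL — that default is not visible in these hunks. The same Doxygen block is duplicated verbatim above the definition in the ssl_tls.c hunk; keeping it only in the header avoids the two copies drifting apart.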
@@ -3933,6 +3933,22 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 {
     conf->sig_hashes = hashes;
 }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+/**
+ * \brief Configure allowed signature algorithms for use in TLS 1.3
+ *
+ * \param conf      The SSL configuration to use.
+ * \param sig_algs  A 0-terminated list of IANA values for TLS 1.3 signature algorithms,
+ *                  with the most preferred algorithm listed first. Supported values
+ *                  are available as \c MBEDTLS_TLS13_SIG_XXX.
+ */
+void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
+                                const uint16_t* sig_algs )
+{
+    conf->tls13_sig_algs = sig_algs;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 
 #if defined(MBEDTLS_ECP_C)

From 11ceadd382b1edb83031b4fcb10af3fcd11997fd Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 13:36:41 +0100
Subject: [PATCH 23/50] Add cmdline param for TLS 1.3 sig alg config to ssl_{client,server}2

Signed-off-by: Hanno Becker
---
 programs/ssl/ssl_client2.c | 90 ++++++++++++++++++++++++++++++++++++--
 programs/ssl/ssl_server2.c | 89 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 174 insertions(+), 5 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 86c314c35d86..17b1ccf93948 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -88,6 +88,7 @@ int main( void )
 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
 #define DFL_ALPN_STRING         NULL
 #define DFL_CURVES              NULL
+#define DFL_SIG_ALGS            NULL
 #define DFL_TRANSPORT           MBEDTLS_SSL_TRANSPORT_STREAM
 #define DFL_HS_TO_MIN           0
 #define DFL_HS_TO_MAX           0
@@ -269,6 +270,15 @@ int main( void )
 #define USAGE_CURVES ""
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#define USAGE_SIG_ALGS \
+    "    sig_algs=a,b,c,d    default: \"default\" (library default)\n" \
+    "                        example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
+#else
+#define USAGE_SIG_ALGS ""
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #define USAGE_DTLS \
     "    dtls=%%d             default: 0 (TLS)\n"                        \
@@ -393,6 +403,7 @@ int main( void )
     USAGE_ETM                                               \
     USAGE_REPRODUCIBLE                                      \
     USAGE_CURVES                                            \
+    USAGE_SIG_ALGS                                          \
     USAGE_DHMLEN                                            \
     "\n"
 
@@ -417,9 +428,9 @@ int main( void )
     USAGE_SERIALIZATION                                     \
     " acceptable ciphersuite names:\n"
 
-#define ALPN_LIST_SIZE  10
-#define CURVE_LIST_SIZE 20
-
+#define ALPN_LIST_SIZE    10
+#define CURVE_LIST_SIZE   20
+#define SIG_ALG_LIST_SIZE  5
 
 /*
  * global options
@@ -472,6 +483,7 @@ struct options
     int reconnect_hard;         /* unexpectedly reconnect from the same port */
     int tickets;                /* enable / disable session tickets         */
     const char *curves;         /* list of supported elliptic curves        */
+    const char *sig_algs;       /* supported TLS 1.3 signature algorithms   */
     const char *alpn_string;    /* ALPN supported protocols                 */
     int transport;              /* TLS or DTLS?                             */
     uint32_t hs_to_min;         /* Initial value of DTLS handshake timer    */
@@ -631,6 +643,12 @@ int main( int argc, char *argv[] )
     mbedtls_net_context server_fd;
     io_ctx_t io_ctx;
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+    uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
+          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
     unsigned char buf[MAX_REQUEST_SIZE + 1];
 
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@@ -833,6 +851,7 @@ int main( int argc, char *argv[] )
     opt.tickets             = DFL_TICKETS;
     opt.alpn_string         = DFL_ALPN_STRING;
     opt.curves              = DFL_CURVES;
+    opt.sig_algs            = DFL_SIG_ALGS;
     opt.transport           = DFL_TRANSPORT;
     opt.hs_to_min           = DFL_HS_TO_MIN;
     opt.hs_to_max           = DFL_HS_TO_MAX;
@@ -1063,6 +1082,12 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + else if( strcmp( p, "sig_algs" ) == 0 ) + opt.sig_algs = q; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && + MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ else if( strcmp( p, "etm" ) == 0 ) { switch( atoi( q ) ) 
@@ -1450,6 +1475,60 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_ECP_C */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + if( opt.sig_algs != NULL ) + { + p = (char *) opt.sig_algs; + i = 0; + + /* Leave room for a final NULL in signature algorithm list */ + while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' ) + { + q = p; + + /* Terminate the current string */ + while( *p != ',' && *p != '\0' ) + p++; + if( *p == ',' ) + *p++ = '\0'; + + if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; + } + else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; + } + else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512; + } + else + { + mbedtls_printf( "unknown signature algorithm %s\n", q ); + mbedtls_printf( "supported signature algorithms: " ); + mbedtls_printf( "ecdsa_secp256r1_sha256 " ); + mbedtls_printf( "ecdsa_secp384r1_sha384 " ); + mbedtls_printf( "ecdsa_secp521r1_sha512 " ); + mbedtls_printf( "\n" ); + goto exit; + } + } + + if( i == ( SIG_ALG_LIST_SIZE - 1 ) && *p != '\0' ) + { + mbedtls_printf( "signature algorithm list too long, maximum %d", + SIG_ALG_LIST_SIZE - 1 ); + goto exit; + } + + sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && + MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { @@ -1785,6 +1864,11 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( opt.sig_algs != NULL ) + mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opt.psk_opaque != 0 ) 
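Review bot: The "list too long" diagnostic, `mbedtls_printf( "signature algorithm list too long, maximum %d", SIG_ALG_LIST_SIZE - 1 );`, has no trailing newline, unlike every other message in this block; the format should be `"signature algorithm list too long, maximum %d\n"`. Separately, an empty argument (`sig_algs=`) leaves `opt.sig_algs` non-NULL, the loop body never runs, and a list consisting only of `MBEDTLS_TLS13_SIG_NONE` is handed to the configuration, which presumably only shows up as a handshake failure later; rejecting `i == 0` with `goto usage;` would make that mistake visible at the command line. The same ~50-line parser is duplicated verbatim in ssl_server2.c (hunk `@@ -2172,6 +2198,60 @@`), where both points apply as well; the existing `curves` parser above this block may set the precedent for the duplication, but the two copies should at least be kept byte-identical.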
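Review bot: The call `mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );` is guarded only by `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`, but `sig_alg_list` is declared (hunk `@@ -631,6 +643,12 @@`) and filled only when `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED` is also defined, and the setter itself sits inside the `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED` block in ssl_tls.c. A build with TLS 1.3 enabled and certificate-based key exchange disabled therefore fails on an undeclared identifier. Change the guard to `#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \` / `    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)` as the other additions in this file do; the ssl_server2.c hunk `@@ -2750,6 +2830,11 @@` has the same mismatch.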
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 83bd617c6881..c7110e850e44 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -119,6 +119,7 @@ int main( void ) #define DFL_SNI NULL #define DFL_ALPN_STRING NULL #define DFL_CURVES NULL +#define DFL_SIG_ALGS NULL #define DFL_DHM_FILE NULL #define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM #define DFL_COOKIES 1 @@ -418,6 +419,15 @@ int main( void ) #define USAGE_CURVES "" #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#define USAGE_SIG_ALGS \ + " sig_algs=a,b,c,d default: \"default\" (library default)\n" \ + " example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n" +#else +#define USAGE_SIG_ALGS "" +#endif + #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) #define USAGE_SERIALIZATION \ " serialize=%%d default: 0 (do not serialize/deserialize)\n" \ @@ -484,6 +494,7 @@ int main( void ) USAGE_EMS \ USAGE_ETM \ USAGE_CURVES \ + USAGE_SIG_ALGS \ "\n" #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) @@ -509,8 +520,9 @@ int main( void ) USAGE_SERIALIZATION \ " acceptable ciphersuite names:\n" -#define ALPN_LIST_SIZE 10 -#define CURVE_LIST_SIZE 20 +#define ALPN_LIST_SIZE 10 +#define CURVE_LIST_SIZE 20 +#define SIG_ALG_LIST_SIZE 5 #define PUT_UINT64_BE(out_be,in_le,i) \ { \ @@ -583,6 +595,7 @@ struct options int cache_timeout; /* expiration delay of session cache entries */ char *sni; /* string describing sni information */ const char *curves; /* list of supported elliptic curves */ + const char *sig_algs; /* supported TLS 1.3 signature algorithms */ const char *alpn_string; /* ALPN supported protocols */ const char *dhm_file; /* the file with the DH parameters */ int extended_ms; /* allow negotiation of extended MS? */ 
@@ -1326,6 +1339,12 @@ int main( int argc, char *argv[] ) size_t context_buf_len = 0; #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && + MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + int i; char *p, *q; const int *list; @@ -1498,6 +1517,7 @@ int main( int argc, char *argv[] ) opt.sni = DFL_SNI; opt.alpn_string = DFL_ALPN_STRING; opt.curves = DFL_CURVES; + opt.sig_algs = DFL_SIG_ALGS; opt.dhm_file = DFL_DHM_FILE; opt.transport = DFL_TRANSPORT; opt.cookies = DFL_COOKIES; @@ -1665,6 +1685,12 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + else if( strcmp( p, "sig_algs" ) == 0 ) + opt.sig_algs = q; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && && \ + MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? 
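Review bot: The closing guard comment in the option-parsing hunk reads `#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && && \`, with a doubled `&&` and a stray line-continuation backslash inside a comment; the client-side counterpart in ssl_client2.c does not have this. Write it as `#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&` followed by `          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */`, matching the other guards introduced by this patch.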
@@ -2172,6 +2198,60 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_ECP_C */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + if( opt.sig_algs != NULL ) + { + p = (char *) opt.sig_algs; + i = 0; + + /* Leave room for a final NULL in signature algorithm list */ + while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' ) + { + q = p; + + /* Terminate the current string */ + while( *p != ',' && *p != '\0' ) + p++; + if( *p == ',' ) + *p++ = '\0'; + + if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; + } + else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; + } + else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512; + } + else + { + mbedtls_printf( "unknown signature algorithm %s\n", q ); + mbedtls_printf( "supported signature algorithms: " ); + mbedtls_printf( "ecdsa_secp256r1_sha256 " ); + mbedtls_printf( "ecdsa_secp384r1_sha384 " ); + mbedtls_printf( "ecdsa_secp521r1_sha512 " ); + mbedtls_printf( "\n" ); + goto exit; + } + } + + if( i == ( SIG_ALG_LIST_SIZE - 1 ) && *p != '\0' ) + { + mbedtls_printf( "signature algorithm list too long, maximum %d", + SIG_ALG_LIST_SIZE - 1 ); + goto exit; + } + + sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE; + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && + MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { @@ -2750,6 +2830,11 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( opt.sig_algs != NULL ) + mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 ) 
From 9c6aa7bb9a37ad694de9493941b422f8d4e85887 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 10 Aug 2021 13:50:43 +0100
Subject: [PATCH 24/50] Add default values for TLS 1.3 SigAlg configuration

Signed-off-by: Hanno Becker
---
 library/ssl_tls.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e2fb9b66fb8f..4843e423dda8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6277,6 +6277,41 @@ static int ssl_preset_suiteb_hashes[] = { MBEDTLS_MD_SHA384, MBEDTLS_MD_NONE }; + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static uint16_t ssl_preset_default_sig_algs[] = { + /* ECDSA algorithms */ +#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256, +#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384, +#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512, +#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +#endif /* MBEDTLS_ECDSA_C */ + /* RSA algorithms */ +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256, +#endif + MBEDTLS_TLS13_SIG_NONE +}; + +static uint16_t ssl_preset_suiteb_sig_algs[] = { + /* ECDSA algorithms */ +#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256, +#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384, +#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#endif /* MBEDTLS_ECDSA_C */ + MBEDTLS_TLS13_SIG_NONE +}; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif #if defined(MBEDTLS_ECP_C) @@ -6391,6 +6426,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) conf->sig_hashes = ssl_preset_suiteb_hashes; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + conf->tls13_sig_algs = ssl_preset_suiteb_sig_algs; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif #if defined(MBEDTLS_ECP_C) 
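Review bot: In `ssl_preset_default_sig_algs`, the `MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256` entry is guarded only by `MBEDTLS_X509_RSASSA_PSS_SUPPORT`, whereas every ECDSA entry also checks the hash module it depends on; a build with that X.509 option but without `MBEDTLS_SHA256_C` would advertise by default a signature algorithm it cannot compute. Guard it as `#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)` (the RSA-side capability presumably needs checking too — confirm against the TLS 1.3 signature code) and give that `#endif` the trailing comment its neighbours carry. Since `conf->tls13_sig_algs` is assigned through a `const uint16_t *` parameter in the setter added earlier in this series, both tables could be `static const uint16_t`; the existing `ssl_preset_suiteb_hashes` is non-const, so the patch follows local convention, but read-only tables are the safer default.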
@@ -6427,6 +6465,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->sig_hashes = ssl_preset_default_hashes; #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + conf->tls13_sig_algs = ssl_preset_default_sig_algs; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_ECP_C) conf->curve_list = ssl_preset_default_curves; #endif From deb68ce2d1935024d24cf85e1ef78528143b917f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 10 Aug 2021 16:04:05 +0100 Subject: [PATCH 25/50] Fix guard around TLS 1.3 SigAlg configuration Signed-off-by: Hanno Becker --- library/ssl_tls.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4843e423dda8..07d468ca7246 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6463,11 +6463,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) conf->sig_hashes = ssl_preset_default_hashes; -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) conf->tls13_sig_algs = ssl_preset_default_sig_algs; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) conf->curve_list = ssl_preset_default_curves; From e043d15d75e81fef9c93aba0639a7dba165b4062 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 12 Aug 2021 06:22:32 +0100 Subject: [PATCH 26/50] Turn comments of 1.3 record transforms into Doxygen documentation Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 4 ++-- library/ssl_misc.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 34353daffbcc..960a262e4362 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -1342,8 +1342,8 @@ struct mbedtls_ssl_context * it references. */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /* The application data transform in TLS 1.3. - * This pointer owns the transform it references. */ + /*! The application data transform in TLS 1.3. + * This pointer owns the transform it references. */ mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application); #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 174bad88b5bb..0b64e010bc31 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -563,8 +563,8 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /* TLS 1.3 transforms for 0-RTT and encrypted handshake messages. - * Those pointers own the transforms they reference. */ + /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages. + * Those pointers own the transforms they reference. */ mbedtls_ssl_transform *transform_handshake; mbedtls_ssl_transform *transform_earlydata; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ From 8ca26923eb71d7ea9615c468bac6f75fa5341eaa Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 23 Jul 2021 19:24:23 +0100 Subject: [PATCH 27/50] Add TLS 1.3 ciphersuites Signed-off-by: Hanno Becker --- include/mbedtls/ssl_ciphersuites.h | 7 ++++ library/ssl_ciphersuites.c | 56 ++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 812560c8a11d..18e7c9876762 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h 
@@ -256,6 +256,13 @@ extern "C" { #define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */ #define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */ +/* RFC 8446, Appendix B.4 */ +#define MBEDTLS_TLS1_3_AES_128_GCM_SHA256 0x1301 /**< TLS 1.3 */ +#define MBEDTLS_TLS1_3_AES_256_GCM_SHA384 0x1302 /**< TLS 1.3 */ +#define MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256 0x1303 /**< TLS 1.3 */ +#define MBEDTLS_TLS1_3_AES_128_CCM_SHA256 0x1304 /**< TLS 1.3 */ +#define MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256 0x1305 /**< TLS 1.3 */ + /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange. * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index a3ee157d5038..1df1b26b2c62 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -52,6 +52,15 @@ static const int ciphersuite_preference[] = #if defined(MBEDTLS_SSL_CIPHERSUITES) MBEDTLS_SSL_CIPHERSUITES, #else +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + /* TLS 1.3 ciphersuites */ + MBEDTLS_TLS1_3_AES_128_GCM_SHA256, + MBEDTLS_TLS1_3_AES_256_GCM_SHA384, + MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, + MBEDTLS_TLS1_3_AES_128_CCM_SHA256, + MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* Chacha-Poly ephemeral suites */ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 
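Review bot: The TLS 1.3 block placed at the top of `ciphersuite_preference` includes `MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256`, whose 64-bit authentication tag is why the definition added in the same commit flags it `MBEDTLS_CIPHERSUITE_SHORT_TAG`; offering a truncated-tag AEAD in the default preference list without comment is easy to overlook. Either leave it out of the default list, as the existing TLS 1.2 section presumably does for its short-tag suites (that part of the list is outside the hunk), or keep it last in the block with `/* Short-tag (64-bit) AEAD, kept at lowest priority */` so the ordering is a deliberate choice rather than the IANA code-point order the five entries currently follow. Repeating the `RFC 8446, Appendix B.4` reference from the header hunk here would also tell readers the set is complete.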
@@ -283,6 +292,53 @@ static const int ciphersuite_preference[] = static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = { +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_GCM_C) +#if defined(MBEDTLS_SHA512_C) + { MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384", + MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, + MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + 0 }, +#endif /* MBEDTLS_SHA512_C */ +#if defined(MBEDTLS_SHA256_C) + { MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256", + MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + 0 }, +#endif /* MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_GCM_C */ +#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_SHA256_C) + { MBEDTLS_TLS1_3_AES_128_CCM_SHA256, "TLS1-3-AES-128-CCM-SHA256", + MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + 0 }, + { MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, "TLS1-3-AES-128-CCM-8-SHA256", + MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_CIPHERSUITE_SHORT_TAG }, +#endif /* MBEDTLS_SHA256_C && MBEDTLS_CCM_C */ +#endif /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_CHACHAPOLY_C) && defined(MBEDTLS_SHA256_C) + { MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, + 
"TLS1-3-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */ + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, + 0 // field not used in TLS 1.3 implementation + }, +#endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_SHA256_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_CHACHAPOLY_C) && \ defined(MBEDTLS_SHA256_C) && \ defined(MBEDTLS_SSL_PROTO_TLS1_2) From e486b2d7bb5dda556590562fad909dc2c2b66642 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 23 Jul 2021 19:24:30 +0100 Subject: [PATCH 28/50] Document use of mbedtls_ssl_conf_ciphersuites() for TLS 1.3 Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 221cee33799f..f49bf2d98a32 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -2521,21 +2521,45 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session, * order. First in the list has the highest preference. * (Overrides all version-specific lists) * - * The ciphersuites array is not copied, and must remain - * valid for the lifetime of the ssl_config. - * - * Note: By default, the server chooses its preferred + * For TLS 1.2, the notion of ciphersuite determines both + * the key exchange mechanism and the suite of symmetric + * algorithms to be used during and after the handshake. + * + * For TLS 1.3 (in development), the notion of ciphersuite + * only determines the suite of symmetric algorithmc to be + * used during and after the handshake, while key exchange + * mechanisms are configured separately. + * + * In Mbed TLS, ciphersuites for both TLS 1.2 and TLS 1.3 + * are configured via this function. For users of TLS 1.3, + * there will be separate API for the configuration of key + * exchange mechanisms. + * + * The list of ciphersuites passed to this function may + * contain a mixture of TLS 1.2 and TLS 1.3 ciphersuite + * identifiers. This is useful if negotiation of TLS 1.3 + * should be attempted, but a fallback to TLS 1.2 would + * be tolerated. + * + * \note By default, the server chooses its preferred * ciphersuite among those that the client supports. If * mbedtls_ssl_conf_preference_order() is called to prefer * the client's preferences, the server instead chooses * the client's preferred ciphersuite among those that * the server supports. * - * \param conf SSL configuration - * \param ciphersuites 0-terminated list of allowed ciphersuites + * \warning The ciphersuites array \p ciphersuites is not copied. + * It must remain valid for the lifetime the SSL + * configuration \p conf. + * + * \param conf The SSL configuration to modify. 
+ * \param ciphersuites A 0-terminated list of IANA identifiers of supported + * ciphersuites, accessible through \c MBEDTLS_TLS_XXX + * and \c MBEDTLS_TLS1_3_XXX macros defined in + * ssl_ciphersuites.h. */ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, - const int *ciphersuites ); + const int *ciphersuites ); #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 From ae336852c59973c4642a10009b9db3160cc71215 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 24 Jul 2021 05:27:16 +0100 Subject: [PATCH 29/50] Add ssl-opt.sh run to TLS 1.3 test in all.sh Signed-off-by: Hanno Becker --- tests/scripts/all.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5d2710cadc94..16926390c413 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2454,6 +2454,8 @@ component_test_tls13_experimental_with_padding () { make msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, with padding" make test + msg "ssl-opt.sh (TLS 1.3 experimental)" + if_build_succeeded tests/ssl-opt.sh } component_build_mingw () { From e2defad0bb9c72acc104e8f07b6c7ec252f4aa51 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 24 Jul 2021 05:59:17 +0100 Subject: [PATCH 30/50] Fix indentation of pre-existing code-block in ssl_tls.c Signed-off-by: Hanno Becker --- library/ssl_tls.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2306c712c7bb..97bb7b6470de 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
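Review bot: Two typos in the new Doxygen text: `only determines the suite of symmetric algorithmc to be` should read `algorithms`, and `It must remain valid for the lifetime the SSL` is missing "of" (`for the lifetime of the SSL configuration \p conf`). The paragraph saying that "there will be separate API" for TLS 1.3 key exchange configuration could link to `mbedtls_ssl_conf_tls13_key_exchange_modes()` with a `\sa`, since that API is added later in this series and readers of the final header will otherwise look for it.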
@@ -6337,20 +6337,20 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) - if( endpoint == MBEDTLS_SSL_IS_SERVER ) - { - const unsigned char dhm_p[] = - MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; - const unsigned char dhm_g[] = - MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; - - if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, - dhm_p, sizeof( dhm_p ), - dhm_g, sizeof( dhm_g ) ) ) != 0 ) - { - return( ret ); - } - } + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + { + const unsigned char dhm_p[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_g[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + + if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, + dhm_p, sizeof( dhm_p ), + dhm_g, sizeof( dhm_g ) ) ) != 0 ) + { + return( ret ); + } + } #endif /* From 71f1ed66c2a6c5177be777871b058a11a650795a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 24 Jul 2021 06:01:47 +0100 Subject: [PATCH 31/50] Add identifiers and API for configuration of TLS 1.3 key exchanges Signed-off-by: Hanno Becker --- include/mbedtls/ssl.h | 76 +++++++++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 15 +++++++++ 2 files changed, 91 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f49bf2d98a32..029fa4292646 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -169,6 +169,30 @@ /** Invalid value in SSL config */ #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 +/* + * TLS 1.3 Key Exchange Modes + * + * Mbed TLS internal identifiers for use with the SSL configuration API + * mbedtls_ssl_conf_tls13_key_exchange_modes(). + */ + +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE 0 +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 1 ) +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 2 ) + +/* Convenience macros for sets of key exchanges. */ +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL \ + ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \ + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \ + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL \ + ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \ + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) +#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \ + ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL | \ + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) + /* * Various constants */ @@ -1069,6 +1093,11 @@ struct mbedtls_ssl_config /** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */ const int *MBEDTLS_PRIVATE(ciphersuite_list); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + /** Allowed TLS 1.3 key exchange modes. */ + int MBEDTLS_PRIVATE(tls13_kex_modes); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /** Callback for printing debug output */ void (*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *); void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */ 
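Review bot: The mode bits are defined as unsigned (`( 1u << 0 )` and so on), but the field added by the second hunk is `int MBEDTLS_PRIVATE(tls13_kex_modes)` and the setter in ssl_tls.c takes `const int kex_modes`, so every assignment and bitwise test mixes signedness and will warn under `-Wsign-conversion` in users' builds. Either drop the `u` suffix (`( 1 << 0 )`) to match the `int` storage, or store the value as `unsigned int`; with values this small both are behaviour-preserving. A one-line comment above `MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE` stating that 0 leaves no TLS 1.3 key exchange enabled would also help, since nothing currently documents what passing it means.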
@@ -2561,6 +2590,53 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session, void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +/** + * \brief Set the supported key exchange modes for TLS 1.3 connections. + * + * In contrast to TLS 1.2, the ciphersuite concept in TLS 1.3 does not + * include the choice of key exchange mechanism. It is therefore not + * covered by the API mbedtls_ssl_conf_ciphersuites(). See the + * documentation of mbedtls_ssl_conf_ciphersuites() for more + * information on the ciphersuite concept in TLS 1.2 and TLS 1.3. + * + * The present function is specific to TLS 1.3 and allows users to + * configure the set of supported key exchange mechanisms in TLS 1.3. + * + * \param conf The SSL configuration the change should apply to. + * \param kex_modes A bitwise combination of one or more of the following: + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK + * This flag enables pure-PSK key exchanges. + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL + * This flag enables combined PSK-ephemeral key exchanges. + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL + * This flag enables pure-ephemeral key exchanges. + * For convenience, the following pre-defined macros are + * available for combinations of the above: + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL + * Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral. + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL + * Includes both pure-PSK and combined PSK-ephemeral + * key exchanges, but excludes pure-ephemeral key exchanges. + * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL + * Includes both pure-ephemeral and combined PSK-ephemeral + * key exchanges. + * + * \note If a PSK-based key exchange mode shall be supported, applications + * must also use the APIs mbedtls_ssl_conf_psk() or + * mbedtls_ssl_conf_psk_cb() or mbedtls_ssl_conf_psk_opaque() + * to configure the PSKs to be used. 
+ * + * \note If an ECDHE-based key exchange mode shall be supported, + * server-side applications must also provide a certificate via + * mbedtls_ssl_conf_own_cert(). + * + */ + +void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf, + const int kex_modes ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 97bb7b6470de..4933980cd9ed 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3548,6 +3548,14 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, conf->ciphersuite_list = ciphersuites; } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf, + const int kex_modes ) +{ + conf->tls13_kex_modes = kex_modes; +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, const mbedtls_x509_crt_profile *profile ) @@ -6353,6 +6361,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, } #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + /* + * Allow all TLS 1.3 key exchange modes by default. + */ + conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* * Preset-specific defaults */ From 2c0f697fbc74795152932466d2c47e0813459724 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 24 Jul 2021 06:27:16 +0100 Subject: [PATCH 32/50] Support TLS 1.3 key exchange config in ssl_client2/ssl_server2 Signed-off-by: Hanno Becker --- programs/ssl/ssl_client2.c | 56 ++++++++++++++++++++++++++++++++------ programs/ssl/ssl_server2.c | 30 ++++++++++++++++++++ 2 files changed, 77 insertions(+), 9 deletions(-) 
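Review bot: The new declaration is written `mbedtls_ssl_config* conf` with the asterisk attached to the type and `const int kex_modes` with a `const` on a by-value parameter, while the surrounding header (`mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,` in the context lines) attaches the asterisk to the name and omits such qualifiers; the definition in ssl_tls.c repeats both. Use `void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,` / `int kex_modes );` in both places. The trailing empty ` *` line and the blank line between `*/` and the declaration are also unusual for this header.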
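Review bot: `conf->tls13_kex_modes = kex_modes;` accepts any bit pattern, including bits outside `MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL` and the all-zero `MODE_NONE`, with no feedback; the sibling setters in this file do not validate either, so the header should at least say how such values are treated. Add to the Doxygen block `\note Bits outside MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL are reserved and must be zero.` or, if silently ignoring them is preferred, store `kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL` and document that.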
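Review bot: The default `conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;` enables the pure-PSK mode, which provides no forward secrecy, and the comment only says "Allow all TLS 1.3 key exchange modes by default". Expand it to record the trade-off, e.g. `/* Allow all TLS 1.3 key exchange modes by default. Pure-PSK offers no forward secrecy; applications that need it should restrict the set via mbedtls_ssl_conf_tls13_key_exchange_modes(). */`, so the choice is visible to anyone auditing the defaults.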
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 86c314c35d86..f40897397c21 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -65,6 +65,7 @@ int main( void ) #define DFL_ECJPAKE_PW NULL #define DFL_EC_MAX_OPS -1 #define DFL_FORCE_CIPHER 0 +#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED #define DFL_ALLOW_LEGACY -2 #define DFL_RENEGOTIATE 0 @@ -335,6 +336,14 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define USAGE_TLS13_KEY_EXCHANGE_MODES \ + " tls13_kex_modes=%%s default: all\n" \ + " options: psk, psk_ephemeral, ephemeral, psk_all, all\n" +#else +#define USAGE_TLS13_KEY_EXCHANGE_MODES "" +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ 
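Review bot: The new usage text lists `options: psk, psk_ephemeral, ephemeral, psk_all, all`, but the parser added in hunk `@@ -1072,6 +1088,24 @@` of this file accepts `psk_pure`, `psk_ephemeral`, `ephemeral_pure`, `ephemeral_all`, `psk_all` and `all`: the documented `psk` and `ephemeral` are rejected with a usage error, and `ephemeral_all` is undocumented. Make the two agree, e.g. `" options: psk_pure, psk_ephemeral, ephemeral_pure, ephemeral_all, psk_all, all\n"`, or rename the parser's cases to the shorter documented names. The ssl_server2.c part of this patch adds `DFL_TLS13_KEX_MODES` and the `tls13_kex_modes` field in its visible hunks but no usage string or parser case; if those live beyond the visible hunks they need the same check.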
@@ -403,18 +412,19 @@ int main( void ) #endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #define USAGE4 \ - " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1_2)\n" \ - " max_version=%%s default: (library default: tls1_2)\n" \ - " force_version=%%s default: \"\" (none)\n" \ + " allow_sha1=%%d default: 0\n" \ + " min_version=%%s default: (library default: tls1_2)\n" \ + " max_version=%%s default: (library default: tls1_2)\n" \ + " force_version=%%s default: \"\" (none)\n" \ " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ - "\n\n" \ - " force_ciphersuite= default: all enabled\n"\ - " query_config= return 0 if the specified\n" \ + "\n\n" \ + " force_ciphersuite= default: all enabled\n" \ + USAGE_TLS13_KEY_EXCHANGE_MODES \ + " query_config= return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ " otherwise. The expansion of the macro\n" \ - " is printed if it is defined\n" \ - USAGE_SERIALIZATION \ + " is printed if it is defined\n" \ + USAGE_SERIALIZATION \ " acceptable ciphersuite names:\n" #define ALPN_LIST_SIZE 10 @@ -453,6 +463,9 @@ struct options const char *ecjpake_pw; /* the EC J-PAKE password */ int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ int renegotiation; /* enable / disable renegotiation */ int allow_legacy; /* allow legacy renegotiation */ int renegotiate; /* attempt renegotiation? */ 
@@ -814,6 +827,9 @@ int main( int argc, char *argv[] )
 opt.ecjpake_pw = DFL_ECJPAKE_PW;
 opt.ec_max_ops = DFL_EC_MAX_OPS;
 opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ opt.tls13_kex_modes = DFL_TLS13_KEX_MODES;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 opt.renegotiation = DFL_RENEGOTIATION;
 opt.allow_legacy = DFL_ALLOW_LEGACY;
 opt.renegotiate = DFL_RENEGOTIATE;
@@ -1072,6 +1088,24 @@ int main( int argc, char *argv[] )
 default: goto usage;
 }
 }
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ else if( strcmp( p, "tls13_kex_modes" ) == 0 )
+ {
+ if( strcmp( q, "psk_pure" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
+ else if( strcmp(q, "psk_ephemeral" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ else if( strcmp(q, "ephemeral_pure" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
+ else if( strcmp(q, "ephemeral_all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
+ else if( strcmp( q, "psk_all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL;
+ else if( strcmp( q, "all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
+ else goto usage;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 else if( strcmp( p, "min_version" ) == 0 )
 {
 if( strcmp( q, "tls1_2" ) == 0 ||
@@ -1748,6 +1782,10 @@ int main( int argc, char *argv[] )
 if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
 mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
 if( opt.allow_legacy != DFL_ALLOW_LEGACY )
 mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
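Review bot: The six-way strcmp chain that maps the tls13_kex_modes value to an MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_XXX constant in the `@@ -1072` hunk is duplicated byte for byte in the corresponding ssl_server2.c hunk (`@@ -1714`), and the accepted names must additionally agree with the usage string defined earlier in each file; three copies of one list is how they drift apart (the usage string in this commit already disagrees with the parser). A small static name/value table with one lookup loop keeps the mapping in one place per program and makes the usage text derivable from it. The enclosing `main` starts and ends outside the hunk.
```c
/* … unchanged: earlier option parsing … */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
        else if( strcmp( p, "tls13_kex_modes" ) == 0 )
        {
            static const struct { const char *name; int mode; } kex_mode_names[] =
            {
                { "psk_pure",       MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK },
                { "psk_ephemeral",  MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL },
                { "ephemeral_pure", MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL },
                { "ephemeral_all",  MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL },
                { "psk_all",        MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL },
                { "all",            MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL },
            };
            const size_t n_modes = sizeof( kex_mode_names ) / sizeof( kex_mode_names[0] );
            size_t k;
            for( k = 0; k < n_modes; k++ )
                if( strcmp( q, kex_mode_names[k].name ) == 0 )
                    break;
            if( k == n_modes )
                goto usage;
            opt.tls13_kex_modes = kex_mode_names[k].mode;
        }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/* … unchanged: min_version parsing … */
```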
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 83bd617c6881..25cdb40c7793 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -95,6 +95,7 @@ int main( void )
 #define DFL_ECJPAKE_PW NULL
 #define DFL_PSK_LIST NULL
 #define DFL_FORCE_CIPHER 0
+#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL
 #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
 #define DFL_ALLOW_LEGACY -2
 #define DFL_RENEGOTIATE 0
@@ -564,6 +565,9 @@ struct options
 char *psk_list; /* list of PSK id/key pairs for callback */
 const char *ecjpake_pw; /* the EC J-PAKE password */
 int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 int renegotiation; /* enable / disable renegotiation */
 int allow_legacy; /* allow legacy renegotiation */
 int renegotiate; /* attempt renegotiation? */
@@ -1478,6 +1482,9 @@ int main( int argc, char *argv[] )
 opt.psk_list = DFL_PSK_LIST;
 opt.ecjpake_pw = DFL_ECJPAKE_PW;
 opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ opt.tls13_kex_modes = DFL_TLS13_KEX_MODES;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 opt.renegotiation = DFL_RENEGOTIATION;
 opt.allow_legacy = DFL_ALLOW_LEGACY;
 opt.renegotiate = DFL_RENEGOTIATE;
@@ -1714,6 +1721,25 @@ int main( int argc, char *argv[] )
 if( opt.exchanges < 0 )
 goto usage;
 }
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ else if( strcmp( p, "tls13_kex_modes" ) == 0 )
+ {
+ if( strcmp( q, "psk_pure" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
+ else if( strcmp(q, "psk_ephemeral" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ else if( strcmp(q, "ephemeral_pure" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
+ else if( strcmp(q, "ephemeral_all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
+ else if( strcmp( q, "psk_all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL;
+ else if( strcmp( q, "all" ) == 0 )
+ opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
+ else goto usage;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
 else if( strcmp( p, "min_version" ) == 0 )
 {
 if( strcmp( q, "tls1_2" ) == 0 ||
@@ -2610,6 +2636,10 @@ int main( int argc, char *argv[] )
 if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
 mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
 if( opt.allow_legacy != DFL_ALLOW_LEGACY )
 mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
From 932064d6603ef632d525e329a30c339934bd38b3 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sat, 24 Jul 2021 06:45:50 +0100
Subject: [PATCH 33/50] Add ssl-opt.sh tests for ssl_client/server TLS 1.3 kex parameters
Those tests are so far only checking that ssl_client2/ssl_server2 recognize the arguments, nothing more.
Signed-off-by: Hanno Becker
---
 tests/ssl-opt.sh | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 01265ae9b3af..56c4a5fba79e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1453,6 +1453,40 @@ run_test "SHA-256 allowed by default in client certificate" \
 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
 0
 
+# Dummy TLS 1.3 test
+# Currently only checking that passing TLS 1.3 key exchange modes to
+# ssl_client2/ssl_server2 example programs works.
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \
+ "$P_SRV tls13_kex_modes=psk_pure" \
+ "$P_CLI tls13_kex_modes=psk_pure" \
+ 0
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \
+ "$P_SRV tls13_kex_modes=psk_ephemeral" \
+ "$P_CLI tls13_kex_modes=psk_ephemeral" \
+ 0
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \
+ "$P_SRV tls13_kex_modes=ephemeral_pure" \
+ "$P_CLI tls13_kex_modes=ephemeral_pure" \
+ 0
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \
+ "$P_SRV tls13_kex_modes=ephemeral_all" \
+ "$P_CLI tls13_kex_modes=ephemeral_all" \
+ 0
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: All PSK" \
+ "$P_SRV tls13_kex_modes=psk_all" \
+ "$P_CLI tls13_kex_modes=psk_all" \
+ 0
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+run_test "TLS 1.3, key exchange mode parameter passing: All" \
+ "$P_SRV tls13_kex_modes=all" \
+ "$P_CLI tls13_kex_modes=all" \
+ 0
+
 # Tests for datagram packing
 run_test "DTLS: multiple records in same datagram, client and server" \
 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
From a2535931acfb8ad0b0b3aa977ce4a740b00711c9 Mon Sep 17 00:00:00 2001
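Review bot: All six new run_test cases only assert a zero exit with an accepted value, so the `goto usage` rejection path in the ssl_client2/ssl_server2 parsers is never exercised and a parser that accepted everything would pass unchanged. One negative case with an unrecognised value and a non-zero expected client exit would pin the rejection behaviour as well; the exact exit-status convention run_test applies is not visible in this hunk, so confirm the expected value against the existing negative tests in this file. The tests also never force a TLS 1.3 handshake, as the comment admits, so they should keep the "parameter passing" wording until the mode is actually negotiated.
```shell
# … unchanged: the six positive tls13_kex_modes tests …
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: unknown value rejected" \
 "$P_SRV" \
 "$P_CLI tls13_kex_modes=not_a_mode" \
 1
```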
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:20:54 +0100
Subject: [PATCH 34/50] Add Doxygen documentation for TLS 1.3 key exchange macros
Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 029fa4292646..327184c2de28 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -176,22 +176,27 @@
 * mbedtls_ssl_conf_tls13_key_exchange_modes().
 */
 
-#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE 0
-#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 )
-#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 1 )
-#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 2 )
+#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) /*!< Pure-PSK TLS 1.3 key exchange,
+ * encompassing both externally agreed PSKs
+ * as well as resumption PSKs. */
+#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 1 ) /*!< Pure-Ephemeral TLS 1.3 key exchanges,
+ * including for example ECDHE and DHE
+ * key exchanges. */
+#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 2 ) /*!< PSK-Ephemeral TLS 1.3 key exchanges,
+ * using both a PSK and an ephemeral
+ * key exchange. */
 
 /* Convenience macros for sets of key exchanges. */
 #define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL \
 ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \
- MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL )
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) /*!< All TLS 1.3 key exchanges */
 #define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL \
 ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
- MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL )
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All PSK-based TLS 1.3 key exchanges */
 #define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \
 ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL | \
- MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL )
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */
 
 /*
 * Various constants
From d4fa9bc7104d9996da72e2b1af2e6ccc6bb06806 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:21:05 +0100
Subject: [PATCH 35/50] Remove outdated mentioning of version-specific ciphersuite config
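Review bot: A commit titled "Add Doxygen documentation" also changes the values of public macros: `MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE` is dropped, and `_EPHEMERAL` moves from `( 1u << 2 )` to `( 1u << 1 )` while `_PSK_EPHEMERAL` moves from `( 1u << 1 )` to `( 1u << 2 )`. Removing `_NONE` at least fails loudly for any remaining user, but the bit swap is silent: code, tests or stored configuration that hard-coded the old numeric values keeps compiling and now selects a different key exchange mode. Either keep the original bit positions and only reorder the definitions for reading, or split the renumbering into its own commit whose message states it, so the behavioural change is reviewable rather than hidden under a documentation title.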
Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 1 -
 1 file changed, 1 deletion(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 327184c2de28..997cd686d8c9 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2553,7 +2553,6 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
 /**
 * \brief Set the list of allowed ciphersuites and the preference
 * order. First in the list has the highest preference.
- * (Overrides all version-specific lists)
 *
 * For TLS 1.2, the notion of ciphersuite determines both
 * the key exchange mechanism and the suite of symmetric
From 674f9480cf97f12d5cc26955c3f3b2a359f6e8a6 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:21:19 +0100
Subject: [PATCH 36/50] Fix typo: algorithmc -> algorithms
Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 997cd686d8c9..5d0cf3edb5a1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2559,7 +2559,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
 * algorithms to be used during and after the handshake.
 *
 * For TLS 1.3 (in development), the notion of ciphersuite
- * only determines the suite of symmetric algorithmc to be
+ * only determines the suite of symmetric algorithms to be
 * used during and after the handshake, while key exchange
 * mechanisms are configured separately.
 *
From 5d045a8b89a34b8dc5e8f68f478eacb5156c2a82 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:21:30 +0100
Subject: [PATCH 37/50] Stick to 'ephemeral' instead of ECDHE for TLS 1.3 key exchanges
Signed-off-by: Hanno Becker
---
 include/mbedtls/ssl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5d0cf3edb5a1..70dc501c0bf0 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2631,7 +2631,7 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
 * mbedtls_ssl_conf_psk_cb() or mbedtls_ssl_conf_psk_opaque()
 * to configure the PSKs to be used.
 *
- * \note If an ECDHE-based key exchange mode shall be supported,
+ * \note If a pure-ephemeral key exchange mode shall be supported,
 * server-side applications must also provide a certificate via
 * mbedtls_ssl_conf_own_cert().
 *
From 30319f1f889863afd60a87a292602992297d3c6c Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:21:55 +0100
Subject: [PATCH 38/50] Remove misplaced comment in TLS 1.3 ciphersuite definitions
Signed-off-by: Hanno Becker
---
 library/ssl_ciphersuites.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 1df1b26b2c62..9a416c811d31 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -334,8 +334,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
 MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
 MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
- 0 // field not used in TLS 1.3 implementation
- },
+ 0 },
 #endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_SHA256_C */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 
From cfa4d4b3f5b229ec8491d9bb72435d306db6039f Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:22:06 +0100
Subject: [PATCH 39/50] ssl_client2: Adjust usage string to recognized cmd line parameter
Signed-off-by: Hanno Becker
---
 programs/ssl/ssl_client2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index f40897397c21..223b7bff2f2c 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -339,7 +339,7 @@ int main( void )
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 #define USAGE_TLS13_KEY_EXCHANGE_MODES \
 " tls13_kex_modes=%%s default: all\n" \
- " options: psk, psk_ephemeral, ephemeral, psk_all, all\n"
+ " options: psk_pure, psk_ephemeral, ephemeral_pure, ephemeral_all, psk_all, all\n"
 #else
 #define USAGE_TLS13_KEY_EXCHANGE_MODES ""
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
From a9e4e6fd6f3648400b5f26913cfec349a91570b7 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Aug 2021 21:22:28 +0100
Subject: [PATCH 40/50] ssl_server2: Add usage string for TLS 1.3 key exchange modes
Signed-off-by: Hanno Becker
---
 programs/ssl/ssl_server2.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 25cdb40c7793..87558f54cbf1 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -433,6 +433,15 @@ int main( void )
 #define USAGE_SERIALIZATION ""
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+#define USAGE_TLS13_KEY_EXCHANGE_MODES \
+ " tls13_kex_modes=%%s default: all\n" \
+ " options: psk_pure, psk_ephemeral, ephemeral_pure, ephemeral_all, psk_all, all\n"
+#else
+#define USAGE_TLS13_KEY_EXCHANGE_MODES ""
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+
 /* USAGE is arbitrarily split to stay under the portable string literal
 * length limit: 4095 bytes in C99. */
 #define USAGE1 \
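Review bot: The ssl_server2.c `@@ -433` hunk adds two consecutive blank `+` lines after the new `#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */`, where the surrounding file separates blocks with a single blank line; drop one of them. The USAGE_TLS13_KEY_EXCHANGE_MODES text is also now an exact copy of the ssl_client2.c one, including the hand-maintained option list that has already needed one correction in this series, so a shared header or generating the list from the parser table would be worth considering.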
@@ -496,18 +505,19 @@ int main( void )
 #define USAGE4 \
 USAGE_SSL_ASYNC \
 USAGE_SNI \
- " allow_sha1=%%d default: 0\n" \
- " min_version=%%s default: (library default: tls1_2)\n" \
- " max_version=%%s default: (library default: tls1_2)\n" \
- " force_version=%%s default: \"\" (none)\n" \
+ " allow_sha1=%%d default: 0\n" \
+ " min_version=%%s default: (library default: tls1_2)\n" \
+ " max_version=%%s default: (library default: tls1_2)\n" \
+ " force_version=%%s default: \"\" (none)\n" \
 " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \
- "\n\n" \
- " force_ciphersuite= default: all enabled\n" \
- " query_config= return 0 if the specified\n" \
+ "\n\n" \
+ " force_ciphersuite= default: all enabled\n" \
+ USAGE_TLS13_KEY_EXCHANGE_MODES \
+ " query_config= return 0 if the specified\n" \
 " configuration macro is defined and 1\n" \
 " otherwise. The expansion of the macro\n" \
- " is printed if it is defined\n" \
- USAGE_SERIALIZATION \
+ " is printed if it is defined\n" \
+ USAGE_SERIALIZATION \
 " acceptable ciphersuite names:\n"
 
 #define ALPN_LIST_SIZE 10
From f7fce9200c73bbbfc92116a94f8d1d856422096e Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 17 Aug 2021 13:16:08 +0800
Subject: [PATCH 41/50] Remove rsa_pss_rsae_sha256 from preset_sig_algs.
To keep consistent with ssl_{clien2t,server2}.
Change-Id: I08dbe47a3d9b778ba3acad283f608fef4e63c626
CustomizedGitHooks: yes
Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 07d468ca7246..f97b47376ead 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6292,10 +6292,6 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512,
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* MBEDTLS_ECDSA_C */
- /* RSA algorithms */
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256,
-#endif
 MBEDTLS_TLS13_SIG_NONE
 };
 
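Review bot: After this removal every entry left in ssl_preset_default_sig_algs is an ECDSA value under `#if defined(MBEDTLS_ECDSA_C)`, so a build without ECDSA ends up with a default list consisting only of `MBEDTLS_TLS13_SIG_NONE`, and even with ECDSA the library default no longer offers any RSA signature scheme for TLS 1.3. "To keep consistent with ssl_client2/ssl_server2" explains the test programs' lists, but it silently narrows the library default that every application inheriting the preset gets; what an empty default list does at handshake time is not visible here. Either keep the RSA-PSS entry in the library preset and let the programs override it, or state the reduced default and its consequence for RSA certificates in the commit message and the mbedtls_ssl_conf_sig_algs documentation.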
From 7899de839cf26941be5525402078752839cdf6d7 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 17 Aug 2021 13:09:23 +0800
Subject: [PATCH 42/50] fix comments and format issues
Change-Id: I927d97f9d788389d6abb9edbda0f7c3e2f8e9b63
CustomizedGitHooks: yes
Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 9 +++++----
 library/ssl_tls.c | 9 +--------
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c62f730b3e89..c867e025c4b0 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1184,7 +1184,7 @@ struct mbedtls_ssl_config
 const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
- const uint16_t* MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms in TLS 1.3 */
+ const uint16_t *MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms for TLS 1.3 */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #endif
 
@@ -3036,9 +3036,10 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 * \brief Configure allowed signature algorithms for use in TLS 1.3
 *
 * \param conf The SSL configuration to use.
- * \param sig_algs A 0-terminated list of IANA values for TLS 1.3 signature algorithms,
- * with the most preferred algorithm listed first. Supported values
- * are available as \c MBEDTLS_TLS13_SIG_XXX.
+ * \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
+ * terminated by \c MBEDTLS_TLS13_SIG_NONE. The list must remain
+ * available throughout the liftime of the conf object. Supported
+ * values are available as \c MBEDTLS_TLS13_SIG_XXXX
 */
 void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
 const uint16_t* sig_algs );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f97b47376ead..909a32a594d1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3935,14 +3935,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 }
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
-/**
- * \brief Configure allowed signature algorithms for use in TLS 1.3
- *
- * \param conf The SSL configuration to use.
- * \param sig_algs A 0-terminated list of IANA values for TLS 1.3 signature algorithms,
- * with the most preferred algorithm listed first. Supported values
- * are available as \c MBEDTLS_TLS13_SIG_XXX.
- */
+/* Configure allowed signature algorithms for use in TLS 1.3 */
 void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
 const uint16_t* sig_algs )
 {
From 7276f13c9385fdaba52be47a6a528a9e7217dd35 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 17 Aug 2021 18:25:48 +0800
Subject: [PATCH 43/50] fix comments for sig_algs parser
Change-Id: I68bd691c4b67fb18ff9d55ead34f5517b1b981de
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_client2.c | 2 +-
 programs/ssl/ssl_server2.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 17b1ccf93948..08f993466d8e 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1482,7 +1482,7 @@ int main( int argc, char *argv[] )
 p = (char *) opt.sig_algs;
 i = 0;
 
- /* Leave room for a final NULL in signature algorithm list */
+ /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list(sig_alg_list) */
 while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
 {
 q = p;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c7110e850e44..d5ec6a7cd4cd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2205,7 +2205,7 @@ int main( int argc, char *argv[] )
 p = (char *) opt.sig_algs;
 i = 0;
 
- /* Leave room for a final NULL in signature algorithm list */
+ /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list(sig_alg_list) */
 while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
 {
 q = p;
From 447a3bee1774e260d53dd3df47ebbe00f9a26f82 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Wed, 18 Aug 2021 09:55:32 +0800
Subject: [PATCH 44/50] fix wrong typo and format issues
Change-Id: I99a4c7d28c26bfcc43bc8947485d1dfafb6974dc
Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 2 +-
 programs/ssl/ssl_client2.c | 2 +-
 programs/ssl/ssl_server2.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c867e025c4b0..f537e864a931 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3038,7 +3038,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 * \param conf The SSL configuration to use.
 * \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
 * terminated by \c MBEDTLS_TLS13_SIG_NONE. The list must remain
- * available throughout the liftime of the conf object. Supported
+ * available throughout the lifetime of the conf object. Supported
 * values are available as \c MBEDTLS_TLS13_SIG_XXXX
 */
 void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 08f993466d8e..1400961b8c21 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1482,7 +1482,7 @@ int main( int argc, char *argv[] )
 p = (char *) opt.sig_algs;
 i = 0;
 
- /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list(sig_alg_list) */
+ /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */
 while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
 {
 q = p;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d5ec6a7cd4cd..b9a789e7298c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2205,7 +2205,7 @@ int main( int argc, char *argv[] )
 p = (char *) opt.sig_algs;
 i = 0;
 
- /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list(sig_alg_list) */
+ /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */
 while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
 {
 q = p;
From cadebe5343c40d2e17b4acb24b5024290f63d98d Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 24 Aug 2021 10:36:45 +0800
Subject: [PATCH 45/50] fix several format and comment issues
Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 2 +-
 library/ssl_tls.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 70dc501c0bf0..d328d23cdbb8 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2582,7 +2582,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
 * the server supports.
 *
 * \warning The ciphersuites array \p ciphersuites is not copied.
- * It must remain valid for the lifetime the SSL
+ * It must remain valid for the lifetime of the SSL
 * configuration \p conf.
 *
 * \param conf The SSL configuration to modify.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4933980cd9ed..834a23983f35 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3549,7 +3549,7 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
 }
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
-void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf,
+void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
 const int kex_modes )
 {
 conf->tls13_kex_modes = kex_modes;
From 69e0ec46b7db6c90539e360f2275a41821fbdd8b Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 24 Aug 2021 10:44:15 +0800
Subject: [PATCH 46/50] Replace SHA512_C with SHA384_C
Signed-off-by: Jerry Yu
---
 library/ssl_ciphersuites.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 9a416c811d31..b10a9634ef43 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -295,14 +295,14 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 #if defined(MBEDTLS_AES_C)
 #if defined(MBEDTLS_GCM_C)
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA384_C)
 { MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384",
 MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384,
 MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
 MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
 MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
 0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SHA384_C */
 #if defined(MBEDTLS_SHA256_C)
 { MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256",
 MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256,
From 31c01d303eddf649ba076fb0e6ee5d1405b16ee8 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 24 Aug 2021 10:49:06 +0800
Subject: [PATCH 47/50] Rename available values for tls13_kex_modes
Rename `psk_pure` to `psk` and `ephemeral_pure` to `ephemeral`
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_client2.c | 6 +++---
 programs/ssl/ssl_server2.c | 6 +++---
 tests/ssl-opt.sh | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 223b7bff2f2c..f583f2267c38 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -339,7 +339,7 @@ int main( void )
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 #define USAGE_TLS13_KEY_EXCHANGE_MODES \
 " tls13_kex_modes=%%s default: all\n" \
- " options: psk_pure, psk_ephemeral, ephemeral_pure, ephemeral_all, psk_all, all\n"
+ " options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n"
 #else
 #define USAGE_TLS13_KEY_EXCHANGE_MODES ""
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
@@ -1091,11 +1091,11 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 else if( strcmp( p, "tls13_kex_modes" ) == 0 )
 {
- if( strcmp( q, "psk_pure" ) == 0 )
+ if( strcmp( q, "psk" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
 else if( strcmp(q, "psk_ephemeral" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
- else if( strcmp(q, "ephemeral_pure" ) == 0 )
+ else if( strcmp(q, "ephemeral" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
 else if( strcmp(q, "ephemeral_all" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 87558f54cbf1..a339bbf53cfb 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -436,7 +436,7 @@ int main( void )
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 #define USAGE_TLS13_KEY_EXCHANGE_MODES \
 " tls13_kex_modes=%%s default: all\n" \
- " options: psk_pure, psk_ephemeral, ephemeral_pure, ephemeral_all, psk_all, all\n"
+ " options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n"
 #else
 #define USAGE_TLS13_KEY_EXCHANGE_MODES ""
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
@@ -1734,11 +1734,11 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
 else if( strcmp( p, "tls13_kex_modes" ) == 0 )
 {
- if( strcmp( q, "psk_pure" ) == 0 )
+ if( strcmp( q, "psk" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
 else if( strcmp(q, "psk_ephemeral" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
- else if( strcmp(q, "ephemeral_pure" ) == 0 )
+ else if( strcmp(q, "ephemeral" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
 else if( strcmp(q, "ephemeral_all" ) == 0 )
 opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 56c4a5fba79e..6066bc702a3a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1458,8 +1458,8 @@ run_test "SHA-256 allowed by default in client certificate" \
 # ssl_client2/ssl_server2 example programs works.
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \
- "$P_SRV tls13_kex_modes=psk_pure" \
- "$P_CLI tls13_kex_modes=psk_pure" \
+ "$P_SRV tls13_kex_modes=psk" \
+ "$P_CLI tls13_kex_modes=psk" \
 0
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \
@@ -1468,8 +1468,8 @@ run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \
 0
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \
- "$P_SRV tls13_kex_modes=ephemeral_pure" \
- "$P_CLI tls13_kex_modes=ephemeral_pure" \
+ "$P_SRV tls13_kex_modes=ephemeral" \
+ "$P_CLI tls13_kex_modes=ephemeral" \
 0
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \
From d85a52c508b49c337b9c5bb294c2636daa4d7aa7 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 24 Aug 2021 10:55:07 +0800
Subject: [PATCH 48/50] Add mask for kex_modes
Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 834a23983f35..8a65b70adb59 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3552,7 +3552,7 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
 const int kex_modes )
 {
- conf->tls13_kex_modes = kex_modes;
+ conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 
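Review bot: The new `kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL` silently discards any bit outside the defined set, and since the function returns void the caller is never told its mask was altered; a value with no valid bit is stored as 0 just as quietly. For a configuration entry point that decides which key exchanges a peer may negotiate, a rejected or reduced mask should be visible to the caller or at least to a reader of the API, so the masking rule belongs in the public documentation of mbedtls_ssl_conf_tls13_key_exchange_modes in ssl.h, e.g. `\note Bits outside MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL are silently discarded.`, and a one-line comment at the assignment here. The commit message also says only "Add mask" without stating why unknown bits are expected at this layer.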
From 1eb4bf6a2961acb74085333c012c16d237813980 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Fri, 12 Nov 2021 17:34:04 +0100
Subject: [PATCH 49/50] Fix duplication of mbedtls_ssl_tls13_populate_transform
---
 library/ssl_tls13_generic.c | 108 ------------------------------------
 1 file changed, 108 deletions(-)
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 99c6db8d8ef4..748a0895a4cc 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1998,114 +1998,6 @@ static int ssl_read_certificate_postprocess( mbedtls_ssl_context* ssl )
 return( 0 );
 }
-int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
- int endpoint,
- int ciphersuite,
- mbedtls_ssl_key_set const *traffic_keys,
- mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
-{
- int ret;
- mbedtls_cipher_info_t const *cipher_info;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
- unsigned char const *key_enc;
- unsigned char const *iv_enc;
- unsigned char const *key_dec;
- unsigned char const *iv_dec;
-
-#if !defined(MBEDTLS_DEBUG_C)
- ssl = NULL; /* make sure we don't use it except for those cases */
- (void) ssl;
-#endif
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
-
- cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
- if( cipher_info == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- /*
- * Setup cipher contexts in target transform
- */
-
- if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
- cipher_info ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
- return( ret );
- }
-
- if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
- cipher_info ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
- return( ret );
- }
-
-#if defined(MBEDTLS_SSL_SRV_C)
- if( endpoint == MBEDTLS_SSL_IS_SERVER )
- {
- key_enc = traffic_keys->server_write_key;
- key_dec = traffic_keys->client_write_key;
- iv_enc = traffic_keys->server_write_iv;
- iv_dec = traffic_keys->client_write_iv;
- }
- else
-#endif /* MBEDTLS_SSL_SRV_C */
-#if defined(MBEDTLS_SSL_CLI_C)
- if( endpoint == MBEDTLS_SSL_IS_CLIENT )
- {
- key_enc = traffic_keys->client_write_key;
- key_dec = traffic_keys->server_write_key;
- iv_enc = traffic_keys->client_write_iv;
- iv_dec = traffic_keys->server_write_iv;
- }
- else
-#endif /* MBEDTLS_SSL_CLI_C */
- {
- /* should not happen */
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
- memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
-
- if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
- key_enc, cipher_info->key_bitlen,
- MBEDTLS_ENCRYPT ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
- return( ret );
- }
-
- if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
- key_dec, cipher_info->key_bitlen,
- MBEDTLS_DECRYPT ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
- return( ret );
- }
-
- /*
- * Setup other fields in SSL transform
- */
-
- if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
- transform->taglen = 8;
- else
- transform->taglen = 16;
-
- transform->ivlen = traffic_keys->iv_len;
- transform->maclen = 0;
- transform->fixed_ivlen = transform->ivlen;
- transform->minlen = transform->taglen + 1;
- transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
-
- return( 0 );
-}
-
 void mbedtls_ssl_handshake_wrapup_tls13( mbedtls_ssl_context *ssl )
 {

From c009b429573e2c8320c08028b0c84f2796fe5aba Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Fri, 12 Nov 2021 17:35:07 +0100
Subject: [PATCH 50/50] Fix all.sh components to test TLS 1.3 padding

Remove all.sh components running the ssl unit test suite as the test suite is not operational in the prototype. Add instead two components to test padding with compat.sh and ssl-opt.sh.
---
 tests/scripts/all.sh | 56 ++++++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 20 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 7e5ed3c7291a..ca317b7a97b7 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2058,6 +2058,7 @@ component_test_tls13 () {
 scripts/config.py set MBEDTLS_SSL_USE_MPS
 scripts/config.py set MBEDTLS_RSA_C
 scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
 cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg .
 make
@@ -2074,6 +2075,41 @@ component_test_tls13_no_mps () {
 scripts/config.py unset MBEDTLS_SSL_USE_MPS
 scripts/config.py set MBEDTLS_RSA_C
 scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
+ cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg .
+ make
+
+ msg "test: TLS 1.3 without MPS compat.sh"
+ if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA
+
+ msg "test: TLS 1.3 without MPS ssl-opt.sh"
+ if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3"
+}
+
+component_test_tls13_with_padding () {
+ msg "build: TLS 1.3 (ASanDbg) "
+ scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+ scripts/config.py set MBEDTLS_SSL_USE_MPS
+ scripts/config.py set MBEDTLS_RSA_C
+ scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
+ cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg .
+ make
+
+ msg "test: TLS 1.3 compat.sh"
+ if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA
+
+ msg "test: TLS 1.3 ssl-opt.sh"
+ if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3"
+}
+
+component_test_tls13_no_mps_with_padding () {
+ msg "build: TLS 1.3 without MPS (ASanDbg) "
+ scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+ scripts/config.py unset MBEDTLS_SSL_USE_MPS
+ scripts/config.py set MBEDTLS_RSA_C
+ scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
 cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg .
 make
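Review bot: In the second hunk, `component_test_tls13_no_mps_with_padding` sets `MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1`, the same value as `component_test_tls13_no_mps` and the other non-padded builds, so the "with padding" no-MPS component never exercises padding; `component_test_tls13_with_padding` uses 16, and this line should match it: `scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16`. The two new components also reuse the exact `msg "build: ..."` strings of their non-padded counterparts, which leaves the four builds indistinguishable in the all.sh log; appending ", with padding" to those msg strings would fix that. Minor: the granularity lines use `scripts/config.pl` while every adjacent line in the same functions uses `scripts/config.py` (the first hunk has the same mix). The body of component_test_tls13_no_mps_with_padding continues past the hunk's trailing context lines.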
@@ -2528,26 +2564,6 @@ component_build_armcc () {
 armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
 }
-component_test_tls13_experimental () {
- msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, without padding"
- scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
- scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
- msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, without padding"
- make test
-}
-
-component_test_tls13_experimental_with_padding () {
- msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, with padding"
- scripts/config.pl set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
- scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
- msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL enabled, with padding"
- make test
-}
-
 component_build_mingw () {
 msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
 make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs