Merge remote-tracking branch 'origin/pr/2386' into development-psa
This commit is contained in:
commit
80b566267f
@ -27,6 +27,10 @@
|
||||
#include "ssl.h"
|
||||
#include "cipher.h"
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
#include "md5.h"
|
||||
#endif
|
||||
@ -370,11 +374,19 @@ struct mbedtls_ssl_handshake_params
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_operation_t fin_sha256_psa;
|
||||
#else
|
||||
mbedtls_sha256_context fin_sha256;
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_operation_t fin_sha384_psa;
|
||||
#else
|
||||
mbedtls_sha512_context fin_sha512;
|
||||
#endif
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
|
@ -1426,7 +1426,7 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
|
||||
mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
|
||||
mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
|
||||
|
||||
mbedtls_md5_finish_ret( &md5, hash );
|
||||
mbedtls_md5_finish_ret( &md5, hash );
|
||||
mbedtls_sha1_finish_ret( &sha1, hash + 16 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
|
||||
@ -1443,6 +1443,28 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
psa_status_t status;
|
||||
psa_hash_operation_t sha256_psa = psa_hash_operation_init();
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
|
||||
status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
|
||||
return;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
|
||||
#else
|
||||
mbedtls_sha256_context sha256;
|
||||
|
||||
mbedtls_sha256_init( &sha256 );
|
||||
@ -1456,7 +1478,7 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
|
||||
|
||||
mbedtls_sha256_free( &sha256 );
|
||||
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return;
|
||||
}
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
@ -1464,6 +1486,28 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
psa_status_t status;
|
||||
psa_hash_operation_t sha384_psa = psa_hash_operation_init();
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
|
||||
status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
|
||||
return;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
|
||||
#else
|
||||
mbedtls_sha512_context sha512;
|
||||
|
||||
mbedtls_sha512_init( &sha512 );
|
||||
@ -1477,7 +1521,7 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
|
||||
|
||||
mbedtls_sha512_free( &sha512 );
|
||||
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return;
|
||||
}
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
@ -6248,11 +6292,21 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort( &ssl->handshake->fin_sha256_psa );
|
||||
psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
|
||||
#else
|
||||
mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort( &ssl->handshake->fin_sha384_psa );
|
||||
psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
|
||||
#else
|
||||
mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
|
||||
#endif
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
}
|
||||
|
||||
@ -6266,11 +6320,19 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
|
||||
#else
|
||||
mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
|
||||
#else
|
||||
mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
|
||||
#endif
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
}
|
||||
|
||||
@ -6289,7 +6351,11 @@ static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
|
||||
static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
|
||||
#else
|
||||
mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -6297,7 +6363,11 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
|
||||
static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
|
||||
#else
|
||||
mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
@ -6453,13 +6523,44 @@ static void ssl_calc_finished_tls_sha256(
|
||||
{
|
||||
int len = 12;
|
||||
const char *sender;
|
||||
mbedtls_sha256_context sha256;
|
||||
unsigned char padbuf[32];
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
psa_hash_operation_t sha256_psa;
|
||||
psa_status_t status;
|
||||
#else
|
||||
mbedtls_sha256_context sha256;
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_session *session = ssl->session_negotiate;
|
||||
if( !session )
|
||||
session = ssl->session;
|
||||
|
||||
sender = ( from == MBEDTLS_SSL_IS_CLIENT )
|
||||
? "client finished"
|
||||
: "server finished";
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
sha256_psa = psa_hash_operation_init();
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
|
||||
|
||||
status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
|
||||
return;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
|
||||
#else
|
||||
|
||||
mbedtls_sha256_init( &sha256 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
|
||||
@ -6477,19 +6578,15 @@ static void ssl_calc_finished_tls_sha256(
|
||||
sha256.state, sizeof( sha256.state ) );
|
||||
#endif
|
||||
|
||||
sender = ( from == MBEDTLS_SSL_IS_CLIENT )
|
||||
? "client finished"
|
||||
: "server finished";
|
||||
|
||||
mbedtls_sha256_finish_ret( &sha256, padbuf );
|
||||
mbedtls_sha256_free( &sha256 );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
ssl->handshake->tls_prf( session->master, 48, sender,
|
||||
padbuf, 32, buf, len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
|
||||
|
||||
mbedtls_sha256_free( &sha256 );
|
||||
|
||||
mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
|
||||
@ -6502,13 +6599,43 @@ static void ssl_calc_finished_tls_sha384(
|
||||
{
|
||||
int len = 12;
|
||||
const char *sender;
|
||||
mbedtls_sha512_context sha512;
|
||||
unsigned char padbuf[48];
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
psa_hash_operation_t sha384_psa;
|
||||
psa_status_t status;
|
||||
#else
|
||||
mbedtls_sha512_context sha512;
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_session *session = ssl->session_negotiate;
|
||||
if( !session )
|
||||
session = ssl->session;
|
||||
|
||||
sender = ( from == MBEDTLS_SSL_IS_CLIENT )
|
||||
? "client finished"
|
||||
: "server finished";
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
sha384_psa = psa_hash_operation_init();
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
|
||||
|
||||
status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
|
||||
return;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
|
||||
#else
|
||||
mbedtls_sha512_init( &sha512 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
|
||||
@ -6526,19 +6653,15 @@ static void ssl_calc_finished_tls_sha384(
|
||||
sha512.state, sizeof( sha512.state ) );
|
||||
#endif
|
||||
|
||||
sender = ( from == MBEDTLS_SSL_IS_CLIENT )
|
||||
? "client finished"
|
||||
: "server finished";
|
||||
|
||||
mbedtls_sha512_finish_ret( &sha512, padbuf );
|
||||
mbedtls_sha512_free( &sha512 );
|
||||
#endif
|
||||
|
||||
ssl->handshake->tls_prf( session->master, 48, sender,
|
||||
padbuf, 48, buf, len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
|
||||
|
||||
mbedtls_sha512_free( &sha512 );
|
||||
|
||||
mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
|
||||
@ -6849,13 +6972,23 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
handshake->fin_sha256_psa = psa_hash_operation_init();
|
||||
psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
|
||||
#else
|
||||
mbedtls_sha256_init( &handshake->fin_sha256 );
|
||||
mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
handshake->fin_sha384_psa = psa_hash_operation_init();
|
||||
psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
|
||||
#else
|
||||
mbedtls_sha512_init( &handshake->fin_sha512 );
|
||||
mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
|
||||
#endif
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
handshake->update_checksum = ssl_update_checksum_start;
|
||||
@ -9158,11 +9291,19 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort( &handshake->fin_sha256_psa );
|
||||
#else
|
||||
mbedtls_sha256_free( &handshake->fin_sha256 );
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort( &handshake->fin_sha384_psa );
|
||||
#else
|
||||
mbedtls_sha512_free( &handshake->fin_sha512 );
|
||||
#endif
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#if defined(MBEDTLS_DHM_C)
|
||||
|
@ -755,13 +755,17 @@ run_test() {
|
||||
run_test_psa() {
|
||||
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
|
||||
run_test "PSA-supported ciphersuite: $1" \
|
||||
"$P_SRV debug_level=1 force_version=tls1_2" \
|
||||
"$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \
|
||||
"$P_SRV debug_level=2 force_version=tls1_2" \
|
||||
"$P_CLI debug_level=2 force_version=tls1_2 force_ciphersuite=$1" \
|
||||
0 \
|
||||
-c "Successfully setup PSA-based decryption cipher context" \
|
||||
-c "Successfully setup PSA-based encryption cipher context" \
|
||||
-c "PSA calc verify" \
|
||||
-c "calc PSA finished" \
|
||||
-s "Successfully setup PSA-based decryption cipher context" \
|
||||
-s "Successfully setup PSA-based encryption cipher context" \
|
||||
-s "PSA calc verify" \
|
||||
-s "calc PSA finished" \
|
||||
-C "Failed to setup PSA-based cipher context"\
|
||||
-S "Failed to setup PSA-based cipher context"\
|
||||
-s "Protocol is TLSv1.2" \
|
||||
|
Loading…
Reference in New Issue
Block a user