diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt new file mode 100644 index 0000000000..079cd741dc --- /dev/null +++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt @@ -0,0 +1,4 @@ +Security + * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does + not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. diff --git a/ChangeLog.d/ecdsa-conversion-overflow.txt b/ChangeLog.d/ecdsa-conversion-overflow.txt new file mode 100644 index 0000000000..83b7f2f88b --- /dev/null +++ b/ChangeLog.d/ecdsa-conversion-overflow.txt @@ -0,0 +1,6 @@ +Security + * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and + mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the + largest supported curve. In some configurations with PSA disabled, + all values of bits are affected. This never happens in internal library + calls, but can affect applications that call these functions directly. diff --git a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt new file mode 100644 index 0000000000..b81fb426a7 --- /dev/null +++ b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt @@ -0,0 +1,11 @@ +Security + * With TLS 1.3, when a server enables optional authentication of the + client, if the client-provided certificate does not have appropriate values + in keyUsage or extKeyUsage extensions, then the return value of + mbedtls_ssl_get_verify_result() would incorrectly have the + MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits + clear. As a result, an attacker that had a certificate valid for uses other + than TLS client authentication could be able to use it for TLS client + authentication anyway. Only TLS 1.3 servers were affected, and only with + optional authentication (required would abort the handshake with a fatal + alert). diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt new file mode 100644 index 0000000000..dba25af611 --- /dev/null +++ b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix a memory leak that could occur when failing to process an RSA + key through some PSA functions due to low memory conditions. diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 4a5f21a1e6..80009c043b 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3832,11 +3832,18 @@ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * PSA crypto subsystem. * - * If this option is unset: - * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. - * - Otherwise, the PSA subsystem uses HMAC_DRBG with either - * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and - * on unspecified heuristics. + * If this option is unset, the library chooses a hash (currently between + * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and + * unspecified heuristics. + * + * \note The PSA crypto subsystem uses the first available mechanism amongst + * the following: + * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES + * if #MBEDTLS_CTR_DRBG_C is enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG. + * + * A future version may reevaluate the prioritization of DRBG mechanisms. */ //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 8ac6579e05..651a17b5a2 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -714,6 +714,18 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) /* * Secondary checks: always done, but change 'ret' only if it was 0 */ + /* keyUsage */ + if ((mbedtls_x509_crt_check_key_usage( + ssl->session_negotiate->peer_cert, + MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); + if (ret == 0) { + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + verify_result |= MBEDTLS_X509_BADCERT_KEY_USAGE; + } + + /* extKeyUsage */ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { ext_oid = MBEDTLS_OID_SERVER_AUTH; ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); @@ -722,16 +734,14 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); } - if ((mbedtls_x509_crt_check_key_usage( - ssl->session_negotiate->peer_cert, - MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) || - (mbedtls_x509_crt_check_extended_key_usage( + if ((mbedtls_x509_crt_check_extended_key_usage( ssl->session_negotiate->peer_cert, ext_oid, ext_len) != 0)) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); if (ret == 0) { ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; } + verify_result |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; } /* mbedtls_x509_crt_verify_with_profile is supposed to report a diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f1f85a036e..b0ecfd0b4b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2204,7 +2204,9 @@ usage: ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret); - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) { mbedtls_printf( " Unable to verify the server's certificate. " "Either it is invalid,\n" @@ -2215,7 +2217,13 @@ usage: "not using TLS 1.3.\n" " For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`" "or other folder that has root certificates\n"); + + flags = mbedtls_ssl_get_verify_result(&ssl); + char vrfy_buf[512]; + x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags); + mbedtls_printf("%s\n", vrfy_buf); } +#endif mbedtls_printf("\n"); goto exit; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cc895a1a6e..714f71d85e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3505,7 +3505,8 @@ handshake: (unsigned int) -ret); #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) { char vrfy_buf[512]; flags = mbedtls_ssl_get_verify_result(&ssl); diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh index 31aae31b61..2eb2b0f432 100644 --- a/tests/scripts/components-sanitizers.sh +++ b/tests/scripts/components-sanitizers.sh @@ -49,6 +49,7 @@ component_test_memsan_constant_flow () { scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + scripts/config.py unset MBEDTLS_HAVE_ASM CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . make @@ -67,6 +68,7 @@ component_test_memsan_constant_flow_psa () { scripts/config.py full scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + scripts/config.py unset MBEDTLS_HAVE_ASM CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . make diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 216bbd061b..531eb74560 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -7640,22 +7640,26 @@ run_test "ALPN: both, no common" \ # Tests for keyUsage in leaf certificates, part 1: # server-side certificate/suite selection +# +# This is only about 1.2 (for 1.3, all key exchanges use signatures). +# In 4.0 this will probably go away as all TLS 1.2 key exchanges will use +# signatures too, following the removal of RSA #8170 and static ECDH #9201. -run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \ +run_test "keyUsage srv 1.2: RSA, digitalSignature -> (EC)DHE-RSA" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ crt_file=$DATA_FILES_PATH/server2.ku-ds.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-" -run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \ +run_test "keyUsage srv 1.2: RSA, keyEncipherment -> RSA" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ crt_file=$DATA_FILES_PATH/server2.ku-ke.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-" -run_test "keyUsage srv: RSA, keyAgreement -> fail" \ +run_test "keyUsage srv 1.2: RSA, keyAgreement -> fail" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ crt_file=$DATA_FILES_PATH/server2.ku-ka.crt" \ "$P_CLI" \ @@ -7663,7 +7667,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ -C "Ciphersuite is " requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ +run_test "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ crt_file=$DATA_FILES_PATH/server5.ku-ds.crt" \ "$P_CLI" \ @@ -7671,14 +7675,14 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" -run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ +run_test "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-ECDH-" -run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ +run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \ "$P_CLI" \ @@ -7687,8 +7691,12 @@ run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ # Tests for keyUsage in leaf certificates, part 2: # client-side checking of server cert +# +# TLS 1.3 uses only signature, but for 1.2 it depends on the key exchange. +# In 4.0 this will probably change as all TLS 1.2 key exchanges will use +# signatures too, following the removal of RSA #8170 and static ECDH #9201. -run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ +run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, RSA: OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ "$P_CLI debug_level=1 \ @@ -7698,7 +7706,7 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ +run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ "$P_CLI debug_level=1 \ @@ -7708,7 +7716,7 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ +run_test "keyUsage cli 1.2: KeyEncipherment, RSA: OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ "$P_CLI debug_level=1 \ @@ -7718,28 +7726,32 @@ run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ +run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (hard)" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ - "$P_CLI debug_level=1 \ + "$P_CLI debug_level=3 \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT -run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ +run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (soft)" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ - "$P_CLI debug_level=1 auth_mode=optional \ + "$P_CLI debug_level=3 auth_mode=optional \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ -c "! Usage does not match the keyUsage extension" -run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ +run_test "keyUsage cli 1.2: DigitalSignature, DHE-RSA: OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ "$P_CLI debug_level=1 \ @@ -7749,27 +7761,43 @@ run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: DigitalSignature, RSA: fail" \ +run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (hard)" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ - "$P_CLI debug_level=1 \ + "$P_CLI debug_level=3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT -run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ +run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (soft)" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ - "$P_CLI debug_level=1 auth_mode=optional \ + "$P_CLI debug_level=3 auth_mode=optional \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ -c "! Usage does not match the keyUsage extension" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli 1.3: DigitalSignature, RSA: OK" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \ + "$P_CLI debug_level=3" \ + 0 \ + -C "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is" + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED @@ -7785,26 +7813,32 @@ run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \ +run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail (hard)" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \ +run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail (hard)" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2-sha256.ku-ka.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ @@ -7821,32 +7855,40 @@ run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ +run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail (hard)" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.ku-ke.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \ +run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail (hard)" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # Tests for keyUsage in leaf certificates, part 3: # server-side checking of client cert +# +# Here, both 1.2 and 1.3 only use signatures. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \ +run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ @@ -7856,25 +7898,40 @@ run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \ +run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature+KeyEncipherment: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ + 0 \ + -s "Verifying peer X.509 certificate... ok" \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ - "$P_SRV debug_level=1 force_version=tls12 auth_mode=required" \ +run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls12 auth_mode=required" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ 1 \ -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ +run_test "keyUsage cli-auth 1.2: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.ku-ds.crt" \ @@ -7884,14 +7941,28 @@ run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ - "$P_SRV debug_level=1 auth_mode=optional" \ +run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (hard)" \ + "$P_SRV debug_level=3 auth_mode=required" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED @@ -7907,14 +7978,43 @@ run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \ +run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature+KeyEncipherment: OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \ + 0 \ + -s "Verifying peer X.509 certificate... ok" \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \ -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server2.key \ + crt_file=$DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "Processing of the Certificate handshake message failed" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "! mbedtls_ssl_handshake returned" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED @@ -7931,13 +8031,29 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \ - "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "Processing of the Certificate handshake message failed" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "! mbedtls_ssl_handshake returned" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection requires_key_exchange_with_cert_in_tls12_or_tls13_enabled @@ -7971,7 +8087,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ # Tests for extendedKeyUsage, part 2: client-side checking of server cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: serverAuth -> OK" \ +run_test "extKeyUsage cli 1.2: serverAuth -> OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-srv.crt" \ "$P_CLI debug_level=1" \ @@ -7981,7 +8097,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ +run_test "extKeyUsage cli 1.2: serverAuth,clientAuth -> OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ "$P_CLI debug_level=1" \ @@ -7991,7 +8107,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ +run_test "extKeyUsage cli 1.2: codeSign,anyEKU -> OK" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ "$P_CLI debug_level=1" \ @@ -8001,14 +8117,30 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: codeSign -> fail" \ +run_test "extKeyUsage cli 1.2: codeSign -> fail (soft)" \ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3 auth_mode=optional" \ + 0 \ + -c "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "extKeyUsage cli 1.2: codeSign -> fail (hard)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ @@ -8049,19 +8181,22 @@ run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "extKeyUsage cli 1.3: codeSign -> fail" \ +run_test "extKeyUsage cli 1.3: codeSign -> fail (hard)" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # Tests for extendedKeyUsage, part 3: server-side checking of client cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: clientAuth -> OK" \ +run_test "extKeyUsage cli-auth 1.2: clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cli.crt" \ @@ -8070,7 +8205,7 @@ run_test "extKeyUsage cli-auth: clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ +run_test "extKeyUsage cli-auth 1.2: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ @@ -8079,7 +8214,7 @@ run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ +run_test "extKeyUsage cli-auth 1.2: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ @@ -8088,22 +8223,27 @@ run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ - "$P_SRV debug_level=1 auth_mode=optional" \ +run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 0 \ -s "bad certificate (usage extensions)" \ - -S "Processing of the Certificate handshake message failed" + -S "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ + -S "Processing of the Certificate handshake message failed" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ +run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (hard)" \ + "$P_SRV debug_level=3 auth_mode=required" \ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 1 \ -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ @@ -8142,13 +8282,29 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \ - "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-cs.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ + -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + # Tests for DHM parameters loading run_test "DHM parameters: reference" \ diff --git a/tf-psa-crypto/core/psa_crypto_random_impl.h b/tf-psa-crypto/core/psa_crypto_random_impl.h index 9049822ebf..1d9c02ad5a 100644 --- a/tf-psa-crypto/core/psa_crypto_random_impl.h +++ b/tf-psa-crypto/core/psa_crypto_random_impl.h @@ -21,13 +21,10 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; #include "mbedtls/entropy.h" /* Choose a DRBG based on configuration and availability */ -#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) - -#include "mbedtls/hmac_drbg.h" - -#elif defined(MBEDTLS_CTR_DRBG_C) +#if defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/ctr_drbg.h" +#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE #elif defined(MBEDTLS_HMAC_DRBG_C) @@ -49,17 +46,11 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; #error "No hash algorithm available for HMAC_DBRG." #endif -#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ +#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ #error "No DRBG module available for the psa_crypto module." -#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ - -#if defined(MBEDTLS_CTR_DRBG_C) -#include "mbedtls/ctr_drbg.h" -#elif defined(MBEDTLS_HMAC_DRBG_C) -#include "mbedtls/hmac_drbg.h" -#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ +#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ /* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */ #if defined(MBEDTLS_CTR_DRBG_C) diff --git a/tf-psa-crypto/core/psa_crypto_rsa.c b/tf-psa-crypto/core/psa_crypto_rsa.c index f8e36d8b12..5fe26ec87c 100644 --- a/tf-psa-crypto/core/psa_crypto_rsa.c +++ b/tf-psa-crypto/core/psa_crypto_rsa.c @@ -197,16 +197,13 @@ psa_status_t mbedtls_psa_rsa_export_public_key( status = mbedtls_psa_rsa_load_representation( attributes->type, key_buffer, key_buffer_size, &rsa); - if (status != PSA_SUCCESS) { - return status; + if (status == PSA_SUCCESS) { + status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY, + rsa, + data, + data_size, + data_length); } - - status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY, - rsa, - data, - data_size, - data_length); - mbedtls_rsa_free(rsa); mbedtls_free(rsa); @@ -264,6 +261,7 @@ psa_status_t mbedtls_psa_rsa_generate_key( (unsigned int) attributes->bits, exponent); if (ret != 0) { + mbedtls_rsa_free(&rsa); return mbedtls_to_psa_error(ret); } @@ -330,7 +328,7 @@ psa_status_t mbedtls_psa_rsa_sign_hash( key_buffer_size, &rsa); if (status != PSA_SUCCESS) { - return status; + goto exit; } status = psa_rsa_decode_md_type(alg, hash_length, &md_alg); diff --git a/tf-psa-crypto/core/psa_util.c b/tf-psa-crypto/core/psa_util.c index 7db8bd1fca..779a852a51 100644 --- a/tf-psa-crypto/core/psa_util.c +++ b/tf-psa-crypto/core/psa_util.c @@ -443,6 +443,9 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l if (raw_len != (2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } + if (coordinate_len > sizeof(r)) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } /* Since raw and der buffers might overlap, dump r and s before starting * the conversion. */ @@ -561,6 +564,9 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l if (raw_size < coordinate_size * 2) { return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; } + if (2 * coordinate_size > sizeof(raw_tmp)) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } /* Check that the provided input DER buffer has the right header. */ ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len, diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.c b/tf-psa-crypto/drivers/builtin/src/bignum_core.c index 1a3e0b9b6f..39ab6e9091 100644 --- a/tf-psa-crypto/drivers/builtin/src/bignum_core.c +++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c @@ -449,9 +449,10 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X, mbedtls_mpi_uint c = 0; for (size_t i = 0; i < limbs; i++) { - mbedtls_mpi_uint z = (A[i] < c); + mbedtls_mpi_uint z = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(A[i], c), + 1, 0); mbedtls_mpi_uint t = A[i] - c; - c = (t < B[i]) + z; + c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(t, B[i]), 1, 0) + z; X[i] = t - B[i]; } @@ -489,7 +490,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len, while (excess_len--) { *d += c; - c = (*d < c); + c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(*d, c), 1, 0); d++; } diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.h b/tf-psa-crypto/drivers/builtin/src/bignum_core.h index 92c8d47db5..51ecca5ff7 100644 --- a/tf-psa-crypto/drivers/builtin/src/bignum_core.h +++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.h @@ -376,6 +376,9 @@ mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X, * \p X may be aliased to \p A or \p B, or even both, but may not overlap * either otherwise. * + * This function operates in constant time with respect to the values + * of \p A and \p B. + * * \param[out] X The result of the subtraction. * \param[in] A Little-endian presentation of left operand. * \param[in] B Little-endian presentation of right operand. @@ -397,6 +400,9 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X, * * This function operates modulo `2^(biL*X_limbs)`. * + * This function operates in constant time with respect to the values + * of \p X and \p A and \p b. + * * \param[in,out] X The pointer to the (little-endian) array * representing the bignum to accumulate onto. * \param X_limbs The number of limbs of \p X. This must be @@ -456,6 +462,10 @@ mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N); * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may * not alias \p N (since they must be in canonical form, they cannot == \p N). * + * This function operates in constant time with respect + * to the values of \p A, \p B and \p N. + * + * * \param[out] X The destination MPI, as a little-endian array of * length \p AN_limbs. * On successful completion, X contains the result of @@ -611,6 +621,9 @@ size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs); * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs == * \p AN_limbs. * + * This function operates in constant time with respect + * to the values of \p A, \p N and \p E. + * * \param[out] X The destination MPI, as a little endian array of length * \p AN_limbs. * \param[in] A The base MPI, as a little endian array of length \p AN_limbs. diff --git a/tf-psa-crypto/tests/suites/test_suite_bignum_core.function b/tf-psa-crypto/tests/suites/test_suite_bignum_core.function index db84d6238f..6c0bd1e0c4 100644 --- a/tf-psa-crypto/tests/suites/test_suite_bignum_core.function +++ b/tf-psa-crypto/tests/suites/test_suite_bignum_core.function @@ -660,31 +660,48 @@ void mpi_core_sub(char *input_A, char *input_B, memcpy(b, B.p, B.n * sizeof(mbedtls_mpi_uint)); memcpy(x, X.p, X.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(a, bytes); + TEST_CF_SECRET(b, bytes); + /* 1a) r = a - b => we should get the correct carry */ TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, a, b, limbs)); + TEST_CF_PUBLIC(r, bytes); + /* 1b) r = a - b => we should get the correct result */ TEST_MEMORY_COMPARE(r, bytes, x, bytes); /* 2 and 3 test "r may be aliased to a or b" */ /* 2a) r = a; r -= b => we should get the correct carry (use r to avoid clobbering a) */ memcpy(r, a, bytes); + + TEST_CF_SECRET(r, bytes); + TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, r, b, limbs)); + TEST_CF_PUBLIC(r, bytes); + /* 2b) r -= b => we should get the correct result */ TEST_MEMORY_COMPARE(r, bytes, x, bytes); /* 3a) r = b; r = a - r => we should get the correct carry (use r to avoid clobbering b) */ memcpy(r, b, bytes); + + TEST_CF_SECRET(r, bytes); + TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, a, r, limbs)); + TEST_CF_PUBLIC(r, bytes); + /* 3b) r = a - b => we should get the correct result */ TEST_MEMORY_COMPARE(r, bytes, x, bytes); /* 4 tests "r may be aliased to [...] both" */ if (A.n == B.n && memcmp(A.p, B.p, bytes) == 0) { memcpy(r, b, bytes); + TEST_CF_SECRET(r, bytes); TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, r, r, limbs)); + TEST_CF_PUBLIC(r, bytes); TEST_MEMORY_COMPARE(r, bytes, x, bytes); } @@ -770,16 +787,32 @@ void mpi_core_mla(char *input_A, char *input_B, char *input_S, memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint)); memcpy(x, X->p, X->n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(a, bytes); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint)); + /* 1a) A += B * s => we should get the correct carry */ TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, B.p, B.n, *S.p), *cy->p); + TEST_CF_PUBLIC(a, bytes); + TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint)); + /* 1b) A += B * s => we should get the correct result */ TEST_MEMORY_COMPARE(a, bytes, x, bytes); if (A.n == B.n && memcmp(A.p, B.p, bytes) == 0) { /* Check when A and B are aliased */ memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint)); + + TEST_CF_SECRET(a, bytes); + TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint)); + TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, a, limbs, *S.p), *cy->p); + + TEST_CF_PUBLIC(a, bytes); + TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint)); + TEST_MEMORY_COMPARE(a, bytes, x, bytes); } @@ -883,12 +916,20 @@ void mpi_core_montmul(int limbs_AN4, int limbs_B4, TEST_EQUAL(working_limbs, limbs_AN * 2 + 1); TEST_EQUAL(0, mbedtls_mpi_grow(&T, working_limbs)); + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + /* Calculate the Montgomery constant (this is unit tested separately) */ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N.p); TEST_EQUAL(0, mbedtls_mpi_grow(&R, limbs_AN)); /* ensure it's got the right number of limbs */ + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_montmul(R.p, A.p, B.p, B.n, N.p, N.n, mm, T.p); + + TEST_CF_PUBLIC(R.p, R.n * sizeof(mbedtls_mpi_uint)); size_t bytes = N.n * sizeof(mbedtls_mpi_uint); TEST_MEMORY_COMPARE(R.p, bytes, X->p, bytes); @@ -896,7 +937,13 @@ void mpi_core_montmul(int limbs_AN4, int limbs_B4, memcpy(R.p, A.p, bytes); + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_montmul(A.p, A.p, B.p, B.n, N.p, N.n, mm, T.p); + + TEST_CF_PUBLIC(A.p, A.n * sizeof(mbedtls_mpi_uint)); TEST_MEMORY_COMPARE(A.p, bytes, X->p, bytes); memcpy(A.p, R.p, bytes); /* restore A */ @@ -905,18 +952,33 @@ void mpi_core_montmul(int limbs_AN4, int limbs_B4, memcpy(R.p, N.p, bytes); + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_montmul(N.p, A.p, B.p, B.n, N.p, N.n, mm, T.p); + + TEST_CF_PUBLIC(N.p, N.n * sizeof(mbedtls_mpi_uint)); TEST_MEMORY_COMPARE(N.p, bytes, X->p, bytes); memcpy(N.p, R.p, bytes); + TEST_CF_PUBLIC(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint)); + if (limbs_AN == limbs_B) { /* Test when A aliased to B (requires A == B on input values) */ if (memcmp(A.p, B.p, bytes) == 0) { /* Test with A aliased to B and output, since this is permitted - * don't bother with yet another test with only A and B aliased */ + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_montmul(B.p, B.p, B.p, B.n, N.p, N.n, mm, T.p); + + TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint)); TEST_MEMORY_COMPARE(B.p, bytes, X->p, bytes); memcpy(B.p, A.p, bytes); /* restore B from equal value A */ @@ -924,7 +986,13 @@ void mpi_core_montmul(int limbs_AN4, int limbs_B4, /* The output may be aliased to B - last test, so we don't save B */ + TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_montmul(B.p, A.p, B.p, B.n, N.p, N.n, mm, T.p); + + TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint)); TEST_MEMORY_COMPARE(B.p, bytes, X->p, bytes); } @@ -1229,14 +1297,24 @@ void mpi_core_exp_mod(char *input_N, char *input_A, TEST_CALLOC(T, working_limbs); + TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint)); + mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T); + TEST_CF_PUBLIC(Y, N_limbs * sizeof(mbedtls_mpi_uint)); + TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint))); - /* Check when output aliased to input */ + TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint)); + TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint)); + /* Check when output aliased to input */ mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T); + TEST_CF_PUBLIC(A, A_limbs * sizeof(mbedtls_mpi_uint)); TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint))); exit: diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data index 807007b5e6..c84a8368cd 100644 --- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data +++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data @@ -6,6 +6,16 @@ ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +# Check coordinates one byte larger than the largest supported curve. +# If we add an even larger curve, this test case will fail in the full +# configuration because mbedtls_ecdsa_raw_to_der() will return 0, and we'll +# need to use larger data for this test case. +ECDSA Raw -> DER, very large input (536-bit) +ecdsa_raw_to_der:536:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA Raw -> DER, very large input (1016-bit) +ecdsa_raw_to_der:1016:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + ECDSA Raw -> DER, 256bit, Null r depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA @@ -58,6 +68,16 @@ ECDSA DER -> Raw, 256bit, Raw buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +# Check coordinates one byte larger than the largest supported curve. +# If we add an even larger curve, this test case will fail in the full +# configuration because mbedtls_ecdsa_der_to_raw() will return 0, and we'll +# need to use larger data for this test case. +ECDSA DER -> Raw, very large input (536-bit) +ecdsa_der_to_raw:536:"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA DER -> Raw, very large input (1016-bit) +ecdsa_der_to_raw:1016:"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + ECDSA DER -> Raw, 256bit, Wrong sequence tag depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG