From c929a82a6bbec9e1af7c538175ce16e4a21b0882 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 14 Jan 2019 03:51:11 -0500 Subject: [PATCH 1/6] Implement tls_prf_generic using the PSA API --- library/ssl_tls.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8fe93141fd..d0fadfdc6c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -54,6 +54,10 @@ #include "mbedtls/oid.h" #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "mbedtls/psa_util.h" +#endif + static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ); static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); @@ -490,6 +494,73 @@ static int tls1_prf( const unsigned char *secret, size_t slen, #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int tls_prf_generic( mbedtls_md_type_t md_type, + const unsigned char *secret, size_t slen, + const char *label, + const unsigned char *random, size_t rlen, + unsigned char *dstbuf, size_t dlen ) +{ + psa_status_t status; + psa_algorithm_t alg; + psa_key_policy_t policy; + psa_key_slot_t master_slot; + psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + + status = mbedtls_psa_get_free_key_slot( &master_slot ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + if( md_type == MBEDTLS_MD_SHA384 ) + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); + else + alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); + + psa_key_policy_init( &policy ); + psa_key_policy_set_usage( &policy, + PSA_KEY_USAGE_DERIVE, + alg ); + status = psa_set_key_policy( master_slot, &policy ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation( &generator, + master_slot, alg, + random, rlen, + (unsigned char const *) label, + (size_t) strlen( label ), + dlen ); + if( status != PSA_SUCCESS ) + { + psa_generator_abort( &generator ); + psa_destroy_key( master_slot ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_generator_read( &generator, dstbuf, dlen ); + if( status != PSA_SUCCESS ) + { + psa_generator_abort( &generator ); + psa_destroy_key( master_slot ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_generator_abort( &generator ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_destroy_key( master_slot ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + return 0; +} + +#else /* MBEDTLS_USE_PSA_CRYPTO */ + static int tls_prf_generic( mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, const char *label, @@ -552,7 +623,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, return( 0 ); } - +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SHA256_C) static int tls_prf_sha256( const unsigned char *secret, size_t slen, const char *label, From 70737ca8275f6339c6c0495e6de6b9ca909c0222 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 14 Jan 2019 05:37:13 -0500 Subject: [PATCH 2/6] ssl_tls: add key destruction upon generator failure --- library/ssl_tls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d0fadfdc6c..cbb3c62a0c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -550,7 +550,10 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, status = psa_generator_abort( &generator ); if( status != PSA_SUCCESS ) + { + psa_destroy_key( master_slot ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } status = psa_destroy_key( master_slot ); if( status != PSA_SUCCESS ) From 33171268196b23a7e00af0b6a492442e4adea31e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 15 Jan 2019 03:25:18 -0500 Subject: [PATCH 3/6] ssl_tls: add missing return brackets --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cbb3c62a0c..86fc260422 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -559,7 +559,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - return 0; + return( 0 ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ From ac5dc3423a87497b3dba34b229067dfc3e2dfa34 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 23 Jan 2019 06:57:34 -0500 Subject: [PATCH 4/6] Fix key allocation for tls_prf_generic --- library/ssl_tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86fc260422..b1bfb6760d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -504,10 +504,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_status_t status; psa_algorithm_t alg; psa_key_policy_t policy; - psa_key_slot_t master_slot; + psa_key_handle_t master_slot; psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; - status = mbedtls_psa_get_free_key_slot( &master_slot ); + if( ( status = psa_allocate_key( PSA_KEY_TYPE_DERIVE, + slen * 8, &master_slot ) ) != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); if( md_type == MBEDTLS_MD_SHA384 ) From 2f76075b784bad194ef920804b356dc8abeec10c Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 28 Jan 2019 08:08:15 -0500 Subject: [PATCH 5/6] ssl_tls: adjust to the new key policy initialization and key allocation --- library/ssl_tls.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b1bfb6760d..8819cf48c5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -507,8 +507,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_key_handle_t master_slot; psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; - if( ( status = psa_allocate_key( PSA_KEY_TYPE_DERIVE, - slen * 8, &master_slot ) ) != PSA_SUCCESS ) + if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -517,7 +516,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, else alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); - psa_key_policy_init( &policy ); + policy = psa_key_policy_init(); psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg ); From 2d4faa6afa1dca88d8b8f226a87da617ce6f1b32 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 29 Jan 2019 03:14:15 -0500 Subject: [PATCH 6/6] ssl_tls: remove redundant status check --- library/ssl_tls.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8819cf48c5..fca03fc833 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -509,8 +509,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + if( md_type == MBEDTLS_MD_SHA384 ) alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); else