From 9f4bb319c956dd5acee0421edbca1c6ef8b31718 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 31 Jan 2022 16:33:47 +0100
Subject: [PATCH 01/15] Implement HKDF extract in TLS 1.3 based on PSA HMAC
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_invasive.h | 5 ++++
 library/ssl_tls13_keys.c | 51 ++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index aa35784010..e3b1dc7c59 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@@ -28,6 +28,11 @@
 #if defined(MBEDTLS_PSA_CRYPTO_C)
+int mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk );
+
 /**
  * \brief Expand the supplied \p prk into several additional pseudorandom
  * keys, which is the output of the HKDF.
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 885dd16fbf..e63f83afb9 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -138,6 +138,57 @@ static void ssl_tls13_hkdf_encode_label(
 #if defined( MBEDTLS_TEST_HOOKS )
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk )
+{
+ unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t prk_len;
+ int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+
+ if( salt == NULL || salt_len == 0 )
+ {
+ size_t hash_len;
+
+ if( salt_len != 0 )
+ {
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ //hash_len = mbedtls_md_get_size( md );
+ hash_len = PSA_HASH_LENGTH( alg );
+
+ if( hash_len == 0 )
+ {
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ salt = null_salt;
+ salt_len = hash_len;
+ }
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
+
+ ret = psa_import_key( &attributes, salt, salt_len, &key );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ ret = psa_mac_compute( key, alg, ikm, ikm_len, prk, PSA_HASH_LENGTH( alg ), &prk_len );
+
+cleanup:
+ psa_destroy_key( key );
+
+ return( ret );
+}
+
 MBEDTLS_STATIC_TESTABLE
 psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg,
 const unsigned char *prk, size_t prk_len,
From 73cb6f54de0ddb65a621ed8cb4b1a3e8cd89a5b6 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 31 Jan 2022 16:35:50 +0100
Subject: [PATCH 02/15] Add tests for mbedtls_psa_hkdf_extrct The tests are based on the the test of mbedtls_hkdf_extract.
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_ssl.data | 31 +++++++++++++++
 tests/suites/test_suite_ssl.function | 58 ++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index eb1b8f44e8..6f89695238 100644
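Review bot: `alg` is validated only on the empty-salt path, where `PSA_HASH_LENGTH( alg ) == 0` rejects it; when the caller supplies a salt, any `alg` value is copied into the key attributes and handed to `psa_import_key` / `psa_mac_compute`, so the error a non-HMAC algorithm produces is left to the PSA implementation. A guard at the top of `mbedtls_psa_hkdf_extract`, for example `if( ! PSA_ALG_IS_HMAC( alg ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, would make both paths reject bad input the same way before any key is created. It would also help to put a one-line comment on the `salt == NULL || salt_len == 0` branch saying that a NULL salt with a non-zero length is treated as a caller error, since the nested `if( salt_len != 0 )` is easy to misread.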
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -4392,6 +4392,37 @@ SSL TLS 1.3 Key schedule: Secret evolution #3
 # Handshake secret to Master Secret
 ssl_tls13_key_evolution:MBEDTLS_MD_SHA256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d"
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Extract
+depends_on:PSA_WANT_ALG_SHA_256
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #2 Extract
+depends_on:PSA_WANT_ALG_SHA_256
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_256):"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #3 Extract
+depends_on:PSA_WANT_ALG_SHA_256
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #4 Extract
+depends_on:PSA_WANT_ALG_SHA_1
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #5 Extract
+depends_on:PSA_WANT_ALG_SHA_1
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"8adae09a2a307059478d309b26c4115a224cfaf6"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #6 Extract
+depends_on:PSA_WANT_ALG_SHA_1
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"
+
+SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #7 Extract
+depends_on:PSA_WANT_ALG_SHA_1
+psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
+
+SSL TLS 1.3 Key schedule: HKDF extract fails with hash_len of 0
+psa_hkdf_extract_ret:0:MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+
 SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Expand
 depends_on:PSA_WANT_ALG_SHA_256
 psa_hkdf_expand:PSA_ALG_HMAC(PSA_ALG_SHA_256):"f0f1f2f3f4f5f6f7f8f9":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index cb66f3afc8..0122d46e5c 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3806,6 +3806,64 @@ exit:
 }
 /* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
+void psa_hkdf_extract( int alg, char *hex_ikm_string,
+ char *hex_salt_string, char *hex_prk_string )
+{
+ unsigned char *ikm = NULL;
+ unsigned char *salt = NULL;
+ unsigned char *prk = NULL;
+ unsigned char *output_prk = NULL;
+ size_t ikm_len, salt_len, prk_len, output_prk_len;
+
+ output_prk_len = PSA_HASH_LENGTH( alg );
+ output_prk = mbedtls_calloc( 1, output_prk_len );
+
+ ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
+ salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
+ prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
+
+ PSA_ASSERT( psa_crypto_init() );
+ PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt, salt_len,
+ ikm, ikm_len, output_prk ) );
+
+ ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
+
+exit:
+ mbedtls_free(ikm);
+ mbedtls_free(salt);
+ mbedtls_free(prk);
+ mbedtls_free(output_prk);
+
+ PSA_DONE( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
+void psa_hkdf_extract_ret( int hash_len, int ret )
+{
+ int output_ret;
+ unsigned char *salt = NULL;
+ unsigned char *ikm = NULL;
+ unsigned char *prk = NULL;
+ size_t salt_len, ikm_len;
+
+ prk = mbedtls_calloc( PSA_MAC_MAX_SIZE, 1 );
+ salt_len = hash_len;
+ ikm_len = 0;
+
+ PSA_ASSERT( psa_crypto_init() );
+ output_ret = mbedtls_psa_hkdf_extract( 0, salt, salt_len,
+ ikm, ikm_len, prk );
+ TEST_ASSERT( output_ret == ret );
+
+exit:
+ mbedtls_free(prk);
+
+ PSA_DONE( );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
 void psa_hkdf_expand( int alg, char *hex_info_string,
 char *hex_prk_string, char *hex_okm_string )
From 62bf024025b13a122c5e73e60bbcba4b2182a294 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:12:07 +0100
Subject: [PATCH 03/15] Make the mbedtls_psa_hkdf_extract function more PSA compatible Change the return value to `psa_status_t`. Add `prk_size` and `prk_len` parameters.
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_invasive.h | 9 +++++----
 library/ssl_tls13_keys.c | 14 +++++++-------
 tests/suites/test_suite_ssl.function | 17 +++++++++++------
 3 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index e3b1dc7c59..9f30c4aa0f 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@@ -28,10 +28,11 @@
 #if defined(MBEDTLS_PSA_CRYPTO_C)
-int mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
- const unsigned char *salt, size_t salt_len,
- const unsigned char *ikm, size_t ikm_len,
- unsigned char *prk );
+psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk, size_t prk_size,
+ size_t *prk_len );
 /**
  * \brief Expand the supplied \p prk into several additional pseudorandom
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index e63f83afb9..ad794e62ed 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -139,16 +139,16 @@ static void ssl_tls13_hkdf_encode_label(
 #if defined( MBEDTLS_TEST_HOOKS )
 MBEDTLS_STATIC_TESTABLE
-int mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
- const unsigned char *salt, size_t salt_len,
- const unsigned char *ikm, size_t ikm_len,
- unsigned char *prk )
+psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk, size_t prk_size,
+ size_t *prk_len )
 {
 unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- size_t prk_len;
- int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ psa_status_t ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
 if( salt == NULL || salt_len == 0 )
 {
@@ -181,7 +181,7 @@ int mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 goto cleanup;
 }
- ret = psa_mac_compute( key, alg, ikm, ikm_len, prk, PSA_HASH_LENGTH( alg ), &prk_len );
+ ret = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
 cleanup:
 psa_destroy_key( key );
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 0122d46e5c..c8b70a39d8 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3814,10 +3814,10 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 unsigned char *salt = NULL;
 unsigned char *prk = NULL;
 unsigned char *output_prk = NULL;
- size_t ikm_len, salt_len, prk_len, output_prk_len;
+ size_t ikm_len, salt_len, prk_len, output_prk_size, output_prk_len;
- output_prk_len = PSA_HASH_LENGTH( alg );
- output_prk = mbedtls_calloc( 1, output_prk_len );
+ output_prk_size = PSA_HASH_LENGTH( alg );
+ output_prk = mbedtls_calloc( 1, output_prk_size );
 ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
 salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
@@ -3825,7 +3825,9 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 PSA_ASSERT( psa_crypto_init() );
 PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt, salt_len,
- ikm, ikm_len, output_prk ) );
+ ikm, ikm_len,
+ output_prk, output_prk_size,
+ &output_prk_len ) );
 ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
@@ -3846,16 +3848,19 @@ void psa_hkdf_extract_ret( int hash_len, int ret )
 unsigned char *salt = NULL;
 unsigned char *ikm = NULL;
 unsigned char *prk = NULL;
- size_t salt_len, ikm_len;
+ size_t salt_len, ikm_len, prk_len;
 prk = mbedtls_calloc( PSA_MAC_MAX_SIZE, 1 );
 salt_len = hash_len;
 ikm_len = 0;
+ prk_len = 0;
 PSA_ASSERT( psa_crypto_init() );
 output_ret = mbedtls_psa_hkdf_extract( 0, salt, salt_len,
- ikm, ikm_len, prk );
+ ikm, ikm_len,
+ prk, PSA_MAC_MAX_SIZE, &prk_len );
 TEST_ASSERT( output_ret == ret );
+ TEST_ASSERT( prk_len == 0 );
 exit:
 mbedtls_free(prk);
From b1f53976eede92802153e8a6e858d670dbd839fb Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:18:16 +0100
Subject: [PATCH 04/15] Add documentation for mbedtls_psa_hkdf_extract
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_invasive.h | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index 9f30c4aa0f..5a9d536b9e 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
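Review bot: The `prk_size` bound introduced by this commit is never exercised with a buffer that is too small: `psa_hkdf_extract` passes `PSA_HASH_LENGTH( alg )` and `psa_hkdf_extract_ret` passes `PSA_MAC_MAX_SIZE`, both large enough for any result. Since the point of the new parameter is to stop the function writing past the caller's buffer, a negative case that calls `mbedtls_psa_hkdf_extract` with `prk_size` one byte short of the hash length and asserts a failure status (presumably `PSA_ERROR_BUFFER_TOO_SMALL` from `psa_mac_compute`; confirm) would pin that behaviour. Both test functions start and end outside these hunks.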
@@ -28,6 +28,28 @@
 #if defined(MBEDTLS_PSA_CRYPTO_C)
+/**
+ * \brief Take the input keying material \p ikm and extract from it a
+ * fixed-length pseudorandom key \p prk.
+ *
+ * \param alg A hash function.
+ * \param salt An optional salt value (a non-secret random value);
+ * if the salt is not provided, a string of all zeros
+ * of the length of the hash provided by \p alg is used
+ * as the salt.
+ * \param salt_len The length in bytes of the optional \p salt.
+ * \param ikm The input keying material.
+ * \param ikm_len The length in bytes of \p ikm.
+ * \param[out] prk A pseudorandom key of \p prk_len bytes.
+ * \param prk_size Size of the \p prk buffer in bytes.
+ * \param[out] prk_len On success, the length in bytes of the
+ * pseudorandom key in \p prk.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ * \return An PSA_ERROR_* error for errors returned from the underlying
+ * PSA layer.
+ */
 psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 const unsigned char *salt, size_t salt_len,
 const unsigned char *ikm, size_t ikm_len,
From 89c1a95f8f6f7281e9223fd0b59f8663f270658c Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:19:05 +0100
Subject: [PATCH 05/15] Delete leftover code
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_keys.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index ad794e62ed..429d1241c3 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -159,7 +159,6 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 }
- //hash_len = mbedtls_md_get_size( md );
 hash_len = PSA_HASH_LENGTH( alg );
 if( hash_len == 0 )
From 298a2d6109acbaec2b97ad6ff2ec2fe8f553b1f5 Mon Sep 17 00:00:00 2001
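Review bot: The `\param[out] prk` and `\param prk_size` entries in the new doc comment do not say how large the buffer has to be or what `prk` contains when the call fails, which is what a caller handling key material most needs to know. Suggested wording: `\param prk_size Size of the \p prk buffer in bytes; this must be at least PSA_HASH_LENGTH(\p alg).`, plus a sentence stating that the contents of `prk` must not be used when the function returns an error, if that is the intended contract. The `\param salt` text also describes the salt as "a non-secret random value"; if the TLS 1.3 key-schedule callers pass a derived secret as the salt (not visible in this hunk), that description should be softened so the argument is not treated as safe to log.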
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:21:39 +0100
Subject: [PATCH 06/15] Use ASSERT_ALLOC Change the calloc functions to ASSERT_ALLOC to check the return value of calloc as well.
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_hkdf.function | 4 ++--
 tests/suites/test_suite_ssl.function | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/suites/test_suite_hkdf.function b/tests/suites/test_suite_hkdf.function
index feb17174e5..1e112ba727 100644
--- a/tests/suites/test_suite_hkdf.function
+++ b/tests/suites/test_suite_hkdf.function
@@ -44,7 +44,7 @@ void test_hkdf_extract( int md_alg, char *hex_ikm_string,
 TEST_ASSERT( md != NULL );
 output_prk_len = mbedtls_md_get_size( md );
- output_prk = mbedtls_calloc( 1, output_prk_len );
+ ASSERT_ALLOC( output_prk, output_prk_len );
 ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
 salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
@@ -113,7 +113,7 @@ void test_hkdf_extract_ret( int hash_len, int ret )
 fake_md_info.type = MBEDTLS_MD_NONE;
 fake_md_info.size = hash_len;
- prk = mbedtls_calloc( MBEDTLS_MD_MAX_SIZE, 1 );
+ ASSERT_ALLOC( prk, MBEDTLS_MD_MAX_SIZE);
 salt_len = 0;
 ikm_len = 0;
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c8b70a39d8..7149840a00 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3817,7 +3817,7 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 size_t ikm_len, salt_len, prk_len, output_prk_size, output_prk_len;
 output_prk_size = PSA_HASH_LENGTH( alg );
- output_prk = mbedtls_calloc( 1, output_prk_size );
+ ASSERT_ALLOC( output_prk, output_prk_size );
 ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
 salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
@@ -3850,8 +3850,8 @@ void psa_hkdf_extract_ret( int hash_len, int ret )
 unsigned char *prk = NULL;
 size_t salt_len, ikm_len, prk_len;
- prk = mbedtls_calloc( PSA_MAC_MAX_SIZE, 1 );
 salt_len = hash_len;
+ ASSERT_ALLOC( prk, PSA_MAC_MAX_SIZE);
 ikm_len = 0;
 prk_len = 0;
From ebc9368173aa42c1bdffcc87f523f613539c32ef Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:06:35 +0100
Subject: [PATCH 07/15] typo
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_ssl.function | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 7149840a00..c01204e179 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3832,10 +3832,10 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
 exit:
- mbedtls_free(ikm);
- mbedtls_free(salt);
- mbedtls_free(prk);
- mbedtls_free(output_prk);
+ mbedtls_free( ikm );
+ mbedtls_free( salt );
+ mbedtls_free( prk );
+ mbedtls_free( output_prk );
 PSA_DONE( );
 }
@@ -3863,7 +3863,7 @@ void psa_hkdf_extract_ret( int hash_len, int ret )
 TEST_ASSERT( prk_len == 0 );
 exit:
- mbedtls_free(prk);
+ mbedtls_free( prk );
 PSA_DONE( );
 }
From 5d7d201b87605436158c43052dc2170361b18f8a Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Mon, 7 Feb 2022 18:23:18 +0100
Subject: [PATCH 08/15] Update test Testing the hash length in this context is not applicable because there is no way to specify it when calling mbedtls_psa_hkdf_extract. Change to test invalid `alg` parameter.
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_ssl.data | 2 +-
 tests/suites/test_suite_ssl.function | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 6f89695238..9e189a3359 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -4420,7 +4420,7 @@ SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #7 Extract
 depends_on:PSA_WANT_ALG_SHA_1
 psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
-SSL TLS 1.3 Key schedule: HKDF extract fails with hash_len of 0
+SSL TLS 1.3 Key schedule: HKDF extract fails with wrong hash alg
 psa_hkdf_extract_ret:0:MBEDTLS_ERR_SSL_BAD_INPUT_DATA
 SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Expand
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c01204e179..c35e2433d4 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3842,7 +3842,7 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_extract_ret( int hash_len, int ret )
+void psa_hkdf_extract_ret( int alg, int ret )
 {
 int output_ret;
 unsigned char *salt = NULL;
@@ -3850,13 +3850,13 @@ void psa_hkdf_extract_ret( int hash_len, int ret )
 unsigned char *prk = NULL;
 size_t salt_len, ikm_len, prk_len;
- salt_len = hash_len;
 ASSERT_ALLOC( prk, PSA_MAC_MAX_SIZE);
+ salt_len = 0;
 ikm_len = 0;
 prk_len = 0;
 PSA_ASSERT( psa_crypto_init() );
- output_ret = mbedtls_psa_hkdf_extract( 0, salt, salt_len,
+ output_ret = mbedtls_psa_hkdf_extract( alg, salt, salt_len,
 ikm, ikm_len,
 prk, PSA_MAC_MAX_SIZE, &prk_len );
 TEST_ASSERT( output_ret == ret );
From c5efb8e58bcfe3adfc457bcc5d53b798830f3788 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 8 Feb 2022 13:15:45 +0100
Subject: [PATCH 09/15] Use PSA error code
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_invasive.h | 2 +-
 library/ssl_tls13_keys.c | 6 +++---
 tests/suites/test_suite_ssl.data | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index 5a9d536b9e..1008b2d212 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
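Review bot: Hard-coding `salt_len = 0` in `psa_hkdf_extract_ret` means the data file can no longer reach the rejection of a NULL salt with a non-zero `salt_len` in `mbedtls_psa_hkdf_extract`; the single remaining case only covers `alg == 0` with an empty salt. Keeping a length argument next to the new `alg` one, `void psa_hkdf_extract_ret( int alg, int salt_len, int ret )`, would let the data file cover both invalid-argument returns. The signature is changed in the preceding hunk of this file and the function body extends beyond this one.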
@@ -46,7 +46,7 @@
  * pseudorandom key in \p prk.
  *
  * \return 0 on success.
- * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid.
  * \return An PSA_ERROR_* error for errors returned from the underlying
  * PSA layer.
  */
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 429d1241c3..aee2a8565f 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -148,7 +148,7 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ psa_status_t ret = PSA_ERROR_CORRUPTION_DETECTED;
 if( salt == NULL || salt_len == 0 )
 {
@@ -156,14 +156,14 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 if( salt_len != 0 )
 {
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ return( PSA_ERROR_INVALID_ARGUMENT );
 }
 hash_len = PSA_HASH_LENGTH( alg );
 if( hash_len == 0 )
 {
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ return( PSA_ERROR_INVALID_ARGUMENT );
 }
 salt = null_salt;
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 9e189a3359..0c6e3133ef 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -4421,7 +4421,7 @@ depends_on:PSA_WANT_ALG_SHA_1
 psa_hkdf_extract:PSA_ALG_HMAC(PSA_ALG_SHA_1):"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
 SSL TLS 1.3 Key schedule: HKDF extract fails with wrong hash alg
-psa_hkdf_extract_ret:0:MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+psa_hkdf_extract_ret:0:PSA_ERROR_INVALID_ARGUMENT
 SSL TLS 1.3 Key schedule: HKDF RFC5869 Test Vector #1 Expand
 depends_on:PSA_WANT_ALG_SHA_256
From 320d21cecf398332f985374dbf814e8084e60606 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Wed, 9 Feb 2022 17:25:43 +0100
Subject: [PATCH 10/15] Update documentation
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_invasive.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
index 1008b2d212..a025dbee3d 100644
--- a/library/ssl_tls13_invasive.h
+++ b/library/ssl_tls13_invasive.h
@@ -32,7 +32,10 @@
  * \brief Take the input keying material \p ikm and extract from it a
  * fixed-length pseudorandom key \p prk.
  *
- * \param alg A hash function.
+ * \param alg The HMAC algorithm to use
+ * (\c #PSA_ALG_HMAC( PSA_ALG_XXX ) value such that
+ * PSA_ALG_XXX is a hash algorithm and
+ * #PSA_ALG_IS_HMAC(\p alg) is true).
  * \param salt An optional salt value (a non-secret random value);
  * if the salt is not provided, a string of all zeros
  * of the length of the hash provided by \p alg is used
From 26c6741c58abf11bdd83a439bf017e25b0bce319 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 15 Feb 2022 15:46:17 +0100
Subject: [PATCH 11/15] Add better name for variable.
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_keys.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index aee2a8565f..ab74eb5db6 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -148,7 +148,7 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' };
 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_status_t ret = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 if( salt == NULL || salt_len == 0 )
 {
@@ -174,18 +174,18 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 psa_set_key_algorithm( &attributes, alg );
 psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
- ret = psa_import_key( &attributes, salt, salt_len, &key );
- if( PSA_SUCCESS != ret )
+ status = psa_import_key( &attributes, salt, salt_len, &key );
+ if( status != PSA_SUCCESS )
 {
 goto cleanup;
 }
- ret = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
+ status = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
 cleanup:
 psa_destroy_key( key );
- return( ret );
+ return( status );
 }
 MBEDTLS_STATIC_TESTABLE
From 0e7c6f4961a7f461224eeba7890c01b308052571 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 15 Feb 2022 15:47:54 +0100
Subject: [PATCH 12/15] Check return value of psa_destroy_key
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_keys.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index ab74eb5db6..25a1b50862 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -149,6 +149,7 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED;
 if( salt == NULL || salt_len == 0 )
 {
@@ -183,9 +184,9 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 status = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len );
 cleanup:
- psa_destroy_key( key );
+ destroy_status = psa_destroy_key( key );
- return( status );
+ return( ( status == PSA_SUCCESS ) ? destroy_status : status );
 }
 MBEDTLS_STATIC_TESTABLE
From d860e0f18b19770a2496189be1a78dab4450e841 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 15 Feb 2022 16:02:59 +0100
Subject: [PATCH 13/15] Add comment
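Review bot: When `psa_mac_compute` succeeds and `psa_destroy_key` then fails, the new return expression in the `@@ -183,9 +184,9 @@` hunk reports an error while `prk` still holds the freshly derived key and `*prk_len` its length. A caller that treats any non-success status as "no output produced" would leave that key material sitting in its buffer. Consider clearing the output on that path before returning, e.g. `if( status == PSA_SUCCESS && destroy_status != PSA_SUCCESS ) { mbedtls_platform_zeroize( prk, prk_size ); *prk_len = 0; }`, assuming `mbedtls_platform_zeroize` is reachable from this file. The function body starts outside this hunk.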
Signed-off-by: Gabor Mezei
---
 library/ssl_tls13_keys.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 25a1b50862..d135afc865 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -167,6 +167,8 @@ psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t alg,
 return( PSA_ERROR_INVALID_ARGUMENT );
 }
+ /* salt_len <= sizeof( salt ) because
+ PSA_HASH_LENGTH( alg ) <= PSA_MAC_MAX_SIZE. */
 salt = null_salt;
 salt_len = hash_len;
 }
From 4fded1359a9cb4f2d8605b8ae3fbd447cc4043a8 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 15 Feb 2022 16:35:23 +0100
Subject: [PATCH 14/15] Use PSA_INIT()
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_ssl.function | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c35e2433d4..97f25e16ef 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3816,6 +3816,8 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 unsigned char *output_prk = NULL;
 size_t ikm_len, salt_len, prk_len, output_prk_size, output_prk_len;
+ PSA_INIT( );
+
 output_prk_size = PSA_HASH_LENGTH( alg );
 ASSERT_ALLOC( output_prk, output_prk_size );
@@ -3823,7 +3825,6 @@ void psa_hkdf_extract( int alg, char *hex_ikm_string,
 salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
 prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
- PSA_ASSERT( psa_crypto_init() );
 PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt, salt_len,
 ikm, ikm_len,
 output_prk, output_prk_size,
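Review bot: The comment added in the `@@ -167,6 +167,8 @@` hunk cites `sizeof( salt )`, but `salt` is the `const unsigned char *` parameter, so that expression is the size of a pointer; the buffer the bound protects is the local `null_salt[PSA_MAC_MAX_SIZE]` array, declared outside this hunk. Suggested text: `/* salt_len <= sizeof( null_salt ) because PSA_HASH_LENGTH( alg ) <= PSA_MAC_MAX_SIZE. */`. This invariant is what keeps `psa_import_key` from reading past `null_salt`, so the name should be exact for a later reader to be able to check it.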
@@ -3850,12 +3851,13 @@ void psa_hkdf_extract_ret( int alg, int ret )
 unsigned char *prk = NULL;
 size_t salt_len, ikm_len, prk_len;
+ PSA_INIT( );
+
 ASSERT_ALLOC( prk, PSA_MAC_MAX_SIZE);
 salt_len = 0;
 ikm_len = 0;
 prk_len = 0;
- PSA_ASSERT( psa_crypto_init() );
 output_ret = mbedtls_psa_hkdf_extract( alg, salt, salt_len,
 ikm, ikm_len,
 prk, PSA_MAC_MAX_SIZE, &prk_len );
From 88f3b2e5025521e67ba2422b9217acaae45c66a9 Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Wed, 16 Mar 2022 16:53:23 +0100
Subject: [PATCH 15/15] Update old style test function parameter handling Use data_t type for hex string parameters.
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_hkdf.function | 48 +++++++++----------------
 tests/suites/test_suite_ssl.function | 50 +++++++++------------------
 2 files changed, 34 insertions(+), 64 deletions(-)
diff --git a/tests/suites/test_suite_hkdf.function b/tests/suites/test_suite_hkdf.function
index 1e112ba727..1ad6f3d4f3 100644
--- a/tests/suites/test_suite_hkdf.function
+++ b/tests/suites/test_suite_hkdf.function
@@ -30,15 +30,14 @@ void test_hkdf( int md_alg, data_t *ikm, data_t *salt, data_t *info,
 /* END_CASE */
 /* BEGIN_CASE */
-void test_hkdf_extract( int md_alg, char *hex_ikm_string,
- char *hex_salt_string, char *hex_prk_string )
+void test_hkdf_extract( int md_alg,
+ data_t *ikm,
+ data_t *salt,
+ data_t *prk )
 {
 int ret;
- unsigned char *ikm = NULL;
- unsigned char *salt = NULL;
- unsigned char *prk = NULL;
 unsigned char *output_prk = NULL;
- size_t ikm_len, salt_len, prk_len, output_prk_len;
+ size_t output_prk_len;
 const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
 TEST_ASSERT( md != NULL );
@@ -46,55 +45,42 @@ void test_hkdf_extract( int md_alg, char *hex_ikm_string,
 output_prk_len = mbedtls_md_get_size( md );
 ASSERT_ALLOC( output_prk, output_prk_len );
- ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
- salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
- prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
-
- ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, output_prk );
+ ret = mbedtls_hkdf_extract( md, salt->x, salt->len,
+ ikm->x, ikm->len, output_prk );
 TEST_ASSERT( ret == 0 );
- ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
+ ASSERT_COMPARE( output_prk, output_prk_len, prk->x, prk->len );
 exit:
- mbedtls_free(ikm);
- mbedtls_free(salt);
- mbedtls_free(prk);
 mbedtls_free(output_prk);
 }
 /* END_CASE */
 /* BEGIN_CASE */
-void test_hkdf_expand( int md_alg, char *hex_info_string,
- char *hex_prk_string, char *hex_okm_string )
+void test_hkdf_expand( int md_alg,
+ data_t *info,
+ data_t *prk,
+ data_t *okm )
 {
 enum { OKM_LEN = 1024 };
 int ret;
- unsigned char *info = NULL;
- unsigned char *prk = NULL;
- unsigned char *okm = NULL;
 unsigned char *output_okm = NULL;
- size_t info_len, prk_len, okm_len;
 const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
 TEST_ASSERT( md != NULL );
 ASSERT_ALLOC( output_okm, OKM_LEN );
- prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
- info = mbedtls_test_unhexify_alloc( hex_info_string, &info_len );
- okm = mbedtls_test_unhexify_alloc( hex_okm_string, &okm_len );
- TEST_ASSERT( prk_len == mbedtls_md_get_size( md ) );
- TEST_ASSERT( okm_len < OKM_LEN );
+ TEST_ASSERT( prk->len == mbedtls_md_get_size( md ) );
+ TEST_ASSERT( okm->len < OKM_LEN );
- ret = mbedtls_hkdf_expand( md, prk, prk_len, info, info_len,
+ ret = mbedtls_hkdf_expand( md, prk->x, prk->len,
+ info->x, info->len,
 output_okm, OKM_LEN );
 TEST_ASSERT( ret == 0 );
- ASSERT_COMPARE( output_okm, okm_len, okm, okm_len );
+ ASSERT_COMPARE( output_okm, okm->len, okm->x, okm->len );
 exit:
- mbedtls_free(info);
- mbedtls_free(prk);
- mbedtls_free(okm);
 mbedtls_free(output_okm);
 }
 /* END_CASE */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 97f25e16ef..65f6445b6f 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3807,35 +3807,27 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_extract( int alg, char *hex_ikm_string,
- char *hex_salt_string, char *hex_prk_string )
+void psa_hkdf_extract( int alg,
+ data_t *ikm,
+ data_t *salt,
+ data_t *prk )
 {
- unsigned char *ikm = NULL;
- unsigned char *salt = NULL;
- unsigned char *prk = NULL;
 unsigned char *output_prk = NULL;
- size_t ikm_len, salt_len, prk_len, output_prk_size, output_prk_len;
+ size_t output_prk_size, output_prk_len;
 PSA_INIT( );
 output_prk_size = PSA_HASH_LENGTH( alg );
 ASSERT_ALLOC( output_prk, output_prk_size );
- ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
- salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
- prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
-
- PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt, salt_len,
- ikm, ikm_len,
+ PSA_ASSERT( mbedtls_psa_hkdf_extract( alg, salt->x, salt->len,
+ ikm->x, ikm->len,
 output_prk, output_prk_size,
 &output_prk_len ) );
- ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
+ ASSERT_COMPARE( output_prk, output_prk_len, prk->x, prk->len );
 exit:
- mbedtls_free( ikm );
- mbedtls_free( salt );
- mbedtls_free( prk );
 mbedtls_free( output_prk );
 PSA_DONE( );
@@ -3872,35 +3864,27 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3 */
-void psa_hkdf_expand( int alg, char *hex_info_string,
- char *hex_prk_string, char *hex_okm_string )
+void psa_hkdf_expand( int alg,
+ data_t *info,
+ data_t *prk,
+ data_t *okm )
 {
 enum { OKM_LEN = 1024 };
- unsigned char *info = NULL;
- unsigned char *prk = NULL;
- unsigned char *okm = NULL;
 unsigned char *output_okm = NULL;
- size_t info_len, prk_len, okm_len;
 PSA_INIT( );
 ASSERT_ALLOC( output_okm, OKM_LEN );
+ TEST_ASSERT( prk->len == PSA_HASH_LENGTH( alg ) );
+ TEST_ASSERT( okm->len < OKM_LEN );
- prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
- info = mbedtls_test_unhexify_alloc( hex_info_string, &info_len );
- okm = mbedtls_test_unhexify_alloc( hex_okm_string, &okm_len );
- TEST_ASSERT( prk_len == PSA_HASH_LENGTH( alg ) );
- TEST_ASSERT( okm_len < OKM_LEN );
-
- PSA_ASSERT( mbedtls_psa_hkdf_expand( alg, prk, prk_len, info, info_len,
+ PSA_ASSERT( mbedtls_psa_hkdf_expand( alg, prk->x, prk->len,
+ info->x, info->len,
 output_okm, OKM_LEN ) );
- ASSERT_COMPARE( output_okm, okm_len, okm, okm_len );
+ ASSERT_COMPARE( output_okm, okm->len, okm->x, okm->len );
 exit:
- mbedtls_free( info );
- mbedtls_free( prk );
- mbedtls_free( okm );
 mbedtls_free( output_okm );
 PSA_DONE( );