Enable support for psa opaque DHE-PSK key exchange on the client side

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2025-02-19 18:39:55 +00:00 · 2022-04-19 12:22:38 +02:00 · 2022-04-19 12:22:38 +02:00 · b293aaa61b
commit b293aaa61b
parent b6a0503dda
3 changed files with 22 additions and 28 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5099,7 +5099,8 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) )
    if( ( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
          handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
-          handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) &&
+          handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+          handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) &&
        ssl_use_opaque_psk( ssl ) == 1 )
    {
        /* Perform PSK-to-MS expansion in a single step. */
@ -5134,6 +5135,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
                other_secret = handshake->premaster + 2;
                break;
            case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
                other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
                other_secret = handshake->premaster + 2;
                break;
@ -5383,21 +5385,27 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
    unsigned char *end = p + sizeof( ssl->handshake->premaster );
    const unsigned char *psk = NULL;
    size_t psk_len = 0;
+    int psk_ret = mbedtls_ssl_get_psk( ssl, &psk, &psk_len );

 #if defined(MBEDTLS_USE_PSA_CRYPTO) &&                 \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    (void) key_ex;
 #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */

-    if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
-            == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+    if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
    {
        /*
         * This should never happen because the existence of a PSK is always
-         * checked before calling this function
+         * checked before calling this function.
+         *
+         * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
+         * the the shared secret without PSK.
         */
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        if ( key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
    }

    /*
@ -5458,6 +5466,14 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
        p += 2 + len;

        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+
+        /* For opaque PSK fill premaster with the the shared secret without PSK. */
+        if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "skip PMS generation for opaque DHE-PSK" ) );
+            return( 0 );
+        }
    }
    else
 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@ -3153,12 +3153,6 @@ ecdh_calc_secret:
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
        {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-            /* Opaque PSKs are currently only supported for PSK-only suites. */
-            if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
-                return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
            /*
             * ClientDiffieHellmanPublic public (DHM send G^X mod P)
             */
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1406,22 +1406,6 @@ int main( int argc, char *argv[] )
 #if defined (MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
        if( opt.psk_opaque != 0 )
        {
-            /* Ensure that the chosen ciphersuite is PSK-only, rsa-psk
-               or ecdhe-psk; we must know the ciphersuite in
-               advance to set the correct policy for the
-             * PSK key slot. This limitation might go away in the future. */
-            if( ( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK &&
-                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK &&
-                  ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) ||
-                opt.min_version != MBEDTLS_SSL_MINOR_VERSION_3 )
-            {
-                mbedtls_printf( "opaque PSKs are only supported in conjunction \
-                                 with forcing TLS 1.2 and a PSK-only, RSA-PSK \
-                                 ciphersuites through the 'force_ciphersuite' option.\n" );
-                ret = 2;
-                goto usage;
-            }
-
            /* Determine KDF algorithm the opaque PSK will be used in. */
 #if defined(MBEDTLS_SHA384_C)
            if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )