From be3ffba33db8eec8e61d661bd2d33460455b8e41 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 16 Nov 2018 15:21:18 +0000
Subject: [PATCH 1/8] Setup PSA-based cipher context in mbedtls_ssl_derive_keys()
This commit changes the code path in mbedtls_ssl_derive_keys() responsible for setting up record protection cipher contexts to attempt to use the new API mbedtls_cipher_setup_psa() in case MBEDTLS_USE_PSA_CRYPTO is set. For that, the AEAD tag length must be provided, which is already computed earlier in mbedtls_ssl_derive_keys() and only needs to be stored a function scope to be available for mbedtls_cipher_setup_psa(). If mbedtls_cipher_setup_psa() fails cleanly indicating that the requested cipher is not supported in PSA, we fall through to the default setup using mbedtls_cipher_setup(). However, we print a debug message in this case, to allow catching the fallthrough in tests where we know we're using a cipher which should be supported by PSA.
---
 library/ssl_tls.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 82e65251f..acfb3de82 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -618,6 +618,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 unsigned char *mac_dec;
 size_t mac_key_len;
 size_t iv_copy_len;
+ size_t taglen = 0;
 const mbedtls_cipher_info_t *cipher_info;
 const mbedtls_md_info_t *md_info;
@@ -810,7 +811,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 cipher_info->mode == MBEDTLS_MODE_CCM ||
 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
 {
- size_t taglen, explicit_ivlen;
+ size_t explicit_ivlen;
 transform->maclen = 0;
 mac_key_len = 0;
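Review bot: `size_t taglen = 0;` is now read for every cipher mode, but only the AEAD branch at @@ -810 assigns it, so for CBC suites the later mbedtls_cipher_setup_psa() call receives a tag length of 0 without that contract being stated where the variable lives. A comment at the declaration, `size_t taglen = 0; /* AEAD tag length; stays 0 for non-AEAD ciphers */`, makes the intent visible to the next reader of the AEAD branch. mbedtls_ssl_derive_keys() starts before and ends after both hunks.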
@@ -1030,6 +1031,22 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 }
 #endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
+ cipher_info, taglen );
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
+ return( ret );
+ }
+
+ if( ret == 0 )
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
+ else
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
+
+ if( ret != 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
 cipher_info ) ) != 0 )
 {
@@ -1037,6 +1054,23 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 return( ret );
 }
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
+ cipher_info, taglen );
+
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
+ return( ret );
+ }
+
+ if( ret == 0 )
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
+ else
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
+
+ if( ret != 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
 cipher_info ) ) != 0 )
 {
From 2dd04907e2dd6f4e403856b62eede1e7bc14efba Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 16 Nov 2018 17:27:29 +0000
Subject: [PATCH 2/8] Omit tests from ssl-opt.sh which force a disabled ciphersuite
---
 tests/ssl-opt.sh | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ce9aee28a..2e2f4f1ab 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -185,6 +185,12 @@ requires_config_value_at_most() {
 fi
 }
+requires_ciphersuite_enabled() {
+ if [ -z "$($P_CLI --help | grep "$1")" ]; then
+ SKIP_NEXT="YES"
+ fi
+}
+
 # skip next test if OpenSSL doesn't support FALLBACK_SCSV
 requires_openssl_with_fallback_scsv() {
 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@@ -519,14 +525,6 @@ run_test() {
 SKIP_NEXT="YES"
 fi
- # should we skip?
- if [ "X$SKIP_NEXT" = "XYES" ]; then
- SKIP_NEXT="NO"
- echo "SKIP"
- SKIPS=$(( $SKIPS + 1 ))
- return
- fi
-
 # does this test use a proxy?
 if [ "X$1" = "X-p" ]; then
 PXY_CMD="$2"
@@ -541,6 +539,26 @@ run_test() {
 CLI_EXPECT="$3"
 shift 3
+ # Check if server forces ciphersuite
+ FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
+ if [ ! -z "$FORCE_CIPHERSUITE" ]; then
+ requires_ciphersuite_enabled $FORCE_CIPHERSUITE
+ fi
+
+ # Check if client forces ciphersuite
+ FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
+ if [ ! -z "$FORCE_CIPHERSUITE" ]; then
+ requires_ciphersuite_enabled $FORCE_CIPHERSUITE
+ fi
+
+ # should we skip?
+ if [ "X$SKIP_NEXT" = "XYES" ]; then
+ SKIP_NEXT="NO"
+ echo "SKIP"
+ SKIPS=$(( $SKIPS + 1 ))
+ return
+ fi
+
 # fix client port
 if [ -n "$PXY_CMD" ]; then
 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
From f43177d1d07e1cc013bb9583ef13a3be4f168bac Mon Sep 17 00:00:00 2001
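Review bot: `grep "$1"` in requires_ciphersuite_enabled is an unanchored substring match over the whole help text, so a suite whose name is a prefix of another enabled one (TLS-ECDHE-ECDSA-WITH-AES-128-CCM against TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8, both run in patch 3) is reported as enabled even when only the longer name is compiled in, and a $P_CLI that cannot be executed also yields an empty string and skips silently. If the help output separates suite names by whitespace (not visible here), anchoring the token, e.g. `if ! $P_CLI --help | grep -q -E "(^|[[:space:]])$1([[:space:]]|$)"; then`, closes the prefix case. The function is also the only `requires_*` helper in the hunk without the file's one-line header comment; `# skip next test if the ciphersuite given as $1 is not compiled into ssl_client2` matches the neighbouring style.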
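Review bot: In the @@ -541 hunk the forced suite is passed unquoted, `requires_ciphersuite_enabled $FORCE_CIPHERSUITE`, and tested with `[ ! -z ... ]`; `[ -n "$FORCE_CIPHERSUITE" ]` and `requires_ciphersuite_enabled "$FORCE_CIPHERSUITE"` are the idiomatic forms and keep the value intact should a future option value contain shell metacharacters. Both the server and the client command are checked against the client binary's help output only, which is fine while ssl_server2 and ssl_client2 are built from the same config but is worth a comment at the server check, e.g. `# server and client binaries share the ciphersuite list, so ssl_client2's help is authoritative for both`. Moving the SKIP_NEXT test below the argument parsing is what lets these checks run, and the pure-deletion hunk at @@ -519 is the other half of that move; run_test() continues outside the hunk.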
From: Hanno Becker
Date: Fri, 16 Nov 2018 17:28:40 +0000
Subject: [PATCH 3/8] Add runs for specific PSA-supported ciphersuites to ssl-opt.sh
So far, make sure we test the following ciphersuites without any fallback to non-PSA ciphers: TLS-ECDHE-ECDSA-WITH-AES-128-CCM TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 TLS-ECDHE-ECDSA-WITH-AES-256-CCM TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
---
 tests/ssl-opt.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2e2f4f1ab..6b24a2978 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -752,6 +752,23 @@ run_test() {
 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
 }
+run_test_psa() {
+ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
+ run_test "Default, PSA ($1)" \
+ "$P_SRV debug_level=1 force_version=tls1_2" \
+ "$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \
+ 0 \
+ -c "Successfully setup PSA-based decryption cipher context" \
+ -c "Successfully setup PSA-based encryption cipher context" \
+ -s "Successfully setup PSA-based decryption cipher context" \
+ -s "Successfully setup PSA-based encryption cipher context" \
+ -C "Failed to setup PSA-based cipher context"\
+ -S "Failed to setup PSA-based cipher context"\
+ -s "Protocol is TLSv1.2" \
+ -S "error" \
+ -C "error"
+}
+
 cleanup() {
 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
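Review bot: run_test_psa has no header comment saying what `$1` is or what the run asserts, while the surrounding helpers in this file carry one; `# Usage: run_test_psa CIPHERSUITE` followed by `# Force CIPHERSUITE over TLS 1.2 and require both peers to set up their record-protection cipher contexts through PSA, with no fallback message on either side.` would document it. The two `-C "Failed to setup PSA-based cipher context"\` and `-S ...\` lines are also the only ones in the call without a space before the continuation backslash. Because only the client forces the suite, the test depends on the server accepting whatever the client offers; that is correct for ssl_server2's defaults as far as the hunk shows, but a one-line comment noting it would save the next reader from wondering why the server side is not forced.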
@@ -883,6 +900,18 @@ run_test "Default, DTLS" \
 -s "Protocol is DTLSv1.2" \
 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
+# Test ciphersuites which we expect to be fully supported by PSA Crypto
+# and check that we don't fall back to Mbed TLS' internal crypto primitives.
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
+run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
+
 # Test current time in ServerHello
 requires_config_enabled MBEDTLS_HAVE_TIME
 run_test "ServerHello contains gmt_unix_time" \
From 4724645e28edcf1dacaea515baddff8e71608420 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Sat, 17 Nov 2018 21:18:01 +0000
Subject: [PATCH 4/8] Introduce macros for constants in SSL ticket implementation
---
 library/ssl_ticket.c | 56 ++++++++++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 985b7cd50..6692187a0 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -54,6 +54,19 @@ void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
 #define MAX_KEY_BYTES 32 /* 256 bits */
+#define TICKET_KEY_NAME_BYTES 4
+#define TICKET_IV_BYTES 12
+#define TICKET_CRYPT_LEN_BYTES 2
+#define TICKET_AUTH_TAG_BYTES 16
+
+#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
+ TICKET_IV_BYTES + \
+ TICKET_CRYPT_LEN_BYTES + \
+ TICKET_AUTH_TAG_BYTES )
+#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
+ TICKET_IV_BYTES + \
+ TICKET_CRYPT_LEN_BYTES )
+
 /*
 * Generate/update a key
 */
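Review bot: TICKET_MIN_LEN in the @@ -54 hunk is used by the later hunks of this patch both as a minimum size and as the fixed per-ticket overhead (`*tlen = TICKET_MIN_LEN + ciph_len;` and `len != TICKET_MIN_LEN + enc_len`), so the name undersells it; a comment such as `/* Fixed overhead of a ticket: key name, IV, length field and tag; also its minimum length */` above the definition, or a name like TICKET_OVERHEAD_BYTES, would keep both readings honest. TICKET_AUTH_TAG_BYTES fixes the tag at 16 while mbedtls_ssl_ticket_setup() (outside this hunk) accepts an arbitrary cipher, so it is worth stating at the definition that the value is assumed rather than derived from cipher_info, e.g. `/* Tag length passed to the AEAD; not derived from the cipher */`. The neighbouring `MAX_KEY_BYTES 32 /* 256 bits */` already follows this commented style.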
@@ -278,6 +291,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
 * The key_name, iv, and length of encrypted_state are the additional
 * authenticated data.
 */
+
 int mbedtls_ssl_ticket_write( void *p_ticket,
 const mbedtls_ssl_session *session,
 unsigned char *start,
@@ -289,9 +303,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
 mbedtls_ssl_ticket_context *ctx = p_ticket;
 mbedtls_ssl_ticket_key *key;
 unsigned char *key_name = start;
- unsigned char *iv = start + 4;
- unsigned char *state_len_bytes = iv + 12;
- unsigned char *state = state_len_bytes + 2;
+ unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
+ unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
+ unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
 unsigned char *tag;
 size_t clear_len, ciph_len;
@@ -302,7 +316,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
 /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
 * in addition to session itself, that will be checked when writing it. */
- if( end - start < 4 + 12 + 2 + 16 )
+ if( end - start < TICKET_MIN_LEN )
 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
 #if defined(MBEDTLS_THREADING_C)
@@ -317,9 +331,9 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
 *ticket_lifetime = ctx->ticket_lifetime;
- memcpy( key_name, key->name, 4 );
+ memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
- if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
+ if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
 goto cleanup;
 /* Dump session state */
@@ -335,8 +349,11 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
 /* Encrypt and authenticate */
 tag = state + clear_len;
 if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
- iv, 12, key_name, 4 + 12 + 2,
- state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
+ iv, TICKET_IV_BYTES,
+ /* Additional data: key name, IV and length */
+ key_name, TICKET_ADD_DATA_LEN,
+ state, clear_len, state, &ciph_len,
+ tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
 {
 goto cleanup;
 }
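Review bot: The only change in the @@ -278 hunk is a blank line inserted between the closing `*/` of the format description and `int mbedtls_ssl_ticket_write(`, which detaches that comment from the function it documents (and from doc tooling that pairs a comment with the declaration that follows it). It looks unrelated to the macro introduction this commit is about and should be dropped.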
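Review bot: In the @@ -302 hunk the check now reads `if( end - start < TICKET_MIN_LEN )`, but the comment directly above it still spells out `4 bytes for key_name, 12 for IV, 2 for len 16 for tag`, so the literals this commit removes from the code survive in prose and will drift the first time a macro changes. Rewording it to `/* We need room for key name, IV, length field and tag (TICKET_MIN_LEN) in addition to the session itself, which is checked when writing it. */` keeps the explanation without repeating the numbers. mbedtls_ssl_ticket_write() starts and ends outside this hunk.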
@@ -346,7 +363,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
 goto cleanup;
 }
- *tlen = 4 + 12 + 2 + 16 + ciph_len;
+ *tlen = TICKET_MIN_LEN + ciph_len;
 cleanup:
 #if defined(MBEDTLS_THREADING_C)
@@ -385,17 +402,16 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
 mbedtls_ssl_ticket_context *ctx = p_ticket;
 mbedtls_ssl_ticket_key *key;
 unsigned char *key_name = buf;
- unsigned char *iv = buf + 4;
- unsigned char *enc_len_p = iv + 12;
- unsigned char *ticket = enc_len_p + 2;
+ unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
+ unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
+ unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
 unsigned char *tag;
 size_t enc_len, clear_len;
 if( ctx == NULL || ctx->f_rng == NULL )
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- /* See mbedtls_ssl_ticket_write() */
- if( len < 4 + 12 + 2 + 16 )
+ if( len < TICKET_MIN_LEN )
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 #if defined(MBEDTLS_THREADING_C)
@@ -409,7 +425,7 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
 tag = ticket + enc_len;
- if( len != 4 + 12 + 2 + enc_len + 16 )
+ if( len != TICKET_MIN_LEN + enc_len )
 {
 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 goto cleanup;
@@ -425,9 +441,13 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
 }
 /* Decrypt and authenticate */
- if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
- key_name, 4 + 12 + 2, ticket, enc_len,
- ticket, &clear_len, tag, 16 ) ) != 0 )
+ if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
+ iv, TICKET_IV_BYTES,
+ /* Additional data: key name, IV and length */
+ key_name, TICKET_ADD_DATA_LEN,
+ ticket, enc_len,
+ ticket, &clear_len,
+ tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
 {
 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
From 329919eadf05abc9c992d85d7e38aaf9ef9a0641 Mon Sep 17 00:00:00 2001
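Review bot: The @@ -385 hunk drops `/* See mbedtls_ssl_ticket_write() */` from the parser's length check, but the ticket wire layout is still described only in the comment above mbedtls_ssl_ticket_write(), so the parser loses its pointer to the format definition while it still depends on every field of it. Keeping a cross-reference, e.g. `/* Ticket layout: see the comment above mbedtls_ssl_ticket_write() */`, costs one line and helps whoever next changes the layout to find both sides. The same macros are substituted consistently in @@ -346, @@ -409 and @@ -425; mbedtls_ssl_ticket_parse() ends outside the last hunk.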
From: Hanno Becker
Date: Sat, 17 Nov 2018 21:25:59 +0000
Subject: [PATCH 5/8] Use PSA-based ciphers for SSL ticket protection
This commit modifies the default SSL ticket implementation from `library/ssl_ticket.c` to use PSA-based cipher context for ticket creation and parsing. As in mbedtls_ssl_derive_keys() adapted in an earlier commit, we allow fallback to the ordinary mbedtls_cipher_setup() if the provided cipher is not known. We do this even though we always call mbedtls_ssl_ticket_setup() with AES-GCM in our own code since this function is public and might be used with other ciphers by users.
---
 library/ssl_ticket.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 6692187a0..9fc690f4c 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -154,11 +154,27 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
 if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
- ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
- {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
+ cipher_info, TICKET_AUTH_TAG_BYTES );
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ return( ret );
+ /* We don't yet expect to support all ciphers through PSA,
+ * so allow fallback to ordinary mbedtls_cipher_setup(). */
+ if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
+ return( ret );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
+ cipher_info, TICKET_AUTH_TAG_BYTES );
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ return( ret );
+ if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
 return( ret );
- }
 if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
 ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
From fc20c14e76c32e6d6b10af650bdfb0b37c3d40a5 Mon Sep 17 00:00:00 2001
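Review bot: The PSA attempt plus fallback is written out twice, once per key slot, with the explanatory comment attached only to the keys[0] copy, and in each copy the brace-less `if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )` sits directly before `#endif` so that the `if( ( ret = mbedtls_cipher_setup(` that follows is its nested body, a shape that reads as two independent statements in the non-PSA build. A loop over the two slots keeps one copy of the logic and one copy of the comment, and lets `continue` express the PSA-success path instead of a dangling guard; it needs a `size_t i;` declared with the other locals at the top of mbedtls_ssl_ticket_setup(), which is outside the hunk. The number of slots is taken from the existing keys[0]/keys[1] accesses; if the array has a named size constant elsewhere in the file, use that instead of the literal 2.
```c
    for( i = 0; i < 2; i++ )
    {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
        ret = mbedtls_cipher_setup_psa( &ctx->keys[i].ctx,
                                        cipher_info, TICKET_AUTH_TAG_BYTES );
        if( ret == 0 )
            continue;
        if( ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
            return( ret );
        /* We don't yet expect to support all ciphers through PSA,
         * so allow fallback to ordinary mbedtls_cipher_setup(). */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
        if( ( ret = mbedtls_cipher_setup( &ctx->keys[i].ctx, cipher_info ) ) != 0 )
            return( ret );
    }
    /* … unchanged: ssl_ticket_gen_key() for both slots … */
```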
From: Hanno Becker Date: Sat, 17 Nov 2018 22:27:38 +0000 Subject: [PATCH 6/8] Use PSA-based ciphers for record protections in TLS-1.2 only Reasons: - For the first release, we attempt to support TLS-1.2 only, - At least TLS-1.0 is known to not work at the moment, as for CBC ciphersuites the code in mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() assumes that mbedtls_cipher_crypt() updates the structure field for the IV in the cipher context, which the PSA-based implementation currently doesn't. --- library/ssl_tls.c | 85 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 64 insertions(+), 21 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index acfb3de82..e6a4222a2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -610,6 +610,9 @@ static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char * int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { int ret = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + int psa_fallthrough; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char tmp[64]; unsigned char keyblk[256]; unsigned char *key1; 
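Review bot: `int psa_fallthrough;` in the @@ -610 hunk is declared without an initializer even though its whole purpose is to default to the fallback path; declaring it as `int psa_fallthrough = 1; /* set to 0 only when the PSA-based setup succeeds */` lets the `else psa_fallthrough = 1;` and `#else psa_fallthrough = 1;` arms in the @@ -1032 and @@ -1055 hunks be dropped, and protects a future code path that forgets to assign it, which the compiler cannot diagnose once the assignments are spread over #if branches. Every path in this patch does assign the variable, so this is readability and future-proofing rather than a present bug. mbedtls_ssl_derive_keys() continues well past the hunk.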
@@ -1032,20 +1035,41 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 #endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
- cipher_info, taglen );
- if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+
+ /* Only use PSA-based ciphers for TLS-1.2.
+ * That's relevant at least for TLS-1.0, where
+ * we assume that mbedtls_cipher_crypt() updates
+ * the structure field for the IV, which the PSA-based
+ * implementation currently doesn't. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
- return( ret );
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
+ cipher_info, taglen );
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
+ return( ret );
+ }
+
+ if( ret == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
+ psa_fallthrough = 0;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
+ psa_fallthrough = 1;
+ }
 }
-
- if( ret == 0 )
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
 else
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
+ psa_fallthrough = 1;
+#else
+ psa_fallthrough = 1;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- if( ret != 0 )
+ if( psa_fallthrough == 1 )
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
 cipher_info ) ) != 0 )
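Review bot: The "Successfully setup PSA-based encryption cipher context" message is emitted at debug level 1, the same level every MBEDTLS_SSL_DEBUG_RET in this hunk uses for errors, so a healthy PSA handshake now produces error-level output on every key derivation; level 2 or 3 fits an informational trace, with run_test_psa in ssl-opt.sh (patch 3, `debug_level=1`) raised to the matching level so its greps still see the line. The five-line TLS-1.2 rationale comment is repeated verbatim in the @@ -1055 hunk for the decryption context; keeping it once here and writing `/* See the TLS-1.2 note above the encryption setup. */` at the second site prevents the two from drifting. The reuse of the same block for both contexts is raised on patch 1 and is not repeated here.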
@@ -1055,21 +1079,40 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 }
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
- ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
- cipher_info, taglen );
-
- if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ /* Only use PSA-based ciphers for TLS-1.2.
+ * That's relevant at least for TLS-1.0, where
+ * we assume that mbedtls_cipher_crypt() updates
+ * the structure field for the IV, which the PSA-based
+ * implementation currently doesn't. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
- return( ret );
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
+ cipher_info, taglen );
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
+ return( ret );
+ }
+
+ if( ret == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
+ psa_fallthrough = 0;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
+ psa_fallthrough = 1;
+ }
 }
-
- if( ret == 0 )
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
 else
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
+ psa_fallthrough = 1;
+#else
+ psa_fallthrough = 1;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- if( ret != 0 )
+ if( psa_fallthrough == 1 )
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
 cipher_info ) ) != 0 )
From 5b6425a9313bdeb32380eb08fb1aec4a2e1213a9 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 20 Nov 2018 11:31:17 +0000
Subject: [PATCH 7/8] Remove superfluous quotes in ssl-opt.sh
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6b24a2978..5d8efc2eb 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -186,7 +186,7 @@ requires_config_value_at_most() {
 }
 requires_ciphersuite_enabled() {
- if [ -z "$($P_CLI --help | grep "$1")" ]; then
+ if [ -z "$($P_CLI --help | grep $1)" ]; then
 SKIP_NEXT="YES"
 fi
 }
From 0110add3d6680003ed64311be8b5c5cd259cfc92 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 20 Nov 2018 11:37:34 +0000
Subject: [PATCH 8/8] Rename PSA test in ssl-opt.sh
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5d8efc2eb..bae70e8ec 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -754,7 +754,7 @@ run_test() {
 run_test_psa() {
 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
- run_test "Default, PSA ($1)" \
+ run_test "PSA-supported ciphersuite: $1" \
 "$P_SRV debug_level=1 force_version=tls1_2" \
 "$P_CLI debug_level=1 force_version=tls1_2 force_ciphersuite=$1" \
 0 \
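Review bot: The quotes removed in the @@ -186 hunk were not superfluous: an unquoted `$1` is subject to word splitting and pathname expansion, and if the function is ever called with an empty or missing argument `grep` is invoked with no pattern at all, so `grep "$1"` should stay. Nesting double quotes inside `$( ... )` is valid POSIX sh and does not interfere with the outer `"$(...)"`, so there is no syntax reason to drop them; if the aim was to avoid a pattern that begins with a dash, `grep -- "$1"` is the idiomatic form. The @@ -754 hunk of patch 8 is a plain rename of the test description and needs nothing.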