Make PK PSA functions also available for TLS 1.3
Signed-off-by: Przemek Stekiel <[email protected]>
mprse committed Jun 20, 2022
1 parent 2813711 commit bea2359
Showing 7 changed files with 44 additions and 44 deletions.
18 changes: 9 additions & 9 deletions include/mbedtls/pk.h
Expand Up @@ -40,7 +40,7 @@
#include "mbedtls/ecdsa.h"
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#endif

Expand Down Expand Up @@ -141,7 +141,7 @@ typedef struct mbedtls_pk_rsassa_pss_options
#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if PSA_SIGNATURE_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
/* PSA_SIGNATURE_MAX_SIZE is the maximum size of a signature made
* through the PSA API in the PSA representation. */
Expand All @@ -159,7 +159,7 @@ typedef struct mbedtls_pk_rsassa_pss_options
#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
#define MBEDTLS_PK_SIGNATURE_MAX_SIZE ( PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE + 11 )
#endif
#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) || MBEDTLS_SSL_PROTO_TLS1_3 */

/**
* \brief Types for interfacing with the debug module
Expand Down Expand Up @@ -321,7 +321,7 @@ void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
*/
int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/**
* \brief Initialize a PK context to wrap a PSA key.
*
Expand Down Expand Up @@ -352,7 +352,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
*/
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
const mbedtls_svc_key_id_t key );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/**
Expand Down Expand Up @@ -411,7 +411,7 @@ static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
*/
int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/**
* \brief Tell if context can do the operation given by PSA algorithm
*
Expand Down Expand Up @@ -441,7 +441,7 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
*/
int mbedtls_pk_can_do_ext( const mbedtls_pk_context *ctx, psa_algorithm_t alg,
psa_key_usage_t usage );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

/**
* \brief Verify signature (including padding if relevant).
Expand Down Expand Up @@ -947,7 +947,7 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/**
* \brief Turn an EC or RSA key into an opaque one.
*
Expand All @@ -972,7 +972,7 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
psa_algorithm_t alg,
psa_key_usage_t usage,
psa_algorithm_t alg2 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#ifdef __cplusplus
}
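Review bot: The closing comment of the first widened guard, `#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) || MBEDTLS_SSL_PROTO_TLS1_3 */`, mixes `defined(...)` with a bare macro name, while the other three closers in this header use `/* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */`; it should read the same. The same two-macro condition is now spelled out at every guard in this header and, in this commit, in library/pk.c, library/pk_wrap.c, library/pk_wrap.h and both test suites, so a later edit that misses one site would leave declarations and definitions out of step. Deriving one internal macro from the two options in a single place and testing that would be less fragile. The Doxygen blocks for mbedtls_pk_setup_opaque(), mbedtls_pk_can_do_ext() and mbedtls_pk_wrap_as_opaque() are collapsed here; if they state that the function requires MBEDTLS_USE_PSA_CRYPTO, they need the TLS 1.3 case added.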
4 changes: 2 additions & 2 deletions include/mbedtls/psa_util.h
Expand Up @@ -29,7 +29,7 @@

#include "mbedtls/build_info.h"

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_SSL_PROTO_TLS1_3)

#include "psa/crypto.h"

Expand Down Expand Up @@ -361,6 +361,6 @@ extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;

#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */

#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_PSA_CRYPTO_C || MBEDTLS_SSL_PROTO_TLS1_3 */

#endif /* MBEDTLS_PSA_UTIL_H */
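Review bot: With the guard widened to `MBEDTLS_PSA_CRYPTO_C || MBEDTLS_SSL_PROTO_TLS1_3`, a configuration that enables TLS 1.3 without MBEDTLS_PSA_CRYPTO_C now gets `psa/crypto.h` and every declaration in this header, and the mistake would presumably surface only at link time. If TLS 1.3 is meant to require the PSA core, a build-time check states that directly: `#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_PSA_CRYPTO_C)` followed by an `#error` line. Such a check may already exist in the configuration checks, which this commit does not show; in that case the added `||` is redundant here and the original guard could stay.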
14 changes: 7 additions & 7 deletions library/pk.c
Expand Up @@ -147,7 +147,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
return( 0 );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* Initialise a PSA-wrapping context
*/
Expand Down Expand Up @@ -184,7 +184,7 @@ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,

return( 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/*
Expand Down Expand Up @@ -232,7 +232,7 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
return( ctx->pk_info->can_do( type ) );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* Tell if a PK can do the operations of the given PSA algorithm
*/
Expand Down Expand Up @@ -351,7 +351,7 @@ int mbedtls_pk_can_do_ext( const mbedtls_pk_context *ctx, psa_algorithm_t alg,

return( 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

/*
* Helper for mbedtls_pk_sign and mbedtls_pk_verify
Expand Down Expand Up @@ -495,7 +495,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,

pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( pss_opts->mgf1_hash_id == md_alg &&
( (size_t) pss_opts->expected_salt_len == hash_len ||
pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ) )
Expand Down Expand Up @@ -832,7 +832,7 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
return( ctx->pk_info->type );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* Load the key to a PSA key slot,
* then turn the PK context into a wrapper for that key slot.
Expand Down Expand Up @@ -937,5 +937,5 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
#endif /* !MBEDTLS_ECP_C && !MBEDTLS_RSA_C */
return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_PK_C */
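Review bot: In mbedtls_pk_verify_ext() the RSASSA-PSS branch under the widened guard is now compiled in any TLS 1.3 build, so callers that never enabled MBEDTLS_USE_PSA_CRYPTO are routed to it whenever `pss_opts->mgf1_hash_id == md_alg` and the salt-length test holds. The branch body is outside the hunk, but if it verifies through the PSA API, as the guard suggests, the application must have called psa_crypto_init() beforehand, and a program that did not would see verification return an error. The same would apply to the wrappers re-guarded in library/pk_wrap.c (rsa_verify_wrap, rsa_sign_wrap, rsa_decrypt_wrap, rsa_encrypt_wrap, ecdsa_verify_wrap). I would add a comment above the guard, `/* Also taken in TLS 1.3 builds without MBEDTLS_USE_PSA_CRYPTO: psa_crypto_init() must have been called. */`, and mention that error codes may differ from the legacy path, which the check on MBEDTLS_ERR_RSA_INVALID_PADDING under the same guard in tests/suites/test_suite_pk.function points to.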
30 changes: 15 additions & 15 deletions library/pk_wrap.c
Expand Up @@ -40,15 +40,15 @@
#include "mbedtls/ecdsa.h"
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "mbedtls/asn1write.h"
#endif

#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
#include "mbedtls/platform_util.h"
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "mbedtls/asn1.h"
Expand Down Expand Up @@ -126,7 +126,7 @@ int mbedtls_pk_error_from_psa_rsa( psa_status_t status )

#endif /* MBEDTLS_PSA_CRYPTO_C */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)

#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int mbedtls_pk_error_from_psa_ecdsa( psa_status_t status )
Expand All @@ -150,7 +150,7 @@ int mbedtls_pk_error_from_psa_ecdsa( psa_status_t status )
}
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */

#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_RSA_C)
static int rsa_can_do( mbedtls_pk_type_t type )
Expand All @@ -165,7 +165,7 @@ static size_t rsa_get_bitlen( const void *ctx )
return( 8 * mbedtls_rsa_get_len( rsa ) );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len )
Expand Down Expand Up @@ -316,9 +316,9 @@ int mbedtls_pk_psa_rsa_sign_ext( psa_algorithm_t alg,
ret = mbedtls_pk_error_from_psa( status );
return( ret );
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_PSA_CRYPTO_C || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t sig_size, size_t *sig_len,
Expand Down Expand Up @@ -360,7 +360,7 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
}
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int rsa_decrypt_wrap( void *ctx,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
Expand Down Expand Up @@ -443,7 +443,7 @@ static int rsa_decrypt_wrap( void *ctx,
}
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int rsa_encrypt_wrap( void *ctx,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
Expand Down Expand Up @@ -864,7 +864,7 @@ static int ecdsa_can_do( mbedtls_pk_type_t type )
return( type == MBEDTLS_PK_ECDSA );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
* those integers and convert it to the fixed-length encoding expected by PSA.
Expand Down Expand Up @@ -1007,7 +1007,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,

return( ret );
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
#else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len )
Expand All @@ -1023,9 +1023,9 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,

return( ret );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*
* Simultaneously convert and move raw MPI from the beginning of a buffer
* to an ASN.1 MPI at the end of the buffer.
Expand Down Expand Up @@ -1463,7 +1463,7 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {

#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)

static void *pk_opaque_alloc_wrap( void )
{
Expand Down Expand Up @@ -1656,6 +1656,6 @@ const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = {
NULL, /* debug - could be done later, or even left NULL */
};

#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#endif /* MBEDTLS_PK_C */
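Review bot: The closer after mbedtls_pk_psa_rsa_sign_ext() now reads `#endif /* MBEDTLS_PSA_CRYPTO_C || MBEDTLS_SSL_PROTO_TLS1_3 */`, but no `#if defined(MBEDTLS_PSA_CRYPTO_C)` line is changed anywhere in this file's section, so the comment appears to describe a condition the opening guard does not have. The `#endif /* MBEDTLS_PSA_CRYPTO_C */` in the hunk just before mbedtls_pk_error_from_psa_ecdsa() and the `#if defined(MBEDTLS_PSA_CRYPTO_C)` around mbedtls_pk_error_from_psa() in library/pk_wrap.h are left as they were, which supports that reading. Either keep `#endif /* MBEDTLS_PSA_CRYPTO_C */` here or widen the matching `#if` as well. The opening line is outside the visible hunks, so this needs checking against the file.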
4 changes: 2 additions & 2 deletions library/pk_wrap.h
Expand Up @@ -135,15 +135,15 @@ extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info;

#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int mbedtls_pk_error_from_psa_ecdsa( psa_status_t status );
#endif

#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_PSA_CRYPTO_C)
int mbedtls_pk_error_from_psa( psa_status_t status );
6 changes: 3 additions & 3 deletions tests/suites/test_suite_pk.function
Expand Up @@ -85,7 +85,7 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
}
#endif /* MBEDTLS_RSA_C */

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)

/*
* Generate an ECC key using PSA and return the key identifier of that key,
Expand Down Expand Up @@ -130,7 +130,7 @@ mbedtls_svc_key_id_t pk_psa_genkey_rsa( void )
exit:
return( key );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
/* END_HEADER */

/* BEGIN_DEPENDENCIES
Expand Down Expand Up @@ -582,7 +582,7 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest,
digest, hash_result, hash_len,
result_str->x, sig_len );

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( result == MBEDTLS_ERR_RSA_INVALID_PADDING )
{
/* Mbed TLS distinguishes "invalid padding" from "valid padding but
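Review bot: The configuration this commit enables, TLS 1.3 without MBEDTLS_USE_PSA_CRYPTO, may not be exercised by any test case: only preprocessor guards change in this file, and no .data file is among the 7 changed files. If the cases that cover mbedtls_pk_setup_opaque(), mbedtls_pk_can_do_ext() and mbedtls_pk_wrap_as_opaque() still declare a dependency on MBEDTLS_USE_PSA_CRYPTO alone, that configuration compiles helpers such as pk_psa_genkey_rsa() but runs none of the tests that use them. The dependency lines are outside the visible hunks, so this is to be confirmed. If it holds, the PSA-backed sign, verify and decrypt paths opened up by this commit have no coverage in the new configuration.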
12 changes: 6 additions & 6 deletions tests/suites/test_suite_x509write.function
Expand Up @@ -28,7 +28,7 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
}
#endif /* MBEDTLS_RSA_C */

#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
#if ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) ) && \
defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen )
{
Expand Down Expand Up @@ -84,11 +84,11 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_SSL_PROTO_TLS1_3)
unsigned char check_buf[4000];
FILE *f;
size_t olen = 0;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#endif /* !MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_SSL_PROTO_TLS1_3 */
size_t pem_len = 0, buf_index;
int der_len = -1;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
Expand Down Expand Up @@ -122,7 +122,7 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
TEST_ASSERT( buf[buf_index] == 0 );
}

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
// When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used
(void)cert_req_check_file;
buf[pem_len] = '\0';
Expand All @@ -135,7 +135,7 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,

TEST_ASSERT( olen >= pem_len - 1 );
TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */

der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ),
mbedtls_test_rnd_pseudo_rand,
Expand All @@ -145,7 +145,7 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
if( der_len == 0 )
goto exit;

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
// go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
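Review bot: In x509_csr_check() the comments under the widened guards still begin `When using PSA crypto, RNG isn't controllable`, which no longer names the condition: the branch is now also taken in TLS 1.3 builds where MBEDTLS_USE_PSA_CRYPTO is off. I would reword the first to `// When PK signs through PSA (MBEDTLS_USE_PSA_CRYPTO or TLS 1.3 builds), RNG isn't controllable, so cert_req_check_file can't be used`, and the second likewise. The consequence worth stating in the commit message is that such builds no longer compare the generated CSR with the reference file (the `memcmp( buf, check_buf, pem_len - 1 )` branch) and presumably rely on x509_crt_verifycsr() instead. The function starts and ends outside these hunks.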
