Add non-PSA support for TLS 1.3 client

Summary: Add non-PSA crypto support for the client when it uses TLS 1.3. * Update include/mbedtls/check_config.h to allow MBEDTLS_SSL_PROTO_TLS1_3 without MBEDTLS_PSA_CRYPTO_C * Add non-PSA crypto support in TLS 1.3 implementation. * Require MBEDTLS_USE_PSA_CRYPTO for the TLS 1.3: Client authentication, rsa_pss_rsae tests. It is because the padding is set to [PSA_ALG_RSA_PSS](https://github.com/hannestschofenig/mbedtls/blob/tls13-prototype/library/pk.c#L557) in `mbedtls_pk_sign_ext` which is only for MBEDTLS_USE_PSA_CRYPTO. Test Plan: ``` tests/ssl-opt.sh -p -s -f "TLS 1.3: " ``` Reviewers: Subscribers: Tasks: Tags:
hannestschofenig · Sep 7, 2022 · 8dc03f8 · 8dc03f8
1 parent 93c6b92
commit 8dc03f8
Show file tree

Hide file tree

Showing 8 changed files with 388 additions and 35 deletions.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
@@ -703,8 +703,7 @@
  */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
     ( ( !defined(MBEDTLS_HKDF_C) ) || \
-      ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \
-      ( !defined(MBEDTLS_PSA_CRYPTO_C) ) )
+      ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) )
 #error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
 #endif
 

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
@@ -654,14 +654,14 @@ struct mbedtls_ssl_handshake_params
  */
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
     mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || (defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))
     psa_key_type_t ecdh_psa_type;
     size_t ecdh_bits;
     mbedtls_svc_key_id_t ecdh_psa_privkey;
     uint8_t ecdh_psa_privkey_is_external;
     unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
     size_t ecdh_psa_peerkey_len;
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_USE_PSA_CRYPTO || (defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)) */
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@@ -2695,7 +2695,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_typ
                                     size_t *key_size );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || (defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))
 /**
  * \brief       Convert given PSA status to mbedtls error code.
  *
@@ -2725,6 +2725,6 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
             return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
     }
 }
-#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_USE_PSA_CRYPTO || (defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))*/
 
 #endif /* ssl_misc.h */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
@@ -3771,11 +3771,12 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
     mbedtls_ssl_buffering_free( ssl );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
-#if defined(MBEDTLS_ECDH_C) && \
-    ( defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+#if defined(MBEDTLS_ECDH_C) && ( defined(MBEDTLS_USE_PSA_CRYPTO) \
+    || ( defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) ) )
     if( handshake->ecdh_psa_privkey_is_external == 0 )
         psa_destroy_key( handshake->ecdh_psa_privkey );
-#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_ECDH_C && ( defined(MBEDTLS_USE_PSA_CRYPTO) \
+    || ( defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) ) ) */
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     mbedtls_ssl_transform_free( handshake->transform_handshake );

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
@@ -45,6 +45,8 @@
 #define mbedtls_free       free
 #endif
 
+#include "ecp_internal.h"
+
 /* Write extensions */
 
 /*
@@ -197,6 +199,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_ECDH_C)
     if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
     {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
         psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 
@@ -210,6 +213,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
         }
 
         ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
         return( 0 );
     }
     else
@@ -226,6 +230,7 @@ static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
  * Functions for writing key_share extension.
  */
 #if defined(MBEDTLS_ECDH_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 static int ssl_tls13_generate_and_write_ecdh_key_exchange(
                 mbedtls_ssl_context *ssl,
                 uint16_t named_group,
@@ -282,6 +287,7 @@ static int ssl_tls13_generate_and_write_ecdh_key_exchange(
 
     return( 0 );
 }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_ECDH_C */
 
 static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
@@ -388,8 +394,34 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
          */
         MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
         p += 4;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
         ret = ssl_tls13_generate_and_write_ecdh_key_exchange( ssl, group_id, p, end,
                                                               &key_exchange_len );
+#else
+        mbedtls_ecp_group_id ecp_group_id = mbedtls_ecp_named_group_to_id( group_id );
+        if( ecp_group_id == MBEDTLS_ECP_DP_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
+                                        (unsigned) group_id ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, ecp_group_id);
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_setup", ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ecdh_make_tls13_params( &ssl->handshake->ecdh_ctx, &key_exchange_len,
+                                               p, end - p,
+                                               ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_tls_13_params", ret );
+            return( ret );
+        }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
         p += key_exchange_len;
         if( ret != 0 )
             return( ret );
@@ -439,6 +471,7 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_ECDH_C)
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
 static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               size_t buf_len )
@@ -460,6 +493,7 @@ static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
 
     return( 0 );
 }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_ECDH_C */
 
 /*
@@ -585,9 +619,18 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
         ret = ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
         if( ret != 0 )
             return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_import_public_raw( &ssl->handshake->ecdh_ctx, p,
+            end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_import_public_raw" ), ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
     }
     else
 #endif /* MBEDTLS_ECDH_C */
@@ -997,7 +1040,10 @@ int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders(
         return( ret );
 
     ret = mbedtls_ssl_tls13_create_psk_binder( ssl,
-              mbedtls_psa_translate_md( suite_info->mac ),
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        mbedtls_psa_translate_md
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        ( suite_info->mac ),
               psk, psk_len, psk_type,
               transcript, p );
     if( ret != 0 )
@@ -3382,7 +3428,10 @@ static int ssl_tls13_new_session_ticket_parse( mbedtls_ssl_context *ssl,
      *                    "resumption", ticket_nonce, Hash.length )
      */
     ret = mbedtls_ssl_tls13_hkdf_expand_label(
-                    mbedtls_psa_translate_md( suite_info->mac ),
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        mbedtls_psa_translate_md
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+        ( suite_info->mac ),
                     ssl->session->app_secrets.resumption_master_secret,
                     hash_length,
                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
@@ -1984,6 +1984,7 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
     verify_hash_len = mbedtls_md_get_size( md_info );
     MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
     if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
                         md_alg, verify_hash, verify_hash_len,
                         p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
@@ -1992,6 +1993,16 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
         return( ret );
     }
+#else
+    if( ( ret = mbedtls_pk_sign( own_key, md_alg,
+                                 verify_hash, verify_hash_len,
+                                 p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
+                                 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
     p += 2 + signature_len;
@@ -2262,14 +2273,6 @@ int mbedtls_ecdh_make_tls13_params( mbedtls_ecdh_context *ctx, size_t *out_len,
 #endif
 }
 
-static int ecdh_import_public_raw( mbedtls_ecdh_context_mbed *ctx,
-                                   const unsigned char *buf,
-                                   const unsigned char *end )
-{
-    return( mbedtls_ecp_point_read_binary( &ctx->grp, &ctx->Qp,
-                                           buf, end - buf ) );
-}
-
 #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
 static int everest_import_public_raw( mbedtls_x25519_context *ctx,
                         const unsigned char *buf, const unsigned char *end )
@@ -2291,7 +2294,8 @@ int mbedtls_ecdh_import_public_raw( mbedtls_ecdh_context *ctx,
     ECDH_VALIDATE_RET( end != NULL );
 
 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-    return( ecdh_read_tls13_params_internal( ctx, buf, end ) );
+    return( mbedtls_ecp_tls13_read_point( &ctx->grp, &ctx->Qp, &buf,
+                                        end - buf ) );
 #else
     switch( ctx->var )
     {
@@ -2301,8 +2305,8 @@ int mbedtls_ecdh_import_public_raw( mbedtls_ecdh_context *ctx,
                                                buf, end) );
 #endif
         case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
-            return( ecdh_import_public_raw( &ctx->ctx.mbed_ecdh,
-                                            buf, end ) );
+            return( mbedtls_ecp_tls13_read_point( &ctx->ctx.mbed_ecdh.grp,
+                  &ctx->ctx.mbed_ecdh.Qp, &buf, end - buf ) );
         default:
             return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
     }