From 4d8685b4ff1c92f1000635ebf4c0c9383c13847f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 Aug 2015 15:44:42 +0200 Subject: [PATCH 01/87] Add skeleton for EC J-PAKE module --- include/mbedtls/check_config.h | 5 ++ include/mbedtls/config.h | 16 ++++++ include/mbedtls/ecjpake.h | 46 ++++++++++++++++++ library/CMakeLists.txt | 1 + library/Makefile | 3 +- library/ecjpake.c | 62 ++++++++++++++++++++++++ library/version_features.c | 3 ++ programs/test/selftest.c | 6 +++ tests/CMakeLists.txt | 3 +- tests/Makefile | 6 ++- tests/suites/test_suite_ecjpake.data | 2 + tests/suites/test_suite_ecjpake.function | 15 ++++++ 12 files changed, 165 insertions(+), 3 deletions(-) create mode 100644 include/mbedtls/ecjpake.h create mode 100644 library/ecjpake.c create mode 100644 tests/suites/test_suite_ecjpake.data create mode 100644 tests/suites/test_suite_ecjpake.function diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index cb707e9bc..ee89c9fad 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -88,6 +88,11 @@ #error "MBEDTLS_ECDSA_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_ECJPAKE_C) && \ + ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) ) +#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C) #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites" #endif diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 66657da55..fa202756f 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1670,6 +1670,21 @@ */ #define MBEDTLS_ECDSA_C +/** + * \def MBEDTLS_ECJPAKE_C + * + * Enable the elliptic curve J-PAKE library. + * + * Module: library/ecjpake.c + * Caller: + * + * This module is used by the following key exchanges: + * ECJPAKE + * + * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C + */ +#define MBEDTLS_ECJPAKE_C + /** * \def MBEDTLS_ECP_C * @@ -1678,6 +1693,7 @@ * Module: library/ecp.c * Caller: library/ecdh.c * library/ecdsa.c + * library/ecjpake.c * * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED */ diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h new file mode 100644 index 000000000..57f4b15e4 --- /dev/null +++ b/include/mbedtls/ecjpake.h @@ -0,0 +1,46 @@ +/** + * \file ecjpake.h + * + * \brief Elliptic curve J-PAKE + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_ECJPAKE_H +#define MBEDTLS_ECJPAKE_H + +#include "ecp.h" +#include "md.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#if defined(MBEDTLS_SELF_TEST) +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if a test failed + */ +int mbedtls_ecjpake_self_test( int verbose ); +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* ecjpake.h */ diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index c458117d4..d6c551a74 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -20,6 +20,7 @@ set(src_crypto dhm.c ecdh.c ecdsa.c + ecjpake.c ecp.c ecp_curves.c entropy.c diff --git a/library/Makefile b/library/Makefile index f72ae8e35..7d253434c 100644 --- a/library/Makefile +++ b/library/Makefile @@ -49,7 +49,8 @@ OBJS_CRYPTO= aes.o aesni.o arc4.o \ bignum.o blowfish.o camellia.o \ ccm.o cipher.o cipher_wrap.o \ ctr_drbg.o des.o dhm.o \ - ecdh.o ecdsa.o ecp.o \ + ecdh.o ecdsa.o ecjpake.o \ + ecp.o \ ecp_curves.o entropy.o entropy_poll.o \ error.o gcm.o havege.o \ hmac_drbg.o md.o md2.o \ diff --git a/library/ecjpake.c b/library/ecjpake.c new file mode 100644 index 000000000..4895990f2 --- /dev/null +++ b/library/ecjpake.c @@ -0,0 +1,62 @@ +/* + * Elliptic curve J-PAKE + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/* + * EC-JPAKE is defined in Chapter 7.4 of the Thread specification. + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_ECJPAKE_C) + +#include "mbedtls/ecjpake.h" + +#if defined(MBEDTLS_SELF_TEST) + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif + +/* + * Checkup routine + */ +int mbedtls_ecjpake_self_test( int verbose ) +{ + int ret; + + ret = 0; /* XXX */ + + if( verbose != 0 ) + mbedtls_printf( "\n" ); + + return( ret ); +} + +#endif /* MBEDTLS_SELF_TEST */ + +#endif /* MBEDTLS_ECJPAKE_C */ diff --git a/library/version_features.c b/library/version_features.c index c2f30f21c..fa7a99809 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -462,6 +462,9 @@ static const char *features[] = { #if defined(MBEDTLS_ECDSA_C) "MBEDTLS_ECDSA_C", #endif /* MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_ECJPAKE_C) + "MBEDTLS_ECJPAKE_C", +#endif /* MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_ECP_C) "MBEDTLS_ECP_C", #endif /* MBEDTLS_ECP_C */ diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 82e9581f0..fe5d51426 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -49,6 +49,7 @@ #include "mbedtls/xtea.h" #include "mbedtls/pkcs5.h" #include "mbedtls/ecp.h" +#include "mbedtls/ecjpake.h" #include "mbedtls/timing.h" #include @@ -244,6 +245,11 @@ int main( int argc, char *argv[] ) return( ret ); #endif +#if defined(MBEDTLS_ECJPAKE_C) + if( ( ret = mbedtls_ecjpake_self_test( v ) ) != 0 ) + return( ret ); +#endif + #if defined(MBEDTLS_DHM_C) if( ( ret = mbedtls_dhm_self_test( v ) ) != 0 ) return( ret ); diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 864ea77d1..1cca81830 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -60,9 +60,10 @@ add_test_suite(ctr_drbg) add_test_suite(debug) add_test_suite(des) add_test_suite(dhm) -add_test_suite(ecp) add_test_suite(ecdh) add_test_suite(ecdsa) +add_test_suite(ecjpake) +add_test_suite(ecp) add_test_suite(entropy) add_test_suite(error) add_test_suite(gcm gcm.aes128_en) diff --git a/tests/Makefile b/tests/Makefile index e97887ae1..c5172e4d6 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -60,7 +60,7 @@ APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_ctr_drbg$(EXEXT) test_suite_debug$(EXEXT) \ test_suite_des$(EXEXT) test_suite_dhm$(EXEXT) \ test_suite_ecdh$(EXEXT) test_suite_ecdsa$(EXEXT) \ - test_suite_ecp$(EXEXT) \ + test_suite_ecjpake$(EXEXT) test_suite_ecp$(EXEXT) \ test_suite_error$(EXEXT) test_suite_entropy$(EXEXT) \ test_suite_gcm.aes128_de$(EXEXT) \ test_suite_gcm.aes192_de$(EXEXT) \ @@ -292,6 +292,10 @@ test_suite_ecdsa$(EXEXT): test_suite_ecdsa.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +test_suite_ecjpake$(EXEXT): test_suite_ecjpake.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test_suite_ecp$(EXEXT): test_suite_ecp.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/tests/suites/test_suite_ecjpake.data b/tests/suites/test_suite_ecjpake.data new file mode 100644 index 000000000..3aff2eddb --- /dev/null +++ b/tests/suites/test_suite_ecjpake.data @@ -0,0 +1,2 @@ +ECJPAKE selftest +ecjpake_selftest: diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function new file mode 100644 index 000000000..44a1f009b --- /dev/null +++ b/tests/suites/test_suite_ecjpake.function @@ -0,0 +1,15 @@ +/* BEGIN_HEADER */ +#include "mbedtls/ecjpake.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_ECJPAKE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +void ecjpake_selftest() +{ + TEST_ASSERT( mbedtls_ecjpake_self_test( 0 ) == 0 ); +} +/* END_CASE */ From 3dbf2fbb89e494494a11b27e9cc5e51ed080fd0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Aug 2015 17:24:39 +0200 Subject: [PATCH 02/87] Implement hashing function for ZKP --- library/ecjpake.c | 181 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 180 insertions(+), 1 deletion(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 4895990f2..398f4d907 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -21,6 +21,7 @@ /* * EC-JPAKE is defined in Chapter 7.4 of the Thread specification. + * References below are base on the draft-1.0.0 spec. */ #if !defined(MBEDTLS_CONFIG_FILE) @@ -33,6 +34,90 @@ #include "mbedtls/ecjpake.h" +#include + +/* + * Write a point plus its length to a buffer + */ +static int ecjpake_write_len_point( unsigned char **p, + const unsigned char *end, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *P ) +{ + int ret; + size_t len; + + /* Need at least 4 for length plus 1 for point */ + if( end < *p || end - *p < 5 ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + ret = mbedtls_ecp_point_write_binary( grp, P, MBEDTLS_ECP_PF_UNCOMPRESSED, + &len, *p + 4, end - ( *p + 4 ) ); + if( ret != 0 ) + return( ret ); + + (*p)[0] = (unsigned char)( ( len >> 24 ) & 0xFF ); + (*p)[1] = (unsigned char)( ( len >> 16 ) & 0xFF ); + (*p)[2] = (unsigned char)( ( len >> 8 ) & 0xFF ); + (*p)[3] = (unsigned char)( ( len ) & 0xFF ); + + *p += 4 + len; + + return( 0 ); +} + +/* + * Size of the temporary buffer for ecjpake_hash: + * 3 EC points plus their length, plus ID (6 bytes) + */ +#define ECJPAKE_HASH_BUF_LEN ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 6 ) + +/* + * Compute hash for ZKP (7.4.2.2.2.1) + */ +static int ecjpake_hash( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + const mbedtls_ecp_point *V, + const mbedtls_ecp_point *X, + const char *id, + mbedtls_mpi *h ) +{ + int ret; + unsigned char buf[ECJPAKE_HASH_BUF_LEN]; + unsigned char *p = buf; + const unsigned char *end = buf + sizeof( buf ); + size_t id_len = strlen( id ); + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + + /* Write things to temporary buffer */ + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, G ) ); + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, V ) ); + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, X ) ); + + if( end < p || (size_t)( end - p ) < id_len ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF ); + *p++ = (unsigned char)( ( id_len >> 16 ) & 0xFF ); + *p++ = (unsigned char)( ( id_len >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( id_len ) & 0xFF ); + + memcpy( p, id, id_len ); + p += id_len; + + /* Compute hash */ + mbedtls_md( md_info, buf, p - buf, hash ); + + /* Turn it into an integer mod n */ + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash, + mbedtls_md_get_size( md_info ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( h, h, &grp->N ) ); + +cleanup: + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -42,14 +127,106 @@ #define mbedtls_printf printf #endif +#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \ + !defined(MBEDTLS_SHA256_C) +int mbedtls_ecjpake_self_test( int verbose ) +{ + (void) verbose; + return( 0 ); +} +#else + +static const unsigned char ecjpake_test_G[] = { + 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, + 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, + 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, + 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, + 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, + 0x68, 0x37, 0xbf, 0x51, 0xf5 +}; + +static const unsigned char ecjpake_test_V[] = { + 0x04, 0xfa, 0x9a, 0x24, 0x9d, 0x73, 0x6e, 0x30, 0x28, 0xd1, 0x2d, 0xf1, + 0xdc, 0xfa, 0x22, 0xd1, 0xed, 0x62, 0x82, 0xbf, 0xab, 0x27, 0x7c, 0x7c, + 0x52, 0x56, 0xf3, 0xfd, 0x38, 0x07, 0xa5, 0xae, 0xe0, 0x72, 0xfb, 0x4d, + 0x9c, 0x2b, 0xd6, 0xa4, 0x70, 0xf7, 0xb4, 0xd0, 0xbd, 0xfb, 0x4a, 0x94, + 0x96, 0xcf, 0xcd, 0xd3, 0x53, 0xf9, 0x90, 0x3c, 0x0a, 0x69, 0xa4, 0x4b, + 0x18, 0xc6, 0xd2, 0x9b, 0xb8 +}; + +static const unsigned char ecjpake_test_X[] = { + 0x04, 0x52, 0xa4, 0xda, 0x90, 0xa5, 0x15, 0x7f, 0xc0, 0xe5, 0x1f, 0x79, + 0x4b, 0xe3, 0xbb, 0x3f, 0x1d, 0xf8, 0xdf, 0xb1, 0xe3, 0x18, 0xa8, 0x10, + 0xf2, 0x05, 0x2e, 0x64, 0xa8, 0xe8, 0x35, 0x64, 0xe8, 0xe2, 0x8c, 0x17, + 0x15, 0xab, 0xf7, 0x8d, 0x1f, 0x8b, 0x18, 0x99, 0x6d, 0x6a, 0xb7, 0xbd, + 0xcc, 0xbe, 0x52, 0x08, 0x1a, 0x3a, 0xe7, 0x65, 0x4b, 0xdf, 0x66, 0x62, + 0xf5, 0x74, 0xe0, 0xfd, 0x80 +}; + +static const unsigned char ecjpake_test_h[] = { + 0xec, 0xf3, 0x24, 0x46, 0x16, 0xce, 0xa5, 0x34, 0x58, 0x46, 0xd2, 0x45, + 0xba, 0x27, 0x63, 0x36, 0x50, 0xc4, 0x70, 0x3d, 0x56, 0x0c, 0x7a, 0x7c, + 0x51, 0x69, 0xfe, 0xa7, 0xa3, 0xf7, 0x79, 0x10 +}; + /* * Checkup routine */ int mbedtls_ecjpake_self_test( int verbose ) { int ret; + mbedtls_ecp_group grp; + mbedtls_ecp_point G, V, X; + mbedtls_mpi h, h_ref; + const mbedtls_md_info_t *md_info; - ret = 0; /* XXX */ + mbedtls_ecp_group_init( &grp ); + mbedtls_ecp_point_init( &G ); + mbedtls_ecp_point_init( &V ); + mbedtls_ecp_point_init( &X ); + mbedtls_mpi_init( &h_ref ); + mbedtls_mpi_init( &h ); + + if( verbose != 0 ) + mbedtls_printf( " ECJPAKE test #1 (hash): " ); + + md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); + MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &G, ecjpake_test_G, + sizeof( ecjpake_test_G ) ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &V, ecjpake_test_V, + sizeof( ecjpake_test_V ) ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &X, ecjpake_test_X, + sizeof( ecjpake_test_X ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &h_ref, ecjpake_test_h, + sizeof( ecjpake_test_h ) ) ); + + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, &grp, &G, &V, &X, "client", &h ) ); + + if( mbedtls_mpi_cmp_mpi( &h, &h_ref ) != 0 ) + { + ret = 1; + goto cleanup; + } + + if( verbose != 0 ) + mbedtls_printf( "passed\n" ); + +cleanup: + mbedtls_ecp_group_free( &grp ); + mbedtls_ecp_point_free( &G ); + mbedtls_ecp_point_free( &V ); + mbedtls_ecp_point_free( &X ); + mbedtls_mpi_free( &h_ref ); + mbedtls_mpi_free( &h ); + + if( ret != 0 ) + { + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + ret = 1; + } if( verbose != 0 ) mbedtls_printf( "\n" ); @@ -57,6 +234,8 @@ int mbedtls_ecjpake_self_test( int verbose ) return( ret ); } +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */ + #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_ECJPAKE_C */ From 8489f17277af7fe2b2d03adbfb9a79860aefdc10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 7 Aug 2015 17:47:39 +0200 Subject: [PATCH 03/87] First draft of ecjpake_write_zkp() --- library/ecjpake.c | 107 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 101 insertions(+), 6 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 398f4d907..7dc780ca9 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -20,8 +20,8 @@ */ /* - * EC-JPAKE is defined in Chapter 7.4 of the Thread specification. - * References below are base on the draft-1.0.0 spec. + * We implement EC-JPAKE as defined in Chapter 7.4 of the Thread v1.0 + * Specification. References below are to this document. */ #if !defined(MBEDTLS_CONFIG_FILE) @@ -87,7 +87,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, unsigned char buf[ECJPAKE_HASH_BUF_LEN]; unsigned char *p = buf; const unsigned char *end = buf + sizeof( buf ); - size_t id_len = strlen( id ); + const size_t id_len = strlen( id ); unsigned char hash[MBEDTLS_MD_MAX_SIZE]; /* Write things to temporary buffer */ @@ -118,6 +118,62 @@ cleanup: return( ret ); } +/* + * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2) + */ +static int ecjpake_write_zkp( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + const mbedtls_mpi *x, + const mbedtls_ecp_point *X, + const char *id, + unsigned char **p, + const unsigned char *end, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_ecp_point V; + mbedtls_mpi v; + mbedtls_mpi h; /* later recycled to hold r */ + size_t len; + + if( end < *p ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &V ); + mbedtls_mpi_init( &v ); + mbedtls_mpi_init( &h ); + + /* Compute signature */ + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( (mbedtls_ecp_group *) grp, + &v, &V, f_rng, p_rng ) ); /* TODO: wrong base point! */ + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */ + + /* Write it out */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V, + MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); + *p += len; + + len = mbedtls_mpi_size( &h ); /* actually r */ + if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + *(*p)++ = (unsigned char)( len & 0xFF ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */ + *p += len; + +cleanup: + mbedtls_ecp_point_free( &V ); + mbedtls_mpi_free( &v ); + mbedtls_mpi_free( &h ); + + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -169,6 +225,25 @@ static const unsigned char ecjpake_test_h[] = { 0x51, 0x69, 0xfe, 0xa7, 0xa3, 0xf7, 0x79, 0x10 }; +/* For tests we don't need a secure RNG; + * use the LGC from Numerical Recipes for simplicity */ +static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) +{ + static uint32_t x = 42; + (void) p; + + while( len > 0 ) + { + size_t use_len = len > 4 ? 4 : len; + x = 1664525 * x + 1013904223; + memcpy( out, &x, use_len ); + out += use_len; + len -= use_len; + } + + return( 0 ); +} + /* * Checkup routine */ @@ -177,8 +252,10 @@ int mbedtls_ecjpake_self_test( int verbose ) int ret; mbedtls_ecp_group grp; mbedtls_ecp_point G, V, X; - mbedtls_mpi h, h_ref; + mbedtls_mpi x, h, h_ref; const mbedtls_md_info_t *md_info; + unsigned char buf[1000]; + unsigned char *p; mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &G ); @@ -186,12 +263,15 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_ecp_point_init( &X ); mbedtls_mpi_init( &h_ref ); mbedtls_mpi_init( &h ); + mbedtls_mpi_init( &x ); + + /* Common to all tests */ + md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); + MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #1 (hash): " ); - md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); - MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &G, ecjpake_test_G, sizeof( ecjpake_test_G ) ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &V, ecjpake_test_V, @@ -212,6 +292,20 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n" ); + if( verbose != 0 ) + mbedtls_printf( " ECJPAKE test #2 (zkp, WIP): " ); + + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( &grp, &x, &X, + ecjpake_lgc, NULL ) ); + + p = buf; + MBEDTLS_MPI_CHK( ecjpake_write_zkp( md_info, &grp, &G, &x, &X, "client", + &p, buf + sizeof( buf ), + ecjpake_lgc, NULL ) ); + + if( verbose != 0 ) + mbedtls_printf( "passed\n" ); + cleanup: mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &G ); @@ -219,6 +313,7 @@ cleanup: mbedtls_ecp_point_free( &X ); mbedtls_mpi_free( &h_ref ); mbedtls_mpi_free( &h ); + mbedtls_mpi_free( &x ); if( ret != 0 ) { From d9a3f47ecd803262a1c3b527afabc8b2b54e824e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 11 Aug 2015 14:31:03 +0200 Subject: [PATCH 04/87] Add mbedtls_ecp_gen_keypair_base() --- include/mbedtls/ecp.h | 23 +++++++++++++++++++++++ library/ecp.c | 19 ++++++++++++++++--- 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 723e46c98..e82704083 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -569,6 +569,29 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_po */ int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d ); +/** + * \brief Generate a keypair with configurable base point + * + * \param grp ECP group + * \param G Chosen base point + * \param d Destination MPI (secret part) + * \param Q Destination point (public part) + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successful, + * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * + * \note Uses bare components rather than an mbedtls_ecp_keypair structure + * in order to ease use with other structures such as + * mbedtls_ecdh_context of mbedtls_ecdsa_context. + */ +int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_mpi *d, mbedtls_ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + /** * \brief Generate a keypair * diff --git a/library/ecp.c b/library/ecp.c index 858540be2..b21e69d4f 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1761,9 +1761,11 @@ int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi * } /* - * Generate a keypair + * Generate a keypair with configurable base point */ -int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, +int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { @@ -1835,7 +1837,18 @@ cleanup: if( ret != 0 ) return( ret ); - return( mbedtls_ecp_mul( grp, Q, d, &grp->G, f_rng, p_rng ) ); + return( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) ); +} + +/* + * Generate key pair, wrapper for conventional base point + */ +int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, + mbedtls_mpi *d, mbedtls_ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) ); } /* From c618195bc42279b0a3a7ee5396b45591badc195b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 11 Aug 2015 14:33:51 +0200 Subject: [PATCH 05/87] Fix base point in ecjpake_write_zkp() --- library/ecjpake.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 7dc780ca9..3046154f6 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -146,8 +146,8 @@ static int ecjpake_write_zkp( const mbedtls_md_info_t *md_info, mbedtls_mpi_init( &h ); /* Compute signature */ - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( (mbedtls_ecp_group *) grp, - &v, &V, f_rng, p_rng ) ); /* TODO: wrong base point! */ + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, + G, &v, &V, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ @@ -295,8 +295,8 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #2 (zkp, WIP): " ); - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( &grp, &x, &X, - ecjpake_lgc, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( &grp, &G, &x, &X, + ecjpake_lgc, NULL ) ); p = buf; MBEDTLS_MPI_CHK( ecjpake_write_zkp( md_info, &grp, &G, &x, &X, "client", From 6029a85572e194e66fcb280b6fadea28ac14e05d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 11 Aug 2015 15:44:41 +0200 Subject: [PATCH 06/87] Add ecjpake_zpk_read() Not really tested yet --- include/mbedtls/ecp.h | 15 +++++++++ library/ecjpake.c | 73 +++++++++++++++++++++++++++++++++++++++++-- library/ecp.c | 16 ++++++++++ 3 files changed, 101 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index e82704083..5246c789d 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -346,6 +346,21 @@ int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt ); */ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ); +/** + * \brief Compare two points + * + * \note This assumes the points are normalized. Otherwise, + * they may compare as "not equal" even if they are. + * + * \param P First point to compare + * \param Q Second point to compare + * + * \return 0 if the points are equal, + * MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise + */ +int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, + const mbedtls_ecp_point *Q ); + /** * \brief Import a non-zero point from two ASCII strings * diff --git a/library/ecjpake.c b/library/ecjpake.c index 3046154f6..328204cb2 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -121,7 +121,7 @@ cleanup: /* * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2) */ -static int ecjpake_write_zkp( const mbedtls_md_info_t *md_info, +static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, const mbedtls_ecp_point *G, const mbedtls_mpi *x, @@ -174,6 +174,69 @@ cleanup: return( ret ); } +/* + * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3) + */ +static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + const mbedtls_ecp_point *X, + const char *id, + unsigned char **p, + const unsigned char *end ) +{ + int ret; + mbedtls_ecp_point V, VV; + mbedtls_mpi r, h; + size_t r_len; + + mbedtls_ecp_point_init( &V ); + mbedtls_ecp_point_init( &VV ); + mbedtls_mpi_init( &r ); + mbedtls_mpi_init( &h ); + + /* + * struct { + * ECPoint V; + * opaque r<1..2^8-1>; + * } ECSchnorrZKP; + */ + if( end < *p ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, + (const unsigned char **) p, end - *p ) ); + + if( end < *p || (size_t)( end - *p ) < 1 ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + r_len = *(*p)++; + if( end < *p || (size_t)( end - *p ) < r_len ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r, *p, r_len ) ); + *p += r_len; + + /* + * Verification + */ + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp, + &VV, &h, X, &r, G ) ); + + if( mbedtls_ecp_point_cmp( &VV, &V ) != 0 ) + return( MBEDTLS_ERR_ECP_VERIFY_FAILED ); + +cleanup: + mbedtls_ecp_point_free( &V ); + mbedtls_ecp_point_free( &VV ); + mbedtls_mpi_free( &r ); + mbedtls_mpi_free( &h ); + + return( ret ); +} + + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -293,16 +356,20 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_printf( "passed\n" ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #2 (zkp, WIP): " ); + mbedtls_printf( " ECJPAKE test #2 (zkp write/read): " ); MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( &grp, &G, &x, &X, ecjpake_lgc, NULL ) ); p = buf; - MBEDTLS_MPI_CHK( ecjpake_write_zkp( md_info, &grp, &G, &x, &X, "client", + MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, &grp, &G, &x, &X, "client", &p, buf + sizeof( buf ), ecjpake_lgc, NULL ) ); + p = buf; + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &G, &X, "client", + &p, buf + sizeof( buf ) ) ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); diff --git a/library/ecp.c b/library/ecp.c index b21e69d4f..54f51ab50 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -402,6 +402,22 @@ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt ) return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 ); } +/* + * Compare two points lazyly + */ +int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P, + const mbedtls_ecp_point *Q ) +{ + if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 && + mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 && + mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 ) + { + return( 0 ); + } + + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); +} + /* * Import a non-zero point from ASCII strings */ From 967cd7192d09970b824bc99c4dee36c5ae0063e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 10:09:55 +0200 Subject: [PATCH 07/87] Add test vector for ZKP verification --- library/ecjpake.c | 91 ++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 52 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 328204cb2..6f6143371 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -255,37 +255,25 @@ int mbedtls_ecjpake_self_test( int verbose ) } #else -static const unsigned char ecjpake_test_G[] = { - 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, - 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, - 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, - 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, - 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, - 0x68, 0x37, 0xbf, 0x51, 0xf5 -}; - -static const unsigned char ecjpake_test_V[] = { - 0x04, 0xfa, 0x9a, 0x24, 0x9d, 0x73, 0x6e, 0x30, 0x28, 0xd1, 0x2d, 0xf1, - 0xdc, 0xfa, 0x22, 0xd1, 0xed, 0x62, 0x82, 0xbf, 0xab, 0x27, 0x7c, 0x7c, - 0x52, 0x56, 0xf3, 0xfd, 0x38, 0x07, 0xa5, 0xae, 0xe0, 0x72, 0xfb, 0x4d, - 0x9c, 0x2b, 0xd6, 0xa4, 0x70, 0xf7, 0xb4, 0xd0, 0xbd, 0xfb, 0x4a, 0x94, - 0x96, 0xcf, 0xcd, 0xd3, 0x53, 0xf9, 0x90, 0x3c, 0x0a, 0x69, 0xa4, 0x4b, - 0x18, 0xc6, 0xd2, 0x9b, 0xb8 -}; - static const unsigned char ecjpake_test_X[] = { - 0x04, 0x52, 0xa4, 0xda, 0x90, 0xa5, 0x15, 0x7f, 0xc0, 0xe5, 0x1f, 0x79, - 0x4b, 0xe3, 0xbb, 0x3f, 0x1d, 0xf8, 0xdf, 0xb1, 0xe3, 0x18, 0xa8, 0x10, - 0xf2, 0x05, 0x2e, 0x64, 0xa8, 0xe8, 0x35, 0x64, 0xe8, 0xe2, 0x8c, 0x17, - 0x15, 0xab, 0xf7, 0x8d, 0x1f, 0x8b, 0x18, 0x99, 0x6d, 0x6a, 0xb7, 0xbd, - 0xcc, 0xbe, 0x52, 0x08, 0x1a, 0x3a, 0xe7, 0x65, 0x4b, 0xdf, 0x66, 0x62, - 0xf5, 0x74, 0xe0, 0xfd, 0x80 + 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, + 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, + 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, 0xa7, + 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62, 0x1f, + 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9, 0x06, + 0x07, 0x31, 0xf6, 0x94, 0xa4 }; -static const unsigned char ecjpake_test_h[] = { - 0xec, 0xf3, 0x24, 0x46, 0x16, 0xce, 0xa5, 0x34, 0x58, 0x46, 0xd2, 0x45, - 0xba, 0x27, 0x63, 0x36, 0x50, 0xc4, 0x70, 0x3d, 0x56, 0x0c, 0x7a, 0x7c, - 0x51, 0x69, 0xfe, 0xa7, 0xa3, 0xf7, 0x79, 0x10 +static const unsigned char ecjpake_test_zkp[] = { + 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d, 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, + 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e, 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, + 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e, 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, + 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73, 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, + 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22, 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, + 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce, 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, + 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00, 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, + 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b, 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, + 0x98, 0x34, 0x58 }; /* For tests we don't need a secure RNG; @@ -314,18 +302,15 @@ int mbedtls_ecjpake_self_test( int verbose ) { int ret; mbedtls_ecp_group grp; - mbedtls_ecp_point G, V, X; - mbedtls_mpi x, h, h_ref; + mbedtls_ecp_point X; + mbedtls_mpi x; const mbedtls_md_info_t *md_info; unsigned char buf[1000]; unsigned char *p; + const unsigned char *end; mbedtls_ecp_group_init( &grp ); - mbedtls_ecp_point_init( &G ); - mbedtls_ecp_point_init( &V ); mbedtls_ecp_point_init( &X ); - mbedtls_mpi_init( &h_ref ); - mbedtls_mpi_init( &h ); mbedtls_mpi_init( &x ); /* Common to all tests */ @@ -333,24 +318,30 @@ int mbedtls_ecjpake_self_test( int verbose ) MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (hash): " ); + mbedtls_printf( " ECJPAKE test #1 (zkp read): " ); - MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &G, ecjpake_test_G, - sizeof( ecjpake_test_G ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &V, ecjpake_test_V, - sizeof( ecjpake_test_V ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &X, ecjpake_test_X, - sizeof( ecjpake_test_X ) ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &h_ref, ecjpake_test_h, - sizeof( ecjpake_test_h ) ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &X, + ecjpake_test_X, + sizeof( ecjpake_test_X ) ) ); - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, &grp, &G, &V, &X, "client", &h ) ); + p = (unsigned char *) ecjpake_test_zkp; + end = ecjpake_test_zkp + sizeof( ecjpake_test_zkp ); + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", + &p, end ) ); - if( mbedtls_mpi_cmp_mpi( &h, &h_ref ) != 0 ) + /* Corrupt proof */ + memcpy( buf, ecjpake_test_zkp, sizeof( ecjpake_test_zkp ) ); + buf[sizeof( ecjpake_test_zkp ) - 1]--; + p = buf; + end = buf + sizeof( ecjpake_test_zkp ); + ret = ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", &p, end ); + + if( ret != MBEDTLS_ERR_ECP_VERIFY_FAILED ) { ret = 1; goto cleanup; } + ret = 0; if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -358,16 +349,16 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #2 (zkp write/read): " ); - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( &grp, &G, &x, &X, + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( &grp, &grp.G, &x, &X, ecjpake_lgc, NULL ) ); p = buf; - MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, &grp, &G, &x, &X, "client", + MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, &grp, &grp.G, &x, &X, "client", &p, buf + sizeof( buf ), ecjpake_lgc, NULL ) ); p = buf; - MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &G, &X, "client", + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", &p, buf + sizeof( buf ) ) ); if( verbose != 0 ) @@ -375,11 +366,7 @@ int mbedtls_ecjpake_self_test( int verbose ) cleanup: mbedtls_ecp_group_free( &grp ); - mbedtls_ecp_point_free( &G ); - mbedtls_ecp_point_free( &V ); mbedtls_ecp_point_free( &X ); - mbedtls_mpi_free( &h_ref ); - mbedtls_mpi_free( &h ); mbedtls_mpi_free( &x ); if( ret != 0 ) From b1b250b68c63fca582cd5990e1ad42cb9ad76241 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 11:01:58 +0200 Subject: [PATCH 08/87] Add ecjpake_kkp_read/write() --- library/ecjpake.c | 159 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 112 insertions(+), 47 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 6f6143371..57afb45f0 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -236,6 +236,72 @@ cleanup: return( ret ); } +/* + * Parse verify a ECJPAKEKeyKP (7.4.2.2.1) + * Output: public key X + */ +static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_ecp_point *X, + const char *id, + unsigned char **p, + const unsigned char *end ) +{ + int ret; + + if( end < *p ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + /* + * struct { + * ECPoint X; + * ECSchnorrZKP zkp; + * } ECJPAKEKeyKP; + */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, + (const unsigned char **) p, end - *p ) ); + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, G, X, id, p, end ) ); + +cleanup: + return( ret ); +} + +/* + * Generate an ECJPAKEKeyKP + * Output: the serialized structure, plus private/public key pair + */ +static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_mpi *x, + mbedtls_ecp_point *X, + const char *id, + unsigned char **p, + const unsigned char *end, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + size_t len; + + if( end < *p ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + /* Generate key (7.4.2.3.1) and write it out */ + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, x, X, + f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, X, + MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); + *p += len; + + /* Generate and write proof */ + MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, G, x, X, id, + p, end, f_rng, p_rng ) ); + +cleanup: + return( ret ); +} #if defined(MBEDTLS_SELF_TEST) @@ -255,25 +321,21 @@ int mbedtls_ecjpake_self_test( int verbose ) } #else -static const unsigned char ecjpake_test_X[] = { - 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, - 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, - 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, 0xa7, - 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62, 0x1f, - 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9, 0x06, - 0x07, 0x31, 0xf6, 0x94, 0xa4 -}; - -static const unsigned char ecjpake_test_zkp[] = { - 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d, 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, - 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e, 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, - 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e, 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, - 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73, 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, - 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22, 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, - 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce, 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, - 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00, 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, - 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b, 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, - 0x98, 0x34, 0x58 +static const unsigned char ecjpake_test_kkp[] = { + 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, + 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, + 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, + 0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62, + 0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9, + 0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d, + 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e, + 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e, + 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73, + 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22, + 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce, + 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00, + 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b, + 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58 }; /* For tests we don't need a secure RNG; @@ -295,6 +357,17 @@ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) return( 0 ); } +#define TEST_ASSERT( x ) \ + do { \ + if( x ) \ + ret = 0; \ + else \ + { \ + ret = 1; \ + goto cleanup; \ + } \ + } while( 0 ) + /* * Checkup routine */ @@ -318,48 +391,38 @@ int mbedtls_ecjpake_self_test( int verbose ) MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (zkp read): " ); + mbedtls_printf( " ECJPAKE test #1 (kkp read): " ); - MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &grp, &X, - ecjpake_test_X, - sizeof( ecjpake_test_X ) ) ); - - p = (unsigned char *) ecjpake_test_zkp; - end = ecjpake_test_zkp + sizeof( ecjpake_test_zkp ); - MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", + p = (unsigned char *) ecjpake_test_kkp; + end = ecjpake_test_kkp + sizeof( ecjpake_test_kkp ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", &p, end ) ); - /* Corrupt proof */ - memcpy( buf, ecjpake_test_zkp, sizeof( ecjpake_test_zkp ) ); - buf[sizeof( ecjpake_test_zkp ) - 1]--; - p = buf; - end = buf + sizeof( ecjpake_test_zkp ); - ret = ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", &p, end ); + TEST_ASSERT( p == end ); - if( ret != MBEDTLS_ERR_ECP_VERIFY_FAILED ) - { - ret = 1; - goto cleanup; - } - ret = 0; + /* Corrupt proof */ + memcpy( buf, ecjpake_test_kkp, sizeof( ecjpake_test_kkp ) ); + buf[sizeof( ecjpake_test_kkp ) - 1]--; + p = buf; + end = buf + sizeof( ecjpake_test_kkp ); + ret = ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", &p, end ); + + TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #2 (zkp write/read): " ); - - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( &grp, &grp.G, &x, &X, - ecjpake_lgc, NULL ) ); + mbedtls_printf( " ECJPAKE test #2 (kkp write/read): " ); p = buf; - MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, &grp, &grp.G, &x, &X, "client", + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, &grp, &grp.G, &x, &X, "client", &p, buf + sizeof( buf ), ecjpake_lgc, NULL ) ); - + end = p; p = buf; - MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, &grp, &grp.G, &X, "client", - &p, buf + sizeof( buf ) ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", + &p, end ) ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -383,6 +446,8 @@ cleanup: return( ret ); } +#undef TEST_ASSERT + #endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_SELF_TEST */ From 4f2cd95e1d1a371d4be84030d26ca2c1863b1878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 11:17:55 +0200 Subject: [PATCH 09/87] Fix potential memory leaks --- library/ecjpake.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 57afb45f0..19f964f5c 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -160,7 +160,10 @@ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, len = mbedtls_mpi_size( &h ); /* actually r */ if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 ) - return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + { + ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + goto cleanup; + } *(*p)++ = (unsigned char)( len & 0xFF ); MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */ @@ -208,11 +211,17 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, (const unsigned char **) p, end - *p ) ); if( end < *p || (size_t)( end - *p ) < 1 ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + { + ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + goto cleanup; + } r_len = *(*p)++; if( end < *p || (size_t)( end - *p ) < r_len ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + { + ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + goto cleanup; + } MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r, *p, r_len ) ); *p += r_len; @@ -225,7 +234,10 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, &VV, &h, X, &r, G ) ); if( mbedtls_ecp_point_cmp( &VV, &V ) != 0 ) - return( MBEDTLS_ERR_ECP_VERIFY_FAILED ); + { + ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; + goto cleanup; + } cleanup: mbedtls_ecp_point_free( &V ); From 082767ff0c2b1f3d7bcc83393c6899320853d385 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 14:43:57 +0200 Subject: [PATCH 10/87] Add ecjpake_kkpp_read/write --- library/ecjpake.c | 151 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 115 insertions(+), 36 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 19f964f5c..9e074c9cf 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -249,8 +249,8 @@ cleanup: } /* - * Parse verify a ECJPAKEKeyKP (7.4.2.2.1) - * Output: public key X + * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof + * Output: verified public key X */ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, @@ -315,6 +315,71 @@ cleanup: return( ret ); } +/* + * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs + * Ouputs: verified peer public keys Xa, Xb + */ +static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_ecp_point *Xa, + mbedtls_ecp_point *Xb, + const char *id, + const unsigned char *buf, + size_t len ) +{ + int ret; + unsigned char *p = (unsigned char *) buf; + const unsigned char *end = buf + len; + + /* + * struct { + * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2]; + * } ECJPAKEKeyKPPairList; + */ + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, G, Xa, id, &p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, G, Xb, id, &p, end ) ); + + if( p != end ) + ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + +cleanup: + return( ret ); +} + +/* + * Generate a ECJPAKEKeyKPPairList + * Outputs: the serialized structure, plus two private/public key pairs + */ +static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + mbedtls_mpi *xa, + mbedtls_ecp_point *Xa, + mbedtls_mpi *xb, + mbedtls_ecp_point *Xb, + const char *id, + unsigned char *buf, + size_t len, + size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + unsigned char *p = buf; + const unsigned char *end = buf + len; + + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xa, Xa, id, + &p, end, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xb, Xb, id, + &p, end, f_rng, p_rng ) ); + + *olen = p - buf; + +cleanup: + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -333,7 +398,7 @@ int mbedtls_ecjpake_self_test( int verbose ) } #else -static const unsigned char ecjpake_test_kkp[] = { +static const unsigned char ecjpake_test_kkpp[] = { 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, @@ -347,7 +412,21 @@ static const unsigned char ecjpake_test_kkp[] = { 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce, 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00, 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b, - 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58 + 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e, + 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62, + 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5, + 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb, + 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35, + 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0, + 0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb, + 0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47, + 0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39, + 0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97, + 0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40, + 0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d, + 0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa, + 0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d, + 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0 }; /* For tests we don't need a secure RNG; @@ -387,62 +466,62 @@ int mbedtls_ecjpake_self_test( int verbose ) { int ret; mbedtls_ecp_group grp; - mbedtls_ecp_point X; - mbedtls_mpi x; + mbedtls_ecp_point Xa, Xb; + mbedtls_mpi xa, xb; const mbedtls_md_info_t *md_info; unsigned char buf[1000]; - unsigned char *p; - const unsigned char *end; + size_t len; mbedtls_ecp_group_init( &grp ); - mbedtls_ecp_point_init( &X ); - mbedtls_mpi_init( &x ); + mbedtls_ecp_point_init( &Xa ); + mbedtls_ecp_point_init( &Xb ); + mbedtls_mpi_init( &xa ); + mbedtls_mpi_init( &xb ); /* Common to all tests */ md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (kkp read): " ); + mbedtls_printf( " ECJPAKE test #1 (kkpp read): " ); - p = (unsigned char *) ecjpake_test_kkp; - end = ecjpake_test_kkp + sizeof( ecjpake_test_kkp ); - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", - &p, end ) ); + TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, + &Xa, &Xb, "client", + ecjpake_test_kkpp, + sizeof( ecjpake_test_kkpp ) ) == 0 ); - TEST_ASSERT( p == end ); - - /* Corrupt proof */ - memcpy( buf, ecjpake_test_kkp, sizeof( ecjpake_test_kkp ) ); - buf[sizeof( ecjpake_test_kkp ) - 1]--; - p = buf; - end = buf + sizeof( ecjpake_test_kkp ); - ret = ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", &p, end ); - - TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED ); + /* Corrupt message */ + memcpy( buf, ecjpake_test_kkpp, sizeof( ecjpake_test_kkpp ) ); + buf[sizeof( ecjpake_test_kkpp ) - 1]--; + TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, + &Xa, &Xb, "client", + buf, sizeof( ecjpake_test_kkpp ) ) + == MBEDTLS_ERR_ECP_VERIFY_FAILED ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #2 (kkp write/read): " ); + mbedtls_printf( " ECJPAKE test #2 (kkpp write/read): " ); - p = buf; - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, &grp, &grp.G, &x, &X, "client", - &p, buf + sizeof( buf ), - ecjpake_lgc, NULL ) ); - end = p; - p = buf; - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, &grp, &grp.G, &X, "client", - &p, end ) ); + TEST_ASSERT( ecjpake_kkpp_write( md_info, &grp, &grp.G, + &xa, &Xa, &xb, &Xb, "client", + buf, sizeof( buf ), &len, + ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, + &Xa, &Xb, "client", + buf, len ) == 0 ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); cleanup: mbedtls_ecp_group_free( &grp ); - mbedtls_ecp_point_free( &X ); - mbedtls_mpi_free( &x ); + mbedtls_ecp_point_free( &Xa ); + mbedtls_ecp_point_free( &Xb ); + mbedtls_mpi_free( &xa ); + mbedtls_mpi_free( &xb ); if( ret != 0 ) { From 9028c5af9a61b9113edff8c6d0bcad767ebdb459 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 14:51:36 +0200 Subject: [PATCH 11/87] Improve const correctness of read() functions --- library/ecjpake.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 9e074c9cf..f56142cc9 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -185,7 +185,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_point *G, const mbedtls_ecp_point *X, const char *id, - unsigned char **p, + const unsigned char **p, const unsigned char *end ) { int ret; @@ -207,8 +207,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, if( end < *p ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, - (const unsigned char **) p, end - *p ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, p, end - *p ) ); if( end < *p || (size_t)( end - *p ) < 1 ) { @@ -217,6 +216,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, } r_len = *(*p)++; + if( end < *p || (size_t)( end - *p ) < r_len ) { ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; @@ -257,7 +257,7 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_point *G, mbedtls_ecp_point *X, const char *id, - unsigned char **p, + const unsigned char **p, const unsigned char *end ) { int ret; @@ -271,8 +271,7 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, * ECSchnorrZKP zkp; * } ECJPAKEKeyKP; */ - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, - (const unsigned char **) p, end - *p ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, p, end - *p ) ); MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, G, X, id, p, end ) ); cleanup: @@ -329,7 +328,7 @@ static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, size_t len ) { int ret; - unsigned char *p = (unsigned char *) buf; + const unsigned char *p = buf; const unsigned char *end = buf + len; /* From 3aed1851b384cc09355fe1f5218a5246f84e3e3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 14:53:56 +0200 Subject: [PATCH 12/87] Re-order functions. Use the same order for all read-write pair of functions --- library/ecjpake.c | 118 +++++++++++++++++++++++----------------------- 1 file changed, 59 insertions(+), 59 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index f56142cc9..a61c146eb 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -118,65 +118,6 @@ cleanup: return( ret ); } -/* - * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2) - */ -static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, - const mbedtls_ecp_group *grp, - const mbedtls_ecp_point *G, - const mbedtls_mpi *x, - const mbedtls_ecp_point *X, - const char *id, - unsigned char **p, - const unsigned char *end, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) -{ - int ret; - mbedtls_ecp_point V; - mbedtls_mpi v; - mbedtls_mpi h; /* later recycled to hold r */ - size_t len; - - if( end < *p ) - return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); - - mbedtls_ecp_point_init( &V ); - mbedtls_mpi_init( &v ); - mbedtls_mpi_init( &h ); - - /* Compute signature */ - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, - G, &v, &V, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */ - - /* Write it out */ - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V, - MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); - *p += len; - - len = mbedtls_mpi_size( &h ); /* actually r */ - if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 ) - { - ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; - goto cleanup; - } - - *(*p)++ = (unsigned char)( len & 0xFF ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */ - *p += len; - -cleanup: - mbedtls_ecp_point_free( &V ); - mbedtls_mpi_free( &v ); - mbedtls_mpi_free( &h ); - - return( ret ); -} - /* * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3) */ @@ -248,6 +189,65 @@ cleanup: return( ret ); } +/* + * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2) + */ +static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, + const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *G, + const mbedtls_mpi *x, + const mbedtls_ecp_point *X, + const char *id, + unsigned char **p, + const unsigned char *end, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_ecp_point V; + mbedtls_mpi v; + mbedtls_mpi h; /* later recycled to hold r */ + size_t len; + + if( end < *p ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &V ); + mbedtls_mpi_init( &v ); + mbedtls_mpi_init( &h ); + + /* Compute signature */ + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, + G, &v, &V, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */ + + /* Write it out */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V, + MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); + *p += len; + + len = mbedtls_mpi_size( &h ); /* actually r */ + if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 ) + { + ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + goto cleanup; + } + + *(*p)++ = (unsigned char)( len & 0xFF ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */ + *p += len; + +cleanup: + mbedtls_ecp_point_free( &V ); + mbedtls_mpi_free( &v ); + mbedtls_mpi_free( &h ); + + return( ret ); +} + /* * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof * Output: verified public key X From 7af8bc10079153e2aed0d02dae846b99319e0f32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 16:58:50 +0200 Subject: [PATCH 13/87] Start introducing mbedtls_ecjpake_context --- include/mbedtls/ecjpake.h | 46 +++++++++++++++++++++++++++++++ library/ecjpake.c | 58 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 57f4b15e4..0b20ff6dd 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -30,6 +30,52 @@ extern "C" { #endif +typedef struct +{ + const mbedtls_md_info_t *md_info; /**< Hash to use */ + mbedtls_ecp_group grp; /**< Elliptic curve */ + + mbedtls_ecp_point X1; /**< Public key one */ + mbedtls_ecp_point X2; /**< Public key two */ + mbedtls_ecp_point X3; /**< Public key three */ + mbedtls_ecp_point X4; /**< Public key four */ + + mbedtls_mpi xa; /**< Our first secret (x1 or x3) */ + mbedtls_mpi xb; /**< Our second secret (x2 or x4) */ +} mbedtls_ecjpake_context; + +/* + * \brief Initialize a context + * (just makes it ready for setup() or free()). + * + * \param ctx context to initialize + */ +void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); + +/* + * \brief Free a context's content + * + * \param ctx context to free + */ +void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); + +/* + * \brief Set up a context for use + * + * \note Currently the only values for hash/curve allowed by the + * standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1. + * + * \param ctx context to set up + * \param hash hash function to use (MBEDTLS_MD_XXX) + * \param curve elliptic curve identifier (MBEDTLS_ECP_DP_XXX) + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, + mbedtls_md_type_t hash, + mbedtls_ecp_group_id curve ); + #if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine diff --git a/library/ecjpake.c b/library/ecjpake.c index a61c146eb..678112c57 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -36,6 +36,64 @@ #include +/* + * Initialize context + */ +void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) +{ + if( ctx == NULL ) + return; + + ctx->md_info = NULL; + mbedtls_ecp_group_init( &ctx->grp ); + + mbedtls_ecp_point_init( &ctx->X1 ); + mbedtls_ecp_point_init( &ctx->X2 ); + mbedtls_ecp_point_init( &ctx->X3 ); + mbedtls_ecp_point_init( &ctx->X4 ); + + mbedtls_mpi_init( &ctx->xa ); + mbedtls_mpi_init( &ctx->xb ); +} + +/* + * Free context + */ +void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) +{ + if( ctx == NULL ) + return; + + ctx->md_info = NULL; + mbedtls_ecp_group_free( &ctx->grp ); + + mbedtls_ecp_point_free( &ctx->X1 ); + mbedtls_ecp_point_free( &ctx->X2 ); + mbedtls_ecp_point_free( &ctx->X3 ); + mbedtls_ecp_point_free( &ctx->X4 ); + + mbedtls_mpi_free( &ctx->xa ); + mbedtls_mpi_free( &ctx->xb ); +} + +/* + * Setup context + */ +int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, + mbedtls_md_type_t hash, + mbedtls_ecp_group_id curve ) +{ + int ret; + + if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL ) + return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); + + if( ( ret = mbedtls_ecp_group_load( &ctx->grp, curve ) ) != 0 ) + return( ret ); + + return( 0 ); +} + /* * Write a point plus its length to a buffer */ From 4e8bc78ad965f0d15b686376313ea79729135619 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Aug 2015 20:50:31 +0200 Subject: [PATCH 14/87] Add context-using functions for Hello extensions Also re-order functions in the header so that they appear in the order they're use, ie free() last. --- include/mbedtls/ecjpake.h | 80 +++++++++++++++++++++++++++++++---- library/ecjpake.c | 88 +++++++++++++++++++++++++++------------ 2 files changed, 134 insertions(+), 34 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 0b20ff6dd..37aff6c68 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -52,13 +52,6 @@ typedef struct */ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); -/* - * \brief Free a context's content - * - * \param ctx context to free - */ -void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); - /* * \brief Set up a context for use * @@ -76,6 +69,79 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, mbedtls_md_type_t hash, mbedtls_ecp_group_id curve ); +/* + * \brief Generate and write contents of ClientHello extension + * (excluding extension type and length bytes) + * + * \param ctx Context to use + * \param buf Buffer to write the contents to + * \param len Buffer size + * \param olen Will be updated with the number of bytes written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); +/* + * \brief Read and process contents of the ClientHello extension + * (excluding extension type and length bytes) + * + * \param ctx Context to use + * \param buf Pointer to extension contents + * \param len Extension length + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ); + +/* + * \brief Generate and write contents of ServerHello extension + * (excluding extension type and length bytes) + * + * \param ctx Context to use + * \param buf Buffer to write the contents to + * \param len Buffer size + * \param olen Will be updated with the number of bytes written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); +/* + * \brief Read and process contents of the ServerHello extension + * (excluding extension type and length bytes) + * + * \param ctx Context to use + * \param buf Pointer to extension contents + * \param len Extension length + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ); + +/* + * \brief Free a context's content + * + * \param ctx context to free + */ +void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); + #if defined(MBEDTLS_SELF_TEST) /** * \brief Checkup routine diff --git a/library/ecjpake.c b/library/ecjpake.c index 678112c57..922be205f 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -437,6 +437,56 @@ cleanup: return( ret ); } +/* + * Read the contents of the ClientHello extension + */ +int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ) +{ + return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, + &ctx->X1, &ctx->X2, "client", + buf, len ) ); +} + +/* + * Read the contents of the ServerHello extension + */ +int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ) +{ + return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, + &ctx->X3, &ctx->X4, "server", + buf, len ) ); +} + +/* + * Generate the contents of the ClientHello extension + */ +int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, + &ctx->xa, &ctx->X1, &ctx->xb, &ctx->X2, + "client", buf, len, olen, f_rng, p_rng ) ); +} + +/* + * Generate the contents of the ServerHello extension + */ +int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, + &ctx->xa, &ctx->X3, &ctx->xb, &ctx->X4, + "server", buf, len, olen, f_rng, p_rng ) ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -522,36 +572,27 @@ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) int mbedtls_ecjpake_self_test( int verbose ) { int ret; - mbedtls_ecp_group grp; - mbedtls_ecp_point Xa, Xb; - mbedtls_mpi xa, xb; - const mbedtls_md_info_t *md_info; + mbedtls_ecjpake_context ctx; unsigned char buf[1000]; size_t len; - mbedtls_ecp_group_init( &grp ); - mbedtls_ecp_point_init( &Xa ); - mbedtls_ecp_point_init( &Xb ); - mbedtls_mpi_init( &xa ); - mbedtls_mpi_init( &xb ); + mbedtls_ecjpake_init( &ctx ); /* Common to all tests */ - md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); - MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP256R1 ) ); + TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_MD_SHA256, + MBEDTLS_ECP_DP_SECP256R1 ) == 0 ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (kkpp read): " ); + mbedtls_printf( " ECJPAKE test #1 (client ext read): " ); - TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, - &Xa, &Xb, "client", + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, ecjpake_test_kkpp, sizeof( ecjpake_test_kkpp ) ) == 0 ); /* Corrupt message */ memcpy( buf, ecjpake_test_kkpp, sizeof( ecjpake_test_kkpp ) ); buf[sizeof( ecjpake_test_kkpp ) - 1]--; - TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, - &Xa, &Xb, "client", + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, buf, sizeof( ecjpake_test_kkpp ) ) == MBEDTLS_ERR_ECP_VERIFY_FAILED ); @@ -559,26 +600,19 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_printf( "passed\n" ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #2 (kkpp write/read): " ); + mbedtls_printf( " ECJPAKE test #2 (client ext write/read): " ); - TEST_ASSERT( ecjpake_kkpp_write( md_info, &grp, &grp.G, - &xa, &Xa, &xb, &Xb, "client", + TEST_ASSERT( mbedtls_ecjpake_tls_write_client_ext( &ctx, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( ecjpake_kkpp_read( md_info, &grp, &grp.G, - &Xa, &Xb, "client", - buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, buf, len ) == 0 ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); cleanup: - mbedtls_ecp_group_free( &grp ); - mbedtls_ecp_point_free( &Xa ); - mbedtls_ecp_point_free( &Xb ); - mbedtls_mpi_free( &xa ); - mbedtls_mpi_free( &xb ); + mbedtls_ecjpake_free( &ctx ); if( ret != 0 ) { From 23dcbe3f16e2f0af3d63115af7e0c5b2226748c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 09:37:00 +0200 Subject: [PATCH 15/87] Add support for passphrase in the context --- include/mbedtls/ecjpake.h | 8 +++++++- library/ecjpake.c | 25 +++++++++++++++++++------ 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 37aff6c68..1ffdf60f6 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -42,6 +42,8 @@ typedef struct mbedtls_mpi xa; /**< Our first secret (x1 or x3) */ mbedtls_mpi xb; /**< Our second secret (x2 or x4) */ + + mbedtls_mpi s; /**< Pre-shared secret */ } mbedtls_ecjpake_context; /* @@ -61,13 +63,17 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param ctx context to set up * \param hash hash function to use (MBEDTLS_MD_XXX) * \param curve elliptic curve identifier (MBEDTLS_ECP_DP_XXX) + * \param secret shared secret + * \param len length of the shared secret * * \return 0 if successfull, * a negative error code otherwise */ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, mbedtls_md_type_t hash, - mbedtls_ecp_group_id curve ); + mbedtls_ecp_group_id curve, + const unsigned char *secret, + size_t len ); /* * \brief Generate and write contents of ClientHello extension diff --git a/library/ecjpake.c b/library/ecjpake.c index 922be205f..47779fc09 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -54,6 +54,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) mbedtls_mpi_init( &ctx->xa ); mbedtls_mpi_init( &ctx->xb ); + mbedtls_mpi_init( &ctx->s ); } /* @@ -74,6 +75,7 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) mbedtls_mpi_free( &ctx->xa ); mbedtls_mpi_free( &ctx->xb ); + mbedtls_mpi_free( &ctx->s ); } /* @@ -81,17 +83,25 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) */ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, mbedtls_md_type_t hash, - mbedtls_ecp_group_id curve ) + mbedtls_ecp_group_id curve, + const unsigned char *secret, + size_t len ) { int ret; if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL ) return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); - if( ( ret = mbedtls_ecp_group_load( &ctx->grp, curve ) ) != 0 ) - return( ret ); + MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) ); - return( 0 ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->s, secret, len ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->s, &ctx->s, &ctx->grp.N ) ); + +cleanup: + if( ret != 0 ) + mbedtls_ecjpake_free( ctx ); + + return( ret ); } /* @@ -575,12 +585,15 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_ecjpake_context ctx; unsigned char buf[1000]; size_t len; + char secret[] = "test passphrase"; mbedtls_ecjpake_init( &ctx ); /* Common to all tests */ - TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_MD_SHA256, - MBEDTLS_ECP_DP_SECP256R1 ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, + (const unsigned char *) secret, + sizeof( secret ) - 1 ) == 0 ); if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #1 (client ext read): " ); From cb7cd03412f51ce5d0caa240a35fe47e5bc4488e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 10:09:10 +0200 Subject: [PATCH 16/87] Add first draft or read_server_params --- include/mbedtls/ecjpake.h | 36 +++++++++ library/ecjpake.c | 150 ++++++++++++++++++++++++++++++++------ 2 files changed, 163 insertions(+), 23 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 1ffdf60f6..6cad35fc5 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -39,6 +39,7 @@ typedef struct mbedtls_ecp_point X2; /**< Public key two */ mbedtls_ecp_point X3; /**< Public key three */ mbedtls_ecp_point X4; /**< Public key four */ + mbedtls_ecp_point Xp; /**< Peer's public key (Xs or Xc) */ mbedtls_mpi xa; /**< Our first secret (x1 or x3) */ mbedtls_mpi xb; /**< Our second secret (x2 or x4) */ @@ -126,6 +127,7 @@ int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); + /* * \brief Read and process contents of the ServerHello extension * (excluding extension type and length bytes) @@ -141,6 +143,40 @@ int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); +/* + * \brief Generate and write ServerECJPAKEParams + * (the contents for the ServerKeyExchange) + * + * \param ctx Context to use + * \param buf Buffer to write the contents to + * \param len Buffer size + * \param olen Will be updated with the number of bytes written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/* + * \brief Read and process ServerECJPAKEParams + * (the contents for the ServerKeyExchange) + * + * \param ctx Context to use + * \param buf Pointer to the message + * \param len Message length + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ); + /* * \brief Free a context's content * diff --git a/library/ecjpake.c b/library/ecjpake.c index 47779fc09..b80ca1a06 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -51,6 +51,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) mbedtls_ecp_point_init( &ctx->X2 ); mbedtls_ecp_point_init( &ctx->X3 ); mbedtls_ecp_point_init( &ctx->X4 ); + mbedtls_ecp_point_init( &ctx->Xp ); mbedtls_mpi_init( &ctx->xa ); mbedtls_mpi_init( &ctx->xb ); @@ -72,6 +73,7 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) mbedtls_ecp_point_free( &ctx->X2 ); mbedtls_ecp_point_free( &ctx->X3 ); mbedtls_ecp_point_free( &ctx->X4 ); + mbedtls_ecp_point_free( &ctx->Xp ); mbedtls_mpi_free( &ctx->xa ); mbedtls_mpi_free( &ctx->xb ); @@ -497,6 +499,67 @@ int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, "server", buf, len, olen, f_rng, p_rng ) ); } +/* + * Read and process ServerECJPAKEParams (7.4.2.5) + */ +int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ) +{ + int ret; + const unsigned char *p = buf; + const unsigned char *end = buf + len; + mbedtls_ecp_group grp; + mbedtls_ecp_point GB; + mbedtls_mpi one; + + mbedtls_ecp_group_init( &grp ); + mbedtls_ecp_point_init( &GB ); + mbedtls_mpi_init( &one ); + + /* + * We need that before parsing in order to check Xs as we read it + * GB = X1 + X2 + X3 (7.4.2.5.1) + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &GB, &one, &ctx->X1, + &one, &ctx->X2 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &GB, &one, &GB, + &one, &ctx->X3 ) ); + + /* + * struct { + * ECParameters curve_params; + * ECJPAKEKeyKP ecjpake_key_kp; + * } ServerECJPAKEParams; + */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, + &GB, &ctx->Xp, "server", &p, end ) ); + + if( p != end ) + { + ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + goto cleanup; + } + + /* + * Xs already checked, only thing left to check is the group + */ + if( grp.id != ctx->grp.id ) + { + ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + goto cleanup; + } + +cleanup: + mbedtls_ecp_group_free( &grp ); + mbedtls_ecp_point_free( &GB ); + mbedtls_mpi_free( &one ); + + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -515,7 +578,7 @@ int mbedtls_ecjpake_self_test( int verbose ) } #else -static const unsigned char ecjpake_test_kkpp[] = { +static const unsigned char ecjpake_test_cli_ext[] = { 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, @@ -546,6 +609,55 @@ static const unsigned char ecjpake_test_kkpp[] = { 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0 }; +static const unsigned char ecjpake_test_srv_ext[] = { + 0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, + 0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, + 0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, + 0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, + 0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, + 0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d, + 0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64, + 0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36, + 0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2, + 0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec, + 0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16, + 0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96, + 0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3, + 0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19, + 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f, + 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8, + 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7, + 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea, + 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5, + 0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6, + 0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31, + 0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d, + 0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8, + 0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee, + 0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84, + 0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f, + 0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80, + 0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12 +}; + +static const unsigned char ecjpake_test_srv_kx[] = { + 0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23, + 0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c, + 0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f, + 0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca, + 0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26, + 0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55, + 0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38, + 0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6, + 0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9, + 0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4, + 0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2, + 0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8, + 0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd, + 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c +}; + +#if 0 /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) @@ -564,6 +676,7 @@ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) return( 0 ); } +#endif #define TEST_ASSERT( x ) \ do { \ @@ -583,8 +696,6 @@ int mbedtls_ecjpake_self_test( int verbose ) { int ret; mbedtls_ecjpake_context ctx; - unsigned char buf[1000]; - size_t len; char secret[] = "test passphrase"; mbedtls_ecjpake_init( &ctx ); @@ -596,30 +707,23 @@ int mbedtls_ecjpake_self_test( int verbose ) sizeof( secret ) - 1 ) == 0 ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (client ext read): " ); + mbedtls_printf( " ECJPAKE test #1 (read in sequence): " ); + + /* This is not realistic because it uses the same context for client and + * server, but it ensures the context has all of X1 to X4 when reading the + * key exchange message, so this is convenient for a quick test */ TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, - ecjpake_test_kkpp, - sizeof( ecjpake_test_kkpp ) ) == 0 ); + ecjpake_test_cli_ext, + sizeof( ecjpake_test_cli_ext ) ) == 0 ); - /* Corrupt message */ - memcpy( buf, ecjpake_test_kkpp, sizeof( ecjpake_test_kkpp ) ); - buf[sizeof( ecjpake_test_kkpp ) - 1]--; - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, - buf, sizeof( ecjpake_test_kkpp ) ) - == MBEDTLS_ERR_ECP_VERIFY_FAILED ); + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &ctx, + ecjpake_test_srv_ext, + sizeof( ecjpake_test_srv_ext ) ) == 0 ); - if( verbose != 0 ) - mbedtls_printf( "passed\n" ); - - if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #2 (client ext write/read): " ); - - TEST_ASSERT( mbedtls_ecjpake_tls_write_client_ext( &ctx, - buf, sizeof( buf ), &len, - ecjpake_lgc, NULL ) == 0 ); - - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &ctx, + ecjpake_test_srv_kx, + sizeof( ecjpake_test_srv_kx ) ) == 0 ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); From 1a7c5ef42bc6b1a5e6a6cd6ba9c014d8e7163ad2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 10:19:09 +0200 Subject: [PATCH 17/87] Optimize some case of mbedtls_ecp_muladd() Those are used by EC-JPAKE --- library/ecp.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index 54f51ab50..89a5612b9 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1697,8 +1697,17 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, mbedtls_ecp_point_init( &mP ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &mP, m, P, NULL, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, n, Q, NULL, NULL ) ); + /* Optimize some simple special cases */ + if( mbedtls_mpi_cmp_int( m, 1 ) == 0 ) + MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &mP, P ) ); + else + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &mP, m, P, NULL, NULL ) ); + + if( mbedtls_mpi_cmp_int( n, 1 ) == 0 ) + MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, Q ) ); + else + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, n, Q, NULL, NULL ) ); + MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, &mP, R ) ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) ); From 8d31e80da4023bcaf1d494d1910ae561ea3b8831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 14:44:57 +0200 Subject: [PATCH 18/87] Improve testing strategy - reference handshake tests that we get the right values (not much now, but much more later when we get to deriving the PMS) - random handshake in addition tests our generate/write functions against our read functions, that are tested by the reference handshake, and will be further tested in the test suite later against invalid inputs --- library/ecjpake.c | 113 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 94 insertions(+), 19 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index b80ca1a06..95be8a3cb 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -578,6 +578,35 @@ int mbedtls_ecjpake_self_test( int verbose ) } #else +static const unsigned char ecjpake_test_password[] = { + 0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74, + 0x65, 0x73, 0x74 +}; + +static const unsigned char ecjpake_test_x1[] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21 +}; + +static const unsigned char ecjpake_test_x2[] = { + 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, + 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81 +}; + +static const unsigned char ecjpake_test_x3[] = { + 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, + 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81 +}; + +static const unsigned char ecjpake_test_x4[] = { + 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, + 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, + 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1 +}; + static const unsigned char ecjpake_test_cli_ext[] = { 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, @@ -657,7 +686,6 @@ static const unsigned char ecjpake_test_srv_kx[] = { 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c }; -#if 0 /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) @@ -676,7 +704,6 @@ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) return( 0 ); } -#endif #define TEST_ASSERT( x ) \ do { \ @@ -695,33 +722,80 @@ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) int mbedtls_ecjpake_self_test( int verbose ) { int ret; - mbedtls_ecjpake_context ctx; - char secret[] = "test passphrase"; + mbedtls_ecjpake_context cli; + mbedtls_ecjpake_context srv; + unsigned char buf[512]; + size_t len; - mbedtls_ecjpake_init( &ctx ); - - /* Common to all tests */ - TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, - MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, - (const unsigned char *) secret, - sizeof( secret ) - 1 ) == 0 ); + mbedtls_ecjpake_init( &cli ); + mbedtls_ecjpake_init( &srv ); if( verbose != 0 ) - mbedtls_printf( " ECJPAKE test #1 (read in sequence): " ); + mbedtls_printf( " ECJPAKE test #0 (setup): " ); - /* This is not realistic because it uses the same context for client and - * server, but it ensures the context has all of X1 to X4 when reading the - * key exchange message, so this is convenient for a quick test */ + TEST_ASSERT( mbedtls_ecjpake_setup( &cli, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, + ecjpake_test_password, + sizeof( ecjpake_test_password ) ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &ctx, + TEST_ASSERT( mbedtls_ecjpake_setup( &srv, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, + ecjpake_test_password, + sizeof( ecjpake_test_password ) ) == 0 ); + + if( verbose != 0 ) + mbedtls_printf( "passed\n" ); + + if( verbose != 0 ) + mbedtls_printf( " ECJPAKE test #1 (random handshake): " ); + + TEST_ASSERT( mbedtls_ecjpake_tls_write_client_ext( &cli, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &srv, buf, len ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_tls_write_server_ext( &srv, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, buf, len ) == 0 ); + + if( verbose != 0 ) + mbedtls_printf( "passed\n" ); + + if( verbose != 0 ) + mbedtls_printf( " ECJPAKE test #2 (reference handshake): " ); + + /* Simulate key generation on client, skip writing client_ext */ + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xa, + ecjpake_test_x1, sizeof( ecjpake_test_x1 ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xb, + ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.X1, &cli.xa, + &cli.grp.G, NULL, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.X2, &cli.xb, + &cli.grp.G, NULL, NULL ) ); + + /* Server reads client ext */ + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &srv, ecjpake_test_cli_ext, sizeof( ecjpake_test_cli_ext ) ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &ctx, + /* Simulate key generation on server, skip writing server_ext */ + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xa, + ecjpake_test_x3, sizeof( ecjpake_test_x3 ) ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xb, + ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.X3, &srv.xa, + &srv.grp.G, NULL, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.X4, &srv.xb, + &srv.grp.G, NULL, NULL ) ); + + /* Client reads server ext and key exchange */ + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, ecjpake_test_srv_ext, sizeof( ecjpake_test_srv_ext ) ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &ctx, + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, ecjpake_test_srv_kx, sizeof( ecjpake_test_srv_kx ) ) == 0 ); @@ -729,7 +803,8 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_printf( "passed\n" ); cleanup: - mbedtls_ecjpake_free( &ctx ); + mbedtls_ecjpake_free( &cli ); + mbedtls_ecjpake_free( &srv ); if( ret != 0 ) { From bed9e417612d76bd359d7e4671081f0466fbdd39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 18:53:59 +0200 Subject: [PATCH 19/87] Add writing of server params --- library/ecjpake.c | 105 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 96 insertions(+), 9 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 95be8a3cb..d6087a040 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -499,6 +499,29 @@ int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, "server", buf, len, olen, f_rng, p_rng ) ); } +/* + * Compute the sum of three points R = A + B + C + */ +static int ecjpake_ecp_add3( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, + const mbedtls_ecp_point *A, + const mbedtls_ecp_point *B, + const mbedtls_ecp_point *C ) +{ + int ret; + mbedtls_mpi one; + + mbedtls_mpi_init( &one ); + + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, A, &one, B ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, R, &one, C ) ); + +cleanup: + mbedtls_mpi_free( &one ); + + return( ret ); +} + /* * Read and process ServerECJPAKEParams (7.4.2.5) */ @@ -511,21 +534,16 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, const unsigned char *end = buf + len; mbedtls_ecp_group grp; mbedtls_ecp_point GB; - mbedtls_mpi one; mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &GB ); - mbedtls_mpi_init( &one ); /* - * We need that before parsing in order to check Xs as we read it * GB = X1 + X2 + X3 (7.4.2.5.1) + * We need that before parsing in order to check Xs as we read it */ - MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &GB, &one, &ctx->X1, - &one, &ctx->X2 ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &GB, &one, &GB, - &one, &ctx->X3 ) ); + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, + &ctx->X1, &ctx->X2, &ctx->X3 ) ); /* * struct { @@ -555,7 +573,71 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, cleanup: mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &GB ); - mbedtls_mpi_free( &one ); + + return( ret ); +} + +/* + * Generate and write ServerECJPAKEParams (7.4.2.5) + */ +int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_ecp_point GB, Xs; + mbedtls_mpi xs; + unsigned char *p = buf; + const unsigned char *end = buf + len; + size_t ec_len; + + if( end < *p ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &GB ); + mbedtls_ecp_point_init( &Xs ); + mbedtls_mpi_init( &xs ); + + /* + * First generate private/public key pair (7.4.2.5.1) + * + * GB = X1 + X2 + X3 + * xs = x4 * s mod n + * Xs = xs * GB + */ + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, + &ctx->X1, &ctx->X2, &ctx->X3 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xs, &ctx->xb, &ctx->s ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xs, &xs, &ctx->grp.N ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xs, &xs, &GB, f_rng, p_rng ) ); + + /* + * Now write things out + */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len, + p, end - p ) ); + p += ec_len; + + if( end < p ) + { + ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + goto cleanup; + } + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xs, + MBEDTLS_ECP_PF_UNCOMPRESSED, &ec_len, p, end - p ) ); + p += ec_len; + + MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, + &GB, &xs, &Xs, "server", + &p, end, f_rng, p_rng ) ); + + *olen = p - buf; + +cleanup: + mbedtls_ecp_point_free( &GB ); + mbedtls_ecp_point_free( &Xs ); + mbedtls_mpi_free( &xs ); return( ret ); } @@ -759,6 +841,11 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_write_server_params( &srv, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, buf, len ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); From ec0eece2baf720645106e2324cb226c434503930 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 19:13:20 +0200 Subject: [PATCH 20/87] Add read_client_params --- include/mbedtls/ecjpake.h | 15 +++++++++ library/ecjpake.c | 68 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 6cad35fc5..65aa69325 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -177,6 +177,21 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); +/* + * \brief Read and process ClientECJPAKEParams + * (the contents for the ClientKeyExchange) + * + * \param ctx Context to use + * \param buf Pointer to the message + * \param len Message length + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ); + /* * \brief Free a context's content * diff --git a/library/ecjpake.c b/library/ecjpake.c index d6087a040..a12bac05c 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -592,7 +592,7 @@ int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, const unsigned char *end = buf + len; size_t ec_len; - if( end < *p ) + if( end < p ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); mbedtls_ecp_point_init( &GB ); @@ -642,6 +642,50 @@ cleanup: return( ret ); } +/* + * Read and process ClientECJPAKEParams (7.4.2.6) + */ +int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ) +{ + int ret; + const unsigned char *p = buf; + const unsigned char *end = buf + len; + mbedtls_ecp_group grp; + mbedtls_ecp_point GA; + + mbedtls_ecp_group_init( &grp ); + mbedtls_ecp_point_init( &GA ); + + /* + * GA = X1 + X3 + X4 (7.4.2.6.1) + * We need that before parsing in order to check Xc as we read it + */ + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, + &ctx->X1, &ctx->X3, &ctx->X4 ) ); + + /* + * struct { + * ECJPAKEKeyKP ecjpake_key_kp; + * } CLientECJPAKEParams; + */ + MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, + &GA, &ctx->Xp, "client", &p, end ) ); + + if( p != end ) + { + ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + goto cleanup; + } + +cleanup: + mbedtls_ecp_group_free( &grp ); + mbedtls_ecp_point_free( &GA ); + + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -768,6 +812,23 @@ static const unsigned char ecjpake_test_srv_kx[] = { 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c }; +static const unsigned char ecjpake_test_cli_kx[] = { + 0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46, + 0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb, + 0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72, + 0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce, + 0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98, + 0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31, + 0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15, + 0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36, + 0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8, + 0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45, + 0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d, + 0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58, + 0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82, + 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c +}; + /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) @@ -886,6 +947,11 @@ int mbedtls_ecjpake_self_test( int verbose ) ecjpake_test_srv_kx, sizeof( ecjpake_test_srv_kx ) ) == 0 ); + /* Server reads client key exchange */ + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_params( &srv, + ecjpake_test_cli_kx, + sizeof( ecjpake_test_cli_kx ) ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); From 614bd5e919030ebb358744f94258d268ee8c894e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 20:19:16 +0200 Subject: [PATCH 21/87] Add write_client_params --- include/mbedtls/ecjpake.h | 19 ++++++++++++ library/ecjpake.c | 61 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 65aa69325..2207ad9f6 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -177,6 +177,25 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); +/* + * \brief Generate and write ClientECJPAKEParams + * (the contents for the ClientKeyExchange) + * + * \param ctx Context to use + * \param buf Buffer to write the contents to + * \param len Buffer size + * \param olen Will be updated with the number of bytes written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + /* * \brief Read and process ClientECJPAKEParams * (the contents for the ClientKeyExchange) diff --git a/library/ecjpake.c b/library/ecjpake.c index a12bac05c..dffab222e 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -686,6 +686,62 @@ cleanup: return( ret ); } +/* + * Generate and write ClientECJPAKEParams (7.4.2.6) + */ +int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_ecp_point GA, Xc; + mbedtls_mpi xc; + unsigned char *p = buf; + const unsigned char *end = buf + len; + size_t ec_len; + + if( end < p ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &GA ); + mbedtls_ecp_point_init( &Xc ); + mbedtls_mpi_init( &xc ); + + /* + * First generate private/public key pair (7.4.2.6.1) + * + * GA = X1 + X3 + X4 + * xc = x2 * s mod n + * Xc = xc * GA + */ + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, + &ctx->X1, &ctx->X3, &ctx->X4 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xc, &ctx->xb, &ctx->s ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xc, &xc, &ctx->grp.N ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xc, &xc, &GA, f_rng, p_rng ) ); + + /* + * Now write things out + */ + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xc, + MBEDTLS_ECP_PF_UNCOMPRESSED, &ec_len, p, end - p ) ); + p += ec_len; + + MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, + &GA, &xc, &Xc, "client", + &p, end, f_rng, p_rng ) ); + + *olen = p - buf; + +cleanup: + mbedtls_ecp_point_free( &GA ); + mbedtls_ecp_point_free( &Xc ); + mbedtls_mpi_free( &xc ); + + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -907,6 +963,11 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_write_client_params( &cli, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_tls_read_client_params( &srv, buf, len ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); From 6449391852d0ddfd96789989dbd20701a864e79e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 13 Aug 2015 20:19:51 +0200 Subject: [PATCH 22/87] Store our role in the context --- include/mbedtls/ecjpake.h | 8 ++++++++ library/ecjpake.c | 7 +++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 2207ad9f6..ba0a70219 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -30,10 +30,16 @@ extern "C" { #endif +typedef enum { + MBEDTLS_ECJPAKE_CLIENT, + MBEDTLS_ECJPAKE_SERVER, +} mbedtls_ecjpake_role; + typedef struct { const mbedtls_md_info_t *md_info; /**< Hash to use */ mbedtls_ecp_group grp; /**< Elliptic curve */ + mbedtls_ecjpake_role role; /**< Are we client or server? */ mbedtls_ecp_point X1; /**< Public key one */ mbedtls_ecp_point X2; /**< Public key two */ @@ -62,6 +68,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1. * * \param ctx context to set up + * \param role Our role: client or server * \param hash hash function to use (MBEDTLS_MD_XXX) * \param curve elliptic curve identifier (MBEDTLS_ECP_DP_XXX) * \param secret shared secret @@ -71,6 +78,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * a negative error code otherwise */ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, + mbedtls_ecjpake_role role, mbedtls_md_type_t hash, mbedtls_ecp_group_id curve, const unsigned char *secret, diff --git a/library/ecjpake.c b/library/ecjpake.c index dffab222e..651d3e73b 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -84,6 +84,7 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) * Setup context */ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, + mbedtls_ecjpake_role role, mbedtls_md_type_t hash, mbedtls_ecp_group_id curve, const unsigned char *secret, @@ -91,6 +92,8 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, { int ret; + ctx->role = role; + if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL ) return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE ); @@ -932,12 +935,12 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #0 (setup): " ); - TEST_ASSERT( mbedtls_ecjpake_setup( &cli, + TEST_ASSERT( mbedtls_ecjpake_setup( &cli, MBEDTLS_ECJPAKE_CLIENT, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, ecjpake_test_password, sizeof( ecjpake_test_password ) ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_setup( &srv, + TEST_ASSERT( mbedtls_ecjpake_setup( &srv, MBEDTLS_ECJPAKE_SERVER, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, ecjpake_test_password, sizeof( ecjpake_test_password ) ) == 0 ); From 5f1882960900b29116326023b1787fe3a8190805 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 10:52:39 +0200 Subject: [PATCH 23/87] Add derive_pms, completing first working version --- include/mbedtls/ecjpake.h | 18 ++++++++ library/ecjpake.c | 88 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 104 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index ba0a70219..9cad2e045 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -219,6 +219,24 @@ int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); +/* + * \brief Derive the Pre-Master Secret used by TLS + * + * \param ctx + * \param buf Buffer to write the contents to + * \param len Buffer size + * \param olen Will be updated with the number of bytes written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successfull, + * a negative error code otherwise + */ +int mbedtls_ecjpake_tls_derive_pms( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + /* * \brief Free a context's content * diff --git a/library/ecjpake.c b/library/ecjpake.c index 651d3e73b..63de6e666 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -745,6 +745,59 @@ cleanup: return( ret ); } +/* + * Derive PMS (7.4.2.7 / 7.4.2.8) + */ +int mbedtls_ecjpake_tls_derive_pms( mbedtls_ecjpake_context *ctx, + unsigned char *buf, size_t len, size_t *olen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_ecp_point K, *X42; + mbedtls_mpi xbs, one; + unsigned char kx[MBEDTLS_ECP_MAX_BYTES]; + size_t x_bytes; + + *olen = mbedtls_md_get_size( ctx->md_info ); + if( len < *olen ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + + mbedtls_ecp_point_init( &K ); + mbedtls_mpi_init( &xbs ); + mbedtls_mpi_init( &one ); + + MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); + X42 = ctx->role == MBEDTLS_ECJPAKE_CLIENT ? &ctx->X4 : &ctx->X2; + + /* + * Client: K = ( Xs - X4 * x2 * s ) * x2 + * Server: K = ( Xc - X2 * x4 * s ) * x4 + * Unified: K = ( Xp - X42 * xb * x ) * xb + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xbs, &ctx->xb, &ctx->s ) ); + xbs.s *= -1; + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xbs, &xbs, &ctx->grp.N ) ); + + MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K, + &one, &ctx->Xp, + &xbs, X42 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xb, &K, + f_rng, p_rng ) ); + + /* PMS = SHA-256( K.X ) */ + x_bytes = ( ctx->grp.pbits + 7 ) / 8; + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) ); + MBEDTLS_MPI_CHK( mbedtls_md( ctx->md_info, kx, x_bytes, buf ) ); + +cleanup: + mbedtls_ecp_point_free( &K ); + mbedtls_mpi_free( &xbs ); + mbedtls_mpi_free( &one ); + + return( ret ); +} + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) @@ -888,6 +941,12 @@ static const unsigned char ecjpake_test_cli_kx[] = { 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c }; +static const unsigned char ecjpake_test_pms[] = { + 0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7, + 0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9, + 0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51 +}; + /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) @@ -926,8 +985,8 @@ int mbedtls_ecjpake_self_test( int verbose ) int ret; mbedtls_ecjpake_context cli; mbedtls_ecjpake_context srv; - unsigned char buf[512]; - size_t len; + unsigned char buf[512], pms[32]; + size_t len, pmslen; mbedtls_ecjpake_init( &cli ); mbedtls_ecjpake_init( &srv ); @@ -966,11 +1025,20 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &cli, + pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_write_client_params( &cli, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); TEST_ASSERT( mbedtls_ecjpake_tls_read_client_params( &srv, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &srv, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( len == pmslen ); + TEST_ASSERT( memcmp( buf, pms, len ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -1016,6 +1084,22 @@ int mbedtls_ecjpake_self_test( int verbose ) ecjpake_test_cli_kx, sizeof( ecjpake_test_cli_kx ) ) == 0 ); + /* Server derives PMS */ + TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &srv, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); + TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 ); + + memset( buf, 0, len ); /* Avoid interferences with next step */ + + /* Client derives PMS */ + TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &cli, + buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); + + TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); + TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); From e0ad57b0b3bf0b520f177ddc2ba21afe8e1b3933 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 11:10:39 +0200 Subject: [PATCH 24/87] Replace explicit IDs with table look-ups That's a first step towards merging symmetric version of different functions --- include/mbedtls/ecjpake.h | 2 +- library/ecjpake.c | 31 +++++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 9cad2e045..2f1a8abca 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -31,7 +31,7 @@ extern "C" { #endif typedef enum { - MBEDTLS_ECJPAKE_CLIENT, + MBEDTLS_ECJPAKE_CLIENT = 0, MBEDTLS_ECJPAKE_SERVER, } mbedtls_ecjpake_role; diff --git a/library/ecjpake.c b/library/ecjpake.c index 63de6e666..84dce0457 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -36,6 +36,17 @@ #include +/* + * Convert a mbedtls_ecjpake_role to identifier string + */ +static const char * const ecjpake_id[] = { + "client", + "server" +}; + +#define ID_MINE ( ecjpake_id[ ctx->role ] ) +#define ID_PEER ( ecjpake_id[ 1 - ctx->role ] ) + /* * Initialize context */ @@ -460,7 +471,7 @@ int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, size_t len ) { return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->X1, &ctx->X2, "client", + &ctx->X1, &ctx->X2, ID_PEER, buf, len ) ); } @@ -472,7 +483,7 @@ int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, size_t len ) { return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->X3, &ctx->X4, "server", + &ctx->X3, &ctx->X4, ID_PEER, buf, len ) ); } @@ -486,7 +497,7 @@ int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, { return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, &ctx->xa, &ctx->X1, &ctx->xb, &ctx->X2, - "client", buf, len, olen, f_rng, p_rng ) ); + ID_MINE, buf, len, olen, f_rng, p_rng ) ); } /* @@ -499,7 +510,7 @@ int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, { return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, &ctx->xa, &ctx->X3, &ctx->xb, &ctx->X4, - "server", buf, len, olen, f_rng, p_rng ) ); + ID_MINE, buf, len, olen, f_rng, p_rng ) ); } /* @@ -556,7 +567,7 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, */ MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) ); MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, - &GB, &ctx->Xp, "server", &p, end ) ); + &GB, &ctx->Xp, ID_PEER, &p, end ) ); if( p != end ) { @@ -632,7 +643,7 @@ int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, p += ec_len; MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, - &GB, &xs, &Xs, "server", + &GB, &xs, &Xs, ID_MINE, &p, end, f_rng, p_rng ) ); *olen = p - buf; @@ -674,7 +685,7 @@ int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, * } CLientECJPAKEParams; */ MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, - &GA, &ctx->Xp, "client", &p, end ) ); + &GA, &ctx->Xp, ID_PEER, &p, end ) ); if( p != end ) { @@ -732,7 +743,7 @@ int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, p += ec_len; MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, - &GA, &xc, &Xc, "client", + &GA, &xc, &Xc, ID_MINE, &p, end, f_rng, p_rng ) ); *olen = p - buf; @@ -798,6 +809,10 @@ cleanup: return( ret ); } +#undef ID_MINE +#undef ID_PEER + + #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_PLATFORM_C) From 6b798b9dae0c2690f4dd74d9a52f81addf861f02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 11:18:30 +0200 Subject: [PATCH 25/87] Tune up some comments --- include/mbedtls/ecjpake.h | 22 ++++++++++++++++++---- library/ecjpake.c | 4 ++-- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 2f1a8abca..e3efe0a26 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -23,6 +23,14 @@ #ifndef MBEDTLS_ECJPAKE_H #define MBEDTLS_ECJPAKE_H +/* + * Implementation based on Chapter 7.4 of the Thread v1.0 Specification, + * available from the Thread Group http://threadgroup.org/ + * + * This file implements the EC J-PAKE algorithm, with payload serializations + * suitable for use in TLS, but the result could be used outside TLS. + */ + #include "ecp.h" #include "md.h" @@ -30,11 +38,17 @@ extern "C" { #endif +/** + * Roles in the EC J-PAKE exchange + */ typedef enum { - MBEDTLS_ECJPAKE_CLIENT = 0, - MBEDTLS_ECJPAKE_SERVER, + MBEDTLS_ECJPAKE_CLIENT = 0, /**< Client */ + MBEDTLS_ECJPAKE_SERVER, /**< Server */ } mbedtls_ecjpake_role; +/** + * EC J-PAKE context structure + */ typedef struct { const mbedtls_md_info_t *md_info; /**< Hash to use */ @@ -50,7 +64,7 @@ typedef struct mbedtls_mpi xa; /**< Our first secret (x1 or x3) */ mbedtls_mpi xb; /**< Our second secret (x2 or x4) */ - mbedtls_mpi s; /**< Pre-shared secret */ + mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; /* @@ -71,7 +85,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param role Our role: client or server * \param hash hash function to use (MBEDTLS_MD_XXX) * \param curve elliptic curve identifier (MBEDTLS_ECP_DP_XXX) - * \param secret shared secret + * \param secret pre-shared secret (passphrase) * \param len length of the shared secret * * \return 0 if successfull, diff --git a/library/ecjpake.c b/library/ecjpake.c index 84dce0457..987c7e396 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -20,8 +20,8 @@ */ /* - * We implement EC-JPAKE as defined in Chapter 7.4 of the Thread v1.0 - * Specification. References below are to this document. + * References in the code are to the Thread v1.0 Specification, + * available from the Thread Group http://threadgroup.org/ */ #if !defined(MBEDTLS_CONFIG_FILE) From ce4567614b8823dbe4a41a2cad808004f3944067 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 11:54:35 +0200 Subject: [PATCH 26/87] Rename variable to prepare for cli/srv unification --- include/mbedtls/ecjpake.h | 24 ++++++---- library/ecjpake.c | 98 ++++++++++++++++++++------------------- 2 files changed, 67 insertions(+), 55 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index e3efe0a26..8d624d439 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -47,7 +47,15 @@ typedef enum { } mbedtls_ecjpake_role; /** - * EC J-PAKE context structure + * EC J-PAKE context structure. + * + * J-PAKE is a symmetric protocol, except for the identifiers used in + * Zero-Knowledge Proofs, and the serialization of the second message + * (KeyExchange) as defined by the Thread spec. + * + * In order to benefit from this symmetry, we choose a different naming + * convetion from the Thread v1.0 spec. Correspondance is indicated in the + * description as a pair C: , S: */ typedef struct { @@ -55,14 +63,14 @@ typedef struct mbedtls_ecp_group grp; /**< Elliptic curve */ mbedtls_ecjpake_role role; /**< Are we client or server? */ - mbedtls_ecp_point X1; /**< Public key one */ - mbedtls_ecp_point X2; /**< Public key two */ - mbedtls_ecp_point X3; /**< Public key three */ - mbedtls_ecp_point X4; /**< Public key four */ - mbedtls_ecp_point Xp; /**< Peer's public key (Xs or Xc) */ + mbedtls_ecp_point Xm1; /**< My public key 1 C: X1, S: X3 */ + mbedtls_ecp_point Xm2; /**< My public key 2 C: X2, S: X4 */ + mbedtls_ecp_point Xp1; /**< Peer public key 1 C: X3, S: X1 */ + mbedtls_ecp_point Xp2; /**< Peer public key 2 C: X4, S: X2 */ + mbedtls_ecp_point Xp; /**< Peer public key C: Xs, S: Xc */ - mbedtls_mpi xa; /**< Our first secret (x1 or x3) */ - mbedtls_mpi xb; /**< Our second secret (x2 or x4) */ + mbedtls_mpi xm1; /**< My private key 1 C: x1, S: x3 */ + mbedtls_mpi xm2; /**< My private key 2 C: x2, S: x4 */ mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; diff --git a/library/ecjpake.c b/library/ecjpake.c index 987c7e396..031ec34ce 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -58,15 +58,15 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) ctx->md_info = NULL; mbedtls_ecp_group_init( &ctx->grp ); - mbedtls_ecp_point_init( &ctx->X1 ); - mbedtls_ecp_point_init( &ctx->X2 ); - mbedtls_ecp_point_init( &ctx->X3 ); - mbedtls_ecp_point_init( &ctx->X4 ); - mbedtls_ecp_point_init( &ctx->Xp ); + mbedtls_ecp_point_init( &ctx->Xm1 ); + mbedtls_ecp_point_init( &ctx->Xm2 ); + mbedtls_ecp_point_init( &ctx->Xp1 ); + mbedtls_ecp_point_init( &ctx->Xp2 ); + mbedtls_ecp_point_init( &ctx->Xp ); - mbedtls_mpi_init( &ctx->xa ); - mbedtls_mpi_init( &ctx->xb ); - mbedtls_mpi_init( &ctx->s ); + mbedtls_mpi_init( &ctx->xm1 ); + mbedtls_mpi_init( &ctx->xm2 ); + mbedtls_mpi_init( &ctx->s ); } /* @@ -80,15 +80,15 @@ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ) ctx->md_info = NULL; mbedtls_ecp_group_free( &ctx->grp ); - mbedtls_ecp_point_free( &ctx->X1 ); - mbedtls_ecp_point_free( &ctx->X2 ); - mbedtls_ecp_point_free( &ctx->X3 ); - mbedtls_ecp_point_free( &ctx->X4 ); - mbedtls_ecp_point_free( &ctx->Xp ); + mbedtls_ecp_point_free( &ctx->Xm1 ); + mbedtls_ecp_point_free( &ctx->Xm2 ); + mbedtls_ecp_point_free( &ctx->Xp1 ); + mbedtls_ecp_point_free( &ctx->Xp2 ); + mbedtls_ecp_point_free( &ctx->Xp ); - mbedtls_mpi_free( &ctx->xa ); - mbedtls_mpi_free( &ctx->xb ); - mbedtls_mpi_free( &ctx->s ); + mbedtls_mpi_free( &ctx->xm1 ); + mbedtls_mpi_free( &ctx->xm2 ); + mbedtls_mpi_free( &ctx->s ); } /* @@ -437,9 +437,9 @@ cleanup: static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, const mbedtls_ecp_point *G, - mbedtls_mpi *xa, + mbedtls_mpi *xm1, mbedtls_ecp_point *Xa, - mbedtls_mpi *xb, + mbedtls_mpi *xm2, mbedtls_ecp_point *Xb, const char *id, unsigned char *buf, @@ -452,9 +452,9 @@ static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, unsigned char *p = buf; const unsigned char *end = buf + len; - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xa, Xa, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xm1, Xa, id, &p, end, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xb, Xb, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xm2, Xb, id, &p, end, f_rng, p_rng ) ); *olen = p - buf; @@ -471,7 +471,7 @@ int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, size_t len ) { return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->X1, &ctx->X2, ID_PEER, + &ctx->Xp1, &ctx->Xp2, ID_PEER, buf, len ) ); } @@ -483,7 +483,7 @@ int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, size_t len ) { return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->X3, &ctx->X4, ID_PEER, + &ctx->Xp1, &ctx->Xp2, ID_PEER, buf, len ) ); } @@ -496,7 +496,7 @@ int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, void *p_rng ) { return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->xa, &ctx->X1, &ctx->xb, &ctx->X2, + &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2, ID_MINE, buf, len, olen, f_rng, p_rng ) ); } @@ -509,7 +509,7 @@ int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, void *p_rng ) { return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->xa, &ctx->X3, &ctx->xb, &ctx->X4, + &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2, ID_MINE, buf, len, olen, f_rng, p_rng ) ); } @@ -553,11 +553,12 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, mbedtls_ecp_point_init( &GB ); /* - * GB = X1 + X2 + X3 (7.4.2.5.1) - * We need that before parsing in order to check Xs as we read it + * Client: GB = X1 + X2 + X3 (7.4.2.5.1) + * Unified: GB = Xm1 + Xm2 + Xp1 + * We need that before parsing in order to check Xp as we read it */ MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, - &ctx->X1, &ctx->X2, &ctx->X3 ) ); + &ctx->Xm1, &ctx->Xm2, &ctx->Xp1 ) ); /* * struct { @@ -616,13 +617,14 @@ int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, /* * First generate private/public key pair (7.4.2.5.1) * - * GB = X1 + X2 + X3 + * Server: GB = X1 + X2 + X3 + * Unified: * xs = x4 * s mod n * Xs = xs * GB */ MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, - &ctx->X1, &ctx->X2, &ctx->X3 ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xs, &ctx->xb, &ctx->s ) ); + &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xs, &ctx->xm2, &ctx->s ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xs, &xs, &ctx->grp.N ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xs, &xs, &GB, f_rng, p_rng ) ); @@ -673,11 +675,12 @@ int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, mbedtls_ecp_point_init( &GA ); /* - * GA = X1 + X3 + X4 (7.4.2.6.1) + * Server: GA = X1 + X3 + X4 (7.4.2.6.1) + * Unified: G = Xp1 + Xm1 + Xm2 * We need that before parsing in order to check Xc as we read it */ MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, - &ctx->X1, &ctx->X3, &ctx->X4 ) ); + &ctx->Xp1, &ctx->Xm1, &ctx->Xm2 ) ); /* * struct { @@ -725,13 +728,14 @@ int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, /* * First generate private/public key pair (7.4.2.6.1) * - * GA = X1 + X3 + X4 + * Client: GA = X1 + X3 + X4 + * Unified: G = Xm1 + Xp1 + Xp2 * xc = x2 * s mod n * Xc = xc * GA */ MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, - &ctx->X1, &ctx->X3, &ctx->X4 ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xc, &ctx->xb, &ctx->s ) ); + &ctx->Xm1, &ctx->Xp1, &ctx->Xp2 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xc, &ctx->xm2, &ctx->s ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xc, &xc, &ctx->grp.N ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xc, &xc, &GA, f_rng, p_rng ) ); @@ -779,21 +783,21 @@ int mbedtls_ecjpake_tls_derive_pms( mbedtls_ecjpake_context *ctx, mbedtls_mpi_init( &one ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); - X42 = ctx->role == MBEDTLS_ECJPAKE_CLIENT ? &ctx->X4 : &ctx->X2; + X42 = ctx->role == MBEDTLS_ECJPAKE_CLIENT ? &ctx->Xp2 : &ctx->Xp2; /* * Client: K = ( Xs - X4 * x2 * s ) * x2 * Server: K = ( Xc - X2 * x4 * s ) * x4 - * Unified: K = ( Xp - X42 * xb * x ) * xb + * Unified: K = ( Xp - X42 * xm2 * x ) * xm2 */ - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xbs, &ctx->xb, &ctx->s ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xbs, &ctx->xm2, &ctx->s ) ); xbs.s *= -1; MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xbs, &xbs, &ctx->grp.N ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K, &one, &ctx->Xp, &xbs, X42 ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xb, &K, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K, f_rng, p_rng ) ); /* PMS = SHA-256( K.X ) */ @@ -1061,13 +1065,13 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_printf( " ECJPAKE test #2 (reference handshake): " ); /* Simulate key generation on client, skip writing client_ext */ - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xa, + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xm1, ecjpake_test_x1, sizeof( ecjpake_test_x1 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xb, + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xm2, ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.X1, &cli.xa, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.Xm1, &cli.xm1, &cli.grp.G, NULL, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.X2, &cli.xb, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.Xm2, &cli.xm2, &cli.grp.G, NULL, NULL ) ); /* Server reads client ext */ @@ -1076,13 +1080,13 @@ int mbedtls_ecjpake_self_test( int verbose ) sizeof( ecjpake_test_cli_ext ) ) == 0 ); /* Simulate key generation on server, skip writing server_ext */ - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xa, + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xm1, ecjpake_test_x3, sizeof( ecjpake_test_x3 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xb, + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xm2, ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.X3, &srv.xa, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.Xm1, &srv.xm1, &srv.grp.G, NULL, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.X4, &srv.xb, + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.Xm2, &srv.xm2, &srv.grp.G, NULL, NULL ) ); /* Client reads server ext and key exchange */ From e2d3a4e1b445442d34e7876839a4e09394a28534 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 12:03:04 +0200 Subject: [PATCH 27/87] Unify loading of test vectors in tests --- library/ecjpake.c | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 031ec34ce..0795c1d4f 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -966,6 +966,24 @@ static const unsigned char ecjpake_test_pms[] = { 0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51 }; +/* Load my private keys and generate the correponding public keys */ +static int ecjpake_test_load( mbedtls_ecjpake_context *ctx, + const unsigned char *xm1, size_t len1, + const unsigned char *xm2, size_t len2 ) +{ + int ret; + + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len2 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm1, &ctx->xm1, + &ctx->grp.G, NULL, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm2, &ctx->xm2, + &ctx->grp.G, NULL, NULL ) ); + +cleanup: + return( ret ); +} + /* For tests we don't need a secure RNG; * use the LGC from Numerical Recipes for simplicity */ static int ecjpake_lgc( void *p, unsigned char *out, size_t len ) @@ -1065,14 +1083,9 @@ int mbedtls_ecjpake_self_test( int verbose ) mbedtls_printf( " ECJPAKE test #2 (reference handshake): " ); /* Simulate key generation on client, skip writing client_ext */ - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xm1, - ecjpake_test_x1, sizeof( ecjpake_test_x1 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &cli.xm2, + MBEDTLS_MPI_CHK( ecjpake_test_load( &cli, + ecjpake_test_x1, sizeof( ecjpake_test_x1 ), ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.Xm1, &cli.xm1, - &cli.grp.G, NULL, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &cli.grp, &cli.Xm2, &cli.xm2, - &cli.grp.G, NULL, NULL ) ); /* Server reads client ext */ TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &srv, @@ -1080,14 +1093,9 @@ int mbedtls_ecjpake_self_test( int verbose ) sizeof( ecjpake_test_cli_ext ) ) == 0 ); /* Simulate key generation on server, skip writing server_ext */ - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xm1, - ecjpake_test_x3, sizeof( ecjpake_test_x3 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &srv.xm2, + MBEDTLS_MPI_CHK( ecjpake_test_load( &srv, + ecjpake_test_x3, sizeof( ecjpake_test_x3 ), ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.Xm1, &srv.xm1, - &srv.grp.G, NULL, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &srv.grp, &srv.Xm2, &srv.xm2, - &srv.grp.G, NULL, NULL ) ); /* Client reads server ext and key exchange */ TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, From d8204a7bea32ba790804df8a58aac419bb38891e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 13:36:55 +0200 Subject: [PATCH 28/87] Provide symmetric API for the first round --- include/mbedtls/ecjpake.h | 63 +++++++++++++-------------------------- library/ecjpake.c | 49 ++++++++---------------------- 2 files changed, 32 insertions(+), 80 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 8d624d439..8dc8244e7 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -27,8 +27,17 @@ * Implementation based on Chapter 7.4 of the Thread v1.0 Specification, * available from the Thread Group http://threadgroup.org/ * - * This file implements the EC J-PAKE algorithm, with payload serializations + * J-PAKE is a password-authenticated key exchange that allows deriving a + * strong shared secret from a (potentially low entropy) pre-shared + * passphrase, with forward secrecy and mutual authentication. + * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling + * + * This file implements the EC J-PAKE algorithm with payload serializations * suitable for use in TLS, but the result could be used outside TLS. + * + * As the J-PAKE algorithm is inherently symmetric, so is our API. + * Each party needs to send its first round message, in any order, to the + * other party, then each sends its second round message, in any order. */ #include "ecp.h" @@ -107,8 +116,9 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, size_t len ); /* - * \brief Generate and write contents of ClientHello extension - * (excluding extension type and length bytes) + * \brief Generate and write the first round message + * (TLS: contents of the Client/ServerHello extension, + * excluding extension type and length bytes) * * \param ctx Context to use * \param buf Buffer to write the contents to @@ -120,13 +130,14 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, * \return 0 if successfull, * a negative error code otherwise */ -int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /* - * \brief Read and process contents of the ClientHello extension - * (excluding extension type and length bytes) + * \brief Generate and write the first round message + * (TLS: contents of the Client/ServerHello extension, + * excluding extension type and length bytes) * * \param ctx Context to use * \param buf Pointer to extension contents @@ -135,43 +146,9 @@ int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, * \return 0 if successfull, * a negative error code otherwise */ -int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ); - -/* - * \brief Generate and write contents of ServerHello extension - * (excluding extension type and length bytes) - * - * \param ctx Context to use - * \param buf Buffer to write the contents to - * \param len Buffer size - * \param olen Will be updated with the number of bytes written - * \param f_rng RNG function - * \param p_rng RNG parameter - * - * \return 0 if successfull, - * a negative error code otherwise - */ -int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, - unsigned char *buf, size_t len, size_t *olen, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ); - -/* - * \brief Read and process contents of the ServerHello extension - * (excluding extension type and length bytes) - * - * \param ctx Context to use - * \param buf Pointer to extension contents - * \param len Extension length - * - * \return 0 if successfull, - * a negative error code otherwise - */ -int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ); +int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ); /* * \brief Generate and write ServerECJPAKEParams diff --git a/library/ecjpake.c b/library/ecjpake.c index 0795c1d4f..08d54d79a 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -464,11 +464,11 @@ cleanup: } /* - * Read the contents of the ClientHello extension + * Read and process the first round message */ -int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ) +int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, + const unsigned char *buf, + size_t len ) { return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, &ctx->Xp1, &ctx->Xp2, ID_PEER, @@ -476,34 +476,9 @@ int mbedtls_ecjpake_tls_read_client_ext( mbedtls_ecjpake_context *ctx, } /* - * Read the contents of the ServerHello extension + * Generate and write the first round message */ -int mbedtls_ecjpake_tls_read_server_ext( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ) -{ - return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->Xp1, &ctx->Xp2, ID_PEER, - buf, len ) ); -} - -/* - * Generate the contents of the ClientHello extension - */ -int mbedtls_ecjpake_tls_write_client_ext( mbedtls_ecjpake_context *ctx, - unsigned char *buf, size_t len, size_t *olen, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) -{ - return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, - &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2, - ID_MINE, buf, len, olen, f_rng, p_rng ) ); -} - -/* - * Generate the contents of the ServerHello extension - */ -int mbedtls_ecjpake_tls_write_server_ext( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) @@ -1047,15 +1022,15 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #1 (random handshake): " ); - TEST_ASSERT( mbedtls_ecjpake_tls_write_client_ext( &cli, + TEST_ASSERT( mbedtls_ecjpake_write_round_one( &cli, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &srv, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, buf, len ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_write_server_ext( &srv, + TEST_ASSERT( mbedtls_ecjpake_write_round_one( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, buf, len ) == 0 ); TEST_ASSERT( mbedtls_ecjpake_tls_write_server_params( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); @@ -1088,7 +1063,7 @@ int mbedtls_ecjpake_self_test( int verbose ) ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) ); /* Server reads client ext */ - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_ext( &srv, + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, ecjpake_test_cli_ext, sizeof( ecjpake_test_cli_ext ) ) == 0 ); @@ -1098,7 +1073,7 @@ int mbedtls_ecjpake_self_test( int verbose ) ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) ); /* Client reads server ext and key exchange */ - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_ext( &cli, + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, ecjpake_test_srv_ext, sizeof( ecjpake_test_srv_ext ) ) == 0 ); From e1927101fb750e97992ac2531b5b0c2a4bafc1a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 14:20:48 +0200 Subject: [PATCH 29/87] Unify round two --- include/mbedtls/ecjpake.h | 38 +------ library/ecjpake.c | 209 +++++++++++--------------------------- 2 files changed, 61 insertions(+), 186 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 8dc8244e7..56bf39739 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -150,40 +150,6 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); -/* - * \brief Generate and write ServerECJPAKEParams - * (the contents for the ServerKeyExchange) - * - * \param ctx Context to use - * \param buf Buffer to write the contents to - * \param len Buffer size - * \param olen Will be updated with the number of bytes written - * \param f_rng RNG function - * \param p_rng RNG parameter - * - * \return 0 if successfull, - * a negative error code otherwise - */ -int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, - unsigned char *buf, size_t len, size_t *olen, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ); - -/* - * \brief Read and process ServerECJPAKEParams - * (the contents for the ServerKeyExchange) - * - * \param ctx Context to use - * \param buf Pointer to the message - * \param len Message length - * - * \return 0 if successfull, - * a negative error code otherwise - */ -int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ); - /* * \brief Generate and write ClientECJPAKEParams * (the contents for the ClientKeyExchange) @@ -198,7 +164,7 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, * \return 0 if successfull, * a negative error code otherwise */ -int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); @@ -214,7 +180,7 @@ int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, * \return 0 if successfull, * a negative error code otherwise */ -int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); diff --git a/library/ecjpake.c b/library/ecjpake.c index 08d54d79a..e09d74279 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -512,9 +512,9 @@ cleanup: } /* - * Read and process ServerECJPAKEParams (7.4.2.5) + * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6) */ -int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ) { @@ -522,28 +522,30 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, const unsigned char *p = buf; const unsigned char *end = buf + len; mbedtls_ecp_group grp; - mbedtls_ecp_point GB; + mbedtls_ecp_point G; mbedtls_ecp_group_init( &grp ); - mbedtls_ecp_point_init( &GB ); + mbedtls_ecp_point_init( &G ); /* - * Client: GB = X1 + X2 + X3 (7.4.2.5.1) - * Unified: GB = Xm1 + Xm2 + Xp1 + * Server: GA = X3 + X4 + X1 (7.4.2.6.1) + * Client: GB = X1 + X2 + X3 (7.4.2.5.1) + * Unified: G = Xm1 + Xm2 + Xp1 * We need that before parsing in order to check Xp as we read it */ - MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G, &ctx->Xm1, &ctx->Xm2, &ctx->Xp1 ) ); /* * struct { - * ECParameters curve_params; + * ECParameters curve_params; // only client reading server msg * ECJPAKEKeyKP ecjpake_key_kp; - * } ServerECJPAKEParams; + * } Client/ServerECJPAKEParams; */ - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) ); + if( ctx->role == MBEDTLS_ECJPAKE_CLIENT ) + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) ); MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, - &GB, &ctx->Xp, ID_PEER, &p, end ) ); + &G, &ctx->Xp, ID_PEER, &p, end ) ); if( p != end ) { @@ -552,185 +554,92 @@ int mbedtls_ecjpake_tls_read_server_params( mbedtls_ecjpake_context *ctx, } /* - * Xs already checked, only thing left to check is the group + * Xs already checked, only thing left to check is the group, */ - if( grp.id != ctx->grp.id ) + if( ctx->role == MBEDTLS_ECJPAKE_CLIENT && grp.id != ctx->grp.id ) { ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; goto cleanup; } - cleanup: mbedtls_ecp_group_free( &grp ); - mbedtls_ecp_point_free( &GB ); + mbedtls_ecp_point_free( &G ); return( ret ); } /* - * Generate and write ServerECJPAKEParams (7.4.2.5) + * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6) */ -int mbedtls_ecjpake_tls_write_server_params( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret; - mbedtls_ecp_point GB, Xs; - mbedtls_mpi xs; + mbedtls_ecp_point G; /* C: GA, S: GB */ + mbedtls_ecp_point Xm; /* C: Xc, S: Xs */ + mbedtls_mpi xm; /* C: xc, S: xs */ unsigned char *p = buf; const unsigned char *end = buf + len; size_t ec_len; - if( end < p ) - return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); - - mbedtls_ecp_point_init( &GB ); - mbedtls_ecp_point_init( &Xs ); - mbedtls_mpi_init( &xs ); + mbedtls_ecp_point_init( &G ); + mbedtls_ecp_point_init( &Xm ); + mbedtls_mpi_init( &xm ); /* - * First generate private/public key pair (7.4.2.5.1) + * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1) * - * Server: GB = X1 + X2 + X3 - * Unified: - * xs = x4 * s mod n - * Xs = xs * GB + * Client: GA = X1 + X3 + X4 | xs = x2 * s | Xc = xc * GA + * Server: GB = X3 + X1 + X2 | xs = x4 * s | Xs = xs * GB + * Unified: G = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G */ - MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GB, + MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G, &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xs, &ctx->xm2, &ctx->s ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xs, &xs, &ctx->grp.N ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xs, &xs, &GB, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xm, &ctx->xm2, &ctx->s ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xm, &xm, &ctx->grp.N ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xm, &xm, &G, f_rng, p_rng ) ); /* * Now write things out + * + * struct { + * ECParameters curve_params; // only server writing its message + * ECJPAKEKeyKP ecjpake_key_kp; + * } Client/ServerECJPAKEParams; */ - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len, - p, end - p ) ); - p += ec_len; + if( ctx->role == MBEDTLS_ECJPAKE_SERVER ) + { + if( end < p ) + { + ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; + goto cleanup; + } + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len, + p, end - p ) ); + p += ec_len; + } if( end < p ) { ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL; goto cleanup; } - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xs, + MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xm, MBEDTLS_ECP_PF_UNCOMPRESSED, &ec_len, p, end - p ) ); p += ec_len; MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, - &GB, &xs, &Xs, ID_MINE, + &G, &xm, &Xm, ID_MINE, &p, end, f_rng, p_rng ) ); *olen = p - buf; cleanup: - mbedtls_ecp_point_free( &GB ); - mbedtls_ecp_point_free( &Xs ); - mbedtls_mpi_free( &xs ); - - return( ret ); -} - -/* - * Read and process ClientECJPAKEParams (7.4.2.6) - */ -int mbedtls_ecjpake_tls_read_client_params( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ) -{ - int ret; - const unsigned char *p = buf; - const unsigned char *end = buf + len; - mbedtls_ecp_group grp; - mbedtls_ecp_point GA; - - mbedtls_ecp_group_init( &grp ); - mbedtls_ecp_point_init( &GA ); - - /* - * Server: GA = X1 + X3 + X4 (7.4.2.6.1) - * Unified: G = Xp1 + Xm1 + Xm2 - * We need that before parsing in order to check Xc as we read it - */ - MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, - &ctx->Xp1, &ctx->Xm1, &ctx->Xm2 ) ); - - /* - * struct { - * ECJPAKEKeyKP ecjpake_key_kp; - * } CLientECJPAKEParams; - */ - MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, - &GA, &ctx->Xp, ID_PEER, &p, end ) ); - - if( p != end ) - { - ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - goto cleanup; - } - -cleanup: - mbedtls_ecp_group_free( &grp ); - mbedtls_ecp_point_free( &GA ); - - return( ret ); -} - -/* - * Generate and write ClientECJPAKEParams (7.4.2.6) - */ -int mbedtls_ecjpake_tls_write_client_params( mbedtls_ecjpake_context *ctx, - unsigned char *buf, size_t len, size_t *olen, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) -{ - int ret; - mbedtls_ecp_point GA, Xc; - mbedtls_mpi xc; - unsigned char *p = buf; - const unsigned char *end = buf + len; - size_t ec_len; - - if( end < p ) - return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); - - mbedtls_ecp_point_init( &GA ); - mbedtls_ecp_point_init( &Xc ); - mbedtls_mpi_init( &xc ); - - /* - * First generate private/public key pair (7.4.2.6.1) - * - * Client: GA = X1 + X3 + X4 - * Unified: G = Xm1 + Xp1 + Xp2 - * xc = x2 * s mod n - * Xc = xc * GA - */ - MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &GA, - &ctx->Xm1, &ctx->Xp1, &ctx->Xp2 ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xc, &ctx->xm2, &ctx->s ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xc, &xc, &ctx->grp.N ) ); - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xc, &xc, &GA, f_rng, p_rng ) ); - - /* - * Now write things out - */ - MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xc, - MBEDTLS_ECP_PF_UNCOMPRESSED, &ec_len, p, end - p ) ); - p += ec_len; - - MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, - &GA, &xc, &Xc, ID_MINE, - &p, end, f_rng, p_rng ) ); - - *olen = p - buf; - -cleanup: - mbedtls_ecp_point_free( &GA ); - mbedtls_ecp_point_free( &Xc ); - mbedtls_mpi_free( &xc ); + mbedtls_ecp_point_free( &G ); + mbedtls_ecp_point_free( &Xm ); + mbedtls_mpi_free( &xm ); return( ret ); } @@ -1032,18 +941,18 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, buf, len ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_write_server_params( &srv, + TEST_ASSERT( mbedtls_ecjpake_write_round_two( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, buf, len ) == 0 ); TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &cli, pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_write_client_params( &cli, + TEST_ASSERT( mbedtls_ecjpake_write_round_two( &cli, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_params( &srv, buf, len ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, buf, len ) == 0 ); TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); @@ -1077,12 +986,12 @@ int mbedtls_ecjpake_self_test( int verbose ) ecjpake_test_srv_ext, sizeof( ecjpake_test_srv_ext ) ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_read_server_params( &cli, + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, ecjpake_test_srv_kx, sizeof( ecjpake_test_srv_kx ) ) == 0 ); /* Server reads client key exchange */ - TEST_ASSERT( mbedtls_ecjpake_tls_read_client_params( &srv, + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, ecjpake_test_cli_kx, sizeof( ecjpake_test_cli_kx ) ) == 0 ); From f7368c983acb9b67b6a7e7ee80ae12e5a898c663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 14:33:05 +0200 Subject: [PATCH 30/87] Polish API and documentation --- include/mbedtls/ecjpake.h | 46 ++++++++++++++++++++------------------- library/ecjpake.c | 10 ++++----- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 56bf39739..59e80e50e 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -24,20 +24,20 @@ #define MBEDTLS_ECJPAKE_H /* - * Implementation based on Chapter 7.4 of the Thread v1.0 Specification, - * available from the Thread Group http://threadgroup.org/ - * * J-PAKE is a password-authenticated key exchange that allows deriving a * strong shared secret from a (potentially low entropy) pre-shared * passphrase, with forward secrecy and mutual authentication. * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling * - * This file implements the EC J-PAKE algorithm with payload serializations - * suitable for use in TLS, but the result could be used outside TLS. + * This file implements the Elliptic Curve variant of J-PAKE, + * as defined in Chapter 7.4 of the Thread v1.0 Specification, + * available to members of the Thread Group http://threadgroup.org/ * * As the J-PAKE algorithm is inherently symmetric, so is our API. * Each party needs to send its first round message, in any order, to the * other party, then each sends its second round message, in any order. + * The payloads are serialized in a way suitable for use in TLS, but could + * also be use outside TLS. */ #include "ecp.h" @@ -84,7 +84,7 @@ typedef struct mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; -/* +/** * \brief Initialize a context * (just makes it ready for setup() or free()). * @@ -92,7 +92,7 @@ typedef struct */ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); -/* +/** * \brief Set up a context for use * * \note Currently the only values for hash/curve allowed by the @@ -115,7 +115,7 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, const unsigned char *secret, size_t len ); -/* +/** * \brief Generate and write the first round message * (TLS: contents of the Client/ServerHello extension, * excluding extension type and length bytes) @@ -134,8 +134,9 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); -/* - * \brief Generate and write the first round message + +/** + * \brief Read and process the first round message * (TLS: contents of the Client/ServerHello extension, * excluding extension type and length bytes) * @@ -150,9 +151,9 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ); -/* - * \brief Generate and write ClientECJPAKEParams - * (the contents for the ClientKeyExchange) +/** + * \brief Generate and write the second round message + * (TLS: contents of the Client/ServerKeyExchange) * * \param ctx Context to use * \param buf Buffer to write the contents to @@ -169,9 +170,9 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); -/* - * \brief Read and process ClientECJPAKEParams - * (the contents for the ClientKeyExchange) +/** + * \brief Read and process the second round message + * (TLS: contents of the Client/ServerKeyExchange) * * \param ctx Context to use * \param buf Pointer to the message @@ -181,11 +182,12 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, * a negative error code otherwise */ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, - const unsigned char *buf, - size_t len ); + const unsigned char *buf, + size_t len ); -/* - * \brief Derive the Pre-Master Secret used by TLS +/** + * \brief Derive the shared secret + * (TLS: Pre-Master Secret) * * \param ctx * \param buf Buffer to write the contents to @@ -197,12 +199,12 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, * \return 0 if successfull, * a negative error code otherwise */ -int mbedtls_ecjpake_tls_derive_pms( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); -/* +/** * \brief Free a context's content * * \param ctx context to free diff --git a/library/ecjpake.c b/library/ecjpake.c index e09d74279..b0fda2013 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -647,7 +647,7 @@ cleanup: /* * Derive PMS (7.4.2.7 / 7.4.2.8) */ -int mbedtls_ecjpake_tls_derive_pms( mbedtls_ecjpake_context *ctx, +int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) @@ -946,7 +946,7 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, buf, len ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &cli, + TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli, pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 ); TEST_ASSERT( mbedtls_ecjpake_write_round_two( &cli, @@ -954,7 +954,7 @@ int mbedtls_ecjpake_self_test( int verbose ) TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, buf, len ) == 0 ); - TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &srv, + TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); TEST_ASSERT( len == pmslen ); @@ -996,7 +996,7 @@ int mbedtls_ecjpake_self_test( int verbose ) sizeof( ecjpake_test_cli_kx ) ) == 0 ); /* Server derives PMS */ - TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &srv, + TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); @@ -1005,7 +1005,7 @@ int mbedtls_ecjpake_self_test( int verbose ) memset( buf, 0, len ); /* Avoid interferences with next step */ /* Client derives PMS */ - TEST_ASSERT( mbedtls_ecjpake_tls_derive_pms( &cli, + TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli, buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 ); TEST_ASSERT( len == sizeof( ecjpake_test_pms ) ); From c907081a20b21b57b518938042e619c67ac3035a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 14:48:50 +0200 Subject: [PATCH 31/87] Polish the source --- library/ecjpake.c | 63 ++++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index b0fda2013..8aa58477c 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -21,7 +21,7 @@ /* * References in the code are to the Thread v1.0 Specification, - * available from the Thread Group http://threadgroup.org/ + * available to members of the Thread Group http://threadgroup.org/ */ #if !defined(MBEDTLS_CONFIG_FILE) @@ -522,7 +522,7 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, const unsigned char *p = buf; const unsigned char *end = buf + len; mbedtls_ecp_group grp; - mbedtls_ecp_point G; + mbedtls_ecp_point G; /* C: GB, S: GA */ mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &G ); @@ -653,8 +653,8 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, void *p_rng ) { int ret; - mbedtls_ecp_point K, *X42; - mbedtls_mpi xbs, one; + mbedtls_ecp_point K; + mbedtls_mpi m_xm2_s, one; unsigned char kx[MBEDTLS_ECP_MAX_BYTES]; size_t x_bytes; @@ -663,24 +663,23 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); mbedtls_ecp_point_init( &K ); - mbedtls_mpi_init( &xbs ); + mbedtls_mpi_init( &m_xm2_s ); mbedtls_mpi_init( &one ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) ); - X42 = ctx->role == MBEDTLS_ECJPAKE_CLIENT ? &ctx->Xp2 : &ctx->Xp2; /* - * Client: K = ( Xs - X4 * x2 * s ) * x2 - * Server: K = ( Xc - X2 * x4 * s ) * x4 - * Unified: K = ( Xp - X42 * xm2 * x ) * xm2 + * Client: K = ( Xs - X4 * x2 * s ) * x2 + * Server: K = ( Xc - X2 * x4 * s ) * x4 + * Unified: K = ( Xp - Xp2 * xm2 * x ) * xm2 */ - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xbs, &ctx->xm2, &ctx->s ) ); - xbs.s *= -1; - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xbs, &xbs, &ctx->grp.N ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &m_xm2_s, &ctx->xm2, &ctx->s ) ); + m_xm2_s.s *= -1; + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &m_xm2_s, &m_xm2_s, &ctx->grp.N ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K, &one, &ctx->Xp, - &xbs, X42 ) ); + &m_xm2_s, &ctx->Xp2 ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K, f_rng, p_rng ) ); @@ -691,7 +690,7 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, cleanup: mbedtls_ecp_point_free( &K ); - mbedtls_mpi_free( &xbs ); + mbedtls_mpi_free( &m_xm2_s ); mbedtls_mpi_free( &one ); return( ret ); @@ -748,7 +747,7 @@ static const unsigned char ecjpake_test_x4[] = { 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1 }; -static const unsigned char ecjpake_test_cli_ext[] = { +static const unsigned char ecjpake_test_cli_one[] = { 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, @@ -779,7 +778,7 @@ static const unsigned char ecjpake_test_cli_ext[] = { 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0 }; -static const unsigned char ecjpake_test_srv_ext[] = { +static const unsigned char ecjpake_test_srv_one[] = { 0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, @@ -810,7 +809,7 @@ static const unsigned char ecjpake_test_srv_ext[] = { 0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12 }; -static const unsigned char ecjpake_test_srv_kx[] = { +static const unsigned char ecjpake_test_srv_two[] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23, 0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c, 0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f, @@ -827,7 +826,7 @@ static const unsigned char ecjpake_test_srv_kx[] = { 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c }; -static const unsigned char ecjpake_test_cli_kx[] = { +static const unsigned char ecjpake_test_cli_two[] = { 0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46, 0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb, 0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72, @@ -966,34 +965,32 @@ int mbedtls_ecjpake_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " ECJPAKE test #2 (reference handshake): " ); - /* Simulate key generation on client, skip writing client_ext */ + /* Simulate generation of round one */ MBEDTLS_MPI_CHK( ecjpake_test_load( &cli, ecjpake_test_x1, sizeof( ecjpake_test_x1 ), ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) ); - /* Server reads client ext */ - TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, - ecjpake_test_cli_ext, - sizeof( ecjpake_test_cli_ext ) ) == 0 ); - - /* Simulate key generation on server, skip writing server_ext */ MBEDTLS_MPI_CHK( ecjpake_test_load( &srv, ecjpake_test_x3, sizeof( ecjpake_test_x3 ), ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) ); - /* Client reads server ext and key exchange */ + /* Read round one */ + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, + ecjpake_test_cli_one, + sizeof( ecjpake_test_cli_one ) ) == 0 ); + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, - ecjpake_test_srv_ext, - sizeof( ecjpake_test_srv_ext ) ) == 0 ); + ecjpake_test_srv_one, + sizeof( ecjpake_test_srv_one ) ) == 0 ); + /* Skip generation of round two, read round two */ TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, - ecjpake_test_srv_kx, - sizeof( ecjpake_test_srv_kx ) ) == 0 ); + ecjpake_test_srv_two, + sizeof( ecjpake_test_srv_two ) ) == 0 ); - /* Server reads client key exchange */ TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, - ecjpake_test_cli_kx, - sizeof( ecjpake_test_cli_kx ) ) == 0 ); + ecjpake_test_cli_two, + sizeof( ecjpake_test_cli_two ) ) == 0 ); /* Server derives PMS */ TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv, From 55f3d84faa25184f92a351b3a7430fd2d49d13b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 15:08:43 +0200 Subject: [PATCH 32/87] fixup-include --- include/mbedtls/ecjpake.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 59e80e50e..809684831 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -189,7 +189,7 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, * \brief Derive the shared secret * (TLS: Pre-Master Secret) * - * \param ctx + * \param ctx Context to use * \param buf Buffer to write the contents to * \param len Buffer size * \param olen Will be updated with the number of bytes written From d0d8a935b255707975b54c1079f88353731464b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 15:14:50 +0200 Subject: [PATCH 33/87] Blind operations on the secret I'm not sure this is necessary, because it is only multiplied by xm2 which is already random and secret, but OTOH, xm2 is related to a public value, so let's add blinding with a random value that's only use for blinding, just to be extra sure. --- library/ecjpake.c | 44 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 8aa58477c..8a8f0e29a 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -111,7 +111,6 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->s, secret, len ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->s, &ctx->s, &ctx->grp.N ) ); cleanup: if( ret != 0 ) @@ -568,6 +567,37 @@ cleanup: return( ret ); } +/* + * Compute R = +/- X * S mod N, taking care not to leak S + */ +static int ecjpake_mul_secret( mbedtls_mpi *R, int sign, + const mbedtls_mpi *X, + const mbedtls_mpi *S, + const mbedtls_mpi *N, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + mbedtls_mpi b; /* Blinding value, then s + N * blinding */ + + mbedtls_mpi_init( &b ); + + /* b = s + rnd-128-bit * N */ + MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &b, 16, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &b, &b, N ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &b, &b, S ) ); + + /* R = sign * X * b mod N */ + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( R, X, &b ) ); + R->s *= sign; + MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( R, R, N ) ); + +cleanup: + mbedtls_mpi_free( &b ); + + return( ret ); +} + /* * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6) */ @@ -597,8 +627,8 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, */ MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G, &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &xm, &ctx->xm2, &ctx->s ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &xm, &xm, &ctx->grp.N ) ); + MBEDTLS_MPI_CHK( ecjpake_mul_secret( &xm, 1, &ctx->xm2, &ctx->s, + &ctx->grp.N, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xm, &xm, &G, f_rng, p_rng ) ); /* @@ -671,12 +701,10 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, /* * Client: K = ( Xs - X4 * x2 * s ) * x2 * Server: K = ( Xc - X2 * x4 * s ) * x4 - * Unified: K = ( Xp - Xp2 * xm2 * x ) * xm2 + * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2 */ - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &m_xm2_s, &ctx->xm2, &ctx->s ) ); - m_xm2_s.s *= -1; - MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &m_xm2_s, &m_xm2_s, &ctx->grp.N ) ); - + MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s, + &ctx->grp.N, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K, &one, &ctx->Xp, &m_xm2_s, &ctx->Xp2 ) ); From bbe4e52c3bddddfdc304c36d97c637c8a1f85417 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 14 Aug 2015 17:12:50 +0200 Subject: [PATCH 34/87] Start adding tests for EC J-PAKE round one --- tests/suites/test_suite_ecjpake.data | 12 ++++++++++++ tests/suites/test_suite_ecjpake.function | 24 ++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ecjpake.data b/tests/suites/test_suite_ecjpake.data index 3aff2eddb..67f9ece33 100644 --- a/tests/suites/test_suite_ecjpake.data +++ b/tests/suites/test_suite_ecjpake.data @@ -1,2 +1,14 @@ ECJPAKE selftest ecjpake_selftest: + +ECJPAKE round one: client, valid +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":0 + +ECJPAKE round one: server, valid +read_round_one:MBEDTLS_ECJPAKE_SERVER:"4104accf0106ef858fa2d919331346805a78b58bbad0b844e5c7892879146187dd2666ada781bb7f111372251a8910621f634df128ac48e381fd6ef9060731f694a441041dd0bd5d4566c9bed9ce7de701b5e82e08e84b730466018ab903c79eb982172236c0c1728ae4bf73610d34de44246ef3d9c05a2236fb66a6583d7449308babce2072fe16662992e9235c25002f11b15087b82738e03c945bf7a2995dda1e98345841047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b4104a49558d32ed1ebfc1816af4ff09b55fcb4ca47b2a02d1e7caf1179ea3fe1395b22b861964016fabaf72c975695d93d4df0e5197fe9f040634ed59764937787be20bc4deebbf9b8d60a335f046ca3aa941e45864c7cadef9cf75b3d8b010e443ef0":0 + +ECJPAKE round one: role mismatch +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104accf0106ef858fa2d919331346805a78b58bbad0b844e5c7892879146187dd2666ada781bb7f111372251a8910621f634df128ac48e381fd6ef9060731f694a441041dd0bd5d4566c9bed9ce7de701b5e82e08e84b730466018ab903c79eb982172236c0c1728ae4bf73610d34de44246ef3d9c05a2236fb66a6583d7449308babce2072fe16662992e9235c25002f11b15087b82738e03c945bf7a2995dda1e98345841047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b4104a49558d32ed1ebfc1816af4ff09b55fcb4ca47b2a02d1e7caf1179ea3fe1395b22b861964016fabaf72c975695d93d4df0e5197fe9f040634ed59764937787be20bc4deebbf9b8d60a335f046ca3aa941e45864c7cadef9cf75b3d8b010e443ef0":MBEDTLS_ERR_ECP_VERIFY_FAILED + +ECJPAKE round one: client, trailing byte +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1200":MBEDTLS_ERR_ECP_BAD_INPUT_DATA diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function index 44a1f009b..c2f35bdd4 100644 --- a/tests/suites/test_suite_ecjpake.function +++ b/tests/suites/test_suite_ecjpake.function @@ -13,3 +13,27 @@ void ecjpake_selftest() TEST_ASSERT( mbedtls_ecjpake_self_test( 0 ) == 0 ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */ +void read_round_one( int role, char *data, int ref_ret ) +{ + mbedtls_ecjpake_context ctx; + const unsigned char pw[] = {}; + unsigned char *msg; + size_t len; + + mbedtls_ecjpake_init( &ctx ); + + msg = unhexify_alloc( data, &len ); + TEST_ASSERT( msg != NULL ); + + TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, role, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, 0 ) == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_read_round_one( &ctx, msg, len ) == ref_ret ); + +exit: + mbedtls_ecjpake_free( &ctx ); + mbedtls_free( msg ); +} +/* END_CASE */ From 3059095e867268222cdfc8d5d8e8abd63581cb1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 17 Aug 2015 10:37:40 +0200 Subject: [PATCH 35/87] Complete tests for reading round one Also change the code to forbid public keys being 0 --- library/ecjpake.c | 6 ++ tests/suites/test_suite_ecjpake.data | 98 +++++++++++++++++++++++++++- 2 files changed, 103 insertions(+), 1 deletion(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 8a8f0e29a..4ffeaa3a6 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -355,6 +355,12 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, * } ECJPAKEKeyKP; */ MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, p, end - *p ) ); + if( mbedtls_ecp_is_zero( X ) ) + { + ret = MBEDTLS_ERR_ECP_INVALID_KEY; + goto cleanup; + } + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, G, X, id, p, end ) ); cleanup: diff --git a/tests/suites/test_suite_ecjpake.data b/tests/suites/test_suite_ecjpake.data index 67f9ece33..10b823429 100644 --- a/tests/suites/test_suite_ecjpake.data +++ b/tests/suites/test_suite_ecjpake.data @@ -10,5 +10,101 @@ read_round_one:MBEDTLS_ECJPAKE_SERVER:"4104accf0106ef858fa2d919331346805a78b58bb ECJPAKE round one: role mismatch read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104accf0106ef858fa2d919331346805a78b58bbad0b844e5c7892879146187dd2666ada781bb7f111372251a8910621f634df128ac48e381fd6ef9060731f694a441041dd0bd5d4566c9bed9ce7de701b5e82e08e84b730466018ab903c79eb982172236c0c1728ae4bf73610d34de44246ef3d9c05a2236fb66a6583d7449308babce2072fe16662992e9235c25002f11b15087b82738e03c945bf7a2995dda1e98345841047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b4104a49558d32ed1ebfc1816af4ff09b55fcb4ca47b2a02d1e7caf1179ea3fe1395b22b861964016fabaf72c975695d93d4df0e5197fe9f040634ed59764937787be20bc4deebbf9b8d60a335f046ca3aa941e45864c7cadef9cf75b3d8b010e443ef0":MBEDTLS_ERR_ECP_VERIFY_FAILED -ECJPAKE round one: client, trailing byte +ECJPAKE round one: trailing byte read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1200":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: no data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: length of first point too small +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: length of first point too big +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: no point data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"0104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: first point is zero +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"0100":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round one: KKP1: unknown first point format +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41057ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round one: KKP1: nothing after first point +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: length of second point too small +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: length of second point too big +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: no second point data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: unknow second point format +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round one: KKP1: nothing after second point +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: zero-length r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51600":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round one: KKP1: no data for r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51601":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP1: corrupted r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373515":MBEDTLS_ERR_ECP_VERIFY_FAILED + +ECJPAKE round one: KKP1: X not on the curve +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2a410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373514":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round one: KKP2: no data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: length of first point too small +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1200":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: length of first point too big +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1201":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: no point data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb120104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: first point is zero +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb120100":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round one: KKP2: unknown first point format +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241057ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round one: KKP2: nothing after first point +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: length of second point too small +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: length of second point too big +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: no second point data +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: unknow second point format +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round one: KKP2: nothing after second point +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: zero-length r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51600":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round one: KKP2: no data for r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51601":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round one: KKP2: corrupted r +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373515":MBEDTLS_ERR_ECP_VERIFY_FAILED + +ECJPAKE round one: KKP2: X not on the curve +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2a410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373514":MBEDTLS_ERR_ECP_INVALID_KEY From d9802af1d06c41450f5242792c0673c531b8f500 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 17 Aug 2015 12:47:38 +0200 Subject: [PATCH 36/87] Add tests for round 2 Also move one check earlier as it makes more sense --- library/ecjpake.c | 16 +-- tests/suites/test_suite_ecjpake.data | 124 ++++++++++++++++++- tests/suites/test_suite_ecjpake.function | 149 +++++++++++++++++++++++ 3 files changed, 279 insertions(+), 10 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index 4ffeaa3a6..f5863bc4c 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -548,7 +548,15 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, * } Client/ServerECJPAKEParams; */ if( ctx->role == MBEDTLS_ECJPAKE_CLIENT ) + { MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) ); + if( grp.id != ctx->grp.id ) + { + ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; + goto cleanup; + } + } + MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, &G, &ctx->Xp, ID_PEER, &p, end ) ); @@ -558,14 +566,6 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, goto cleanup; } - /* - * Xs already checked, only thing left to check is the group, - */ - if( ctx->role == MBEDTLS_ECJPAKE_CLIENT && grp.id != ctx->grp.id ) - { - ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; - goto cleanup; - } cleanup: mbedtls_ecp_group_free( &grp ); mbedtls_ecp_point_free( &G ); diff --git a/tests/suites/test_suite_ecjpake.data b/tests/suites/test_suite_ecjpake.data index 10b823429..1a772a965 100644 --- a/tests/suites/test_suite_ecjpake.data +++ b/tests/suites/test_suite_ecjpake.data @@ -41,7 +41,7 @@ ECJPAKE round one: KKP1: length of second point too big read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA ECJPAKE round one: KKP1: no second point data -read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b0104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA ECJPAKE round one: KKP1: unknow second point format read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE @@ -89,7 +89,7 @@ ECJPAKE round one: KKP2: length of second point too big read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA ECJPAKE round one: KKP2: no second point data -read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA +read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b0104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA ECJPAKE round one: KKP2: unknow second point format read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE @@ -108,3 +108,123 @@ read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5 ECJPAKE round one: KKP2: X not on the curve read_round_one:MBEDTLS_ECJPAKE_CLIENT:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2a410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373514":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two client: valid +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c":0 + +ECJPAKE round two client: trailing byte +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: no data +read_round_two_cli:"":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: ECParams too short +read_round_two_cli:"0300":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: ECParams not named curve +read_round_two_cli:"010017":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: ECParams wrong curve +read_round_two_cli:"030016":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round two client: no data after ECParams +read_round_two_cli:"030017":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: length of first point too small +read_round_two_cli:"03001700":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: length of first point too big +read_round_two_cli:"03001701":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: no first point data +read_round_two_cli:"0300170104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: first point is zero +read_round_two_cli:"0300170100":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two client: unknown first point format +read_round_two_cli:"03001741050fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a6":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round two client: nothing after first point +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a6":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: length of second point too small +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a600":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: length of second point too big +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a601":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: no second point data +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a60104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: unknown second point format +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641055516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c8":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round two client: nothing after second point +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c8":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: zero-length r +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c800":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two client: no data for r +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c801":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two client: corrupted r +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836d":MBEDTLS_ERR_ECP_VERIFY_FAILED + +ECJPAKE round two client: X not on the curve +read_round_two_cli:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a741045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two server: valid +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c":0 + +ECJPAKE round two server: trailing byte +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: no data +read_round_two_srv:"":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: length of forst point too small +read_round_two_srv:"00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: length of first point too big +read_round_two_srv:"01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: no first point data +read_round_two_srv:"0104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: first point is zero +read_round_two_srv:"0100":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two server: unknown first point format +read_round_two_srv:"410569d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round two server: nothing after first point +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: length of second point too small +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee00":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: length of second point too big +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee01":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: no second point data +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee0104":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: unknown second point format +read_round_two_srv:"410569d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE + +ECJPAKE round two server: nothing after second point +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: zero-length r +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d00":MBEDTLS_ERR_ECP_INVALID_KEY + +ECJPAKE round two server: no data for r +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d20":MBEDTLS_ERR_ECP_BAD_INPUT_DATA + +ECJPAKE round two server: corrupted r +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54d":MBEDTLS_ERR_ECP_VERIFY_FAILED + +ECJPAKE round two server: X not on curve +read_round_two_srv:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ef4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c":MBEDTLS_ERR_ECP_INVALID_KEY diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function index c2f35bdd4..784c81e87 100644 --- a/tests/suites/test_suite_ecjpake.function +++ b/tests/suites/test_suite_ecjpake.function @@ -1,5 +1,94 @@ /* BEGIN_HEADER */ #include "mbedtls/ecjpake.h" + +static const unsigned char ecjpake_test_x1[] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21 +}; + +static const unsigned char ecjpake_test_x2[] = { + 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, + 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81 +}; + +static const unsigned char ecjpake_test_x3[] = { + 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, + 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, + 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81 +}; + +static const unsigned char ecjpake_test_x4[] = { + 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, + 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, + 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1 +}; + +static const unsigned char ecjpake_test_X1[] = { + 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33, + 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5, + 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, 0xa7, + 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62, 0x1f, + 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9, 0x06, + 0x07, 0x31, 0xf6, 0x94, 0xa4 +}; + +static const unsigned char ecjpake_test_X2[] = { + 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, + 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, + 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, + 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, + 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, + 0x2b, 0xb0, 0x13, 0xbb, 0x2b +}; + +static const unsigned char ecjpake_test_X3[] = { + 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, + 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, + 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, + 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, + 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, + 0x2b, 0xb0, 0x13, 0xbb, 0x2b +}; + +static const unsigned char ecjpake_test_X4[] = { + 0x04, 0x19, 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, + 0xee, 0x0f, 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, + 0x70, 0xf8, 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, + 0xfe, 0xc7, 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, + 0xc4, 0xea, 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, + 0x1a, 0xc5, 0x6a, 0x56, 0x12 +}; + +/* Load my private and public keys, and peer's public keys */ +static int ecjpake_test_load( mbedtls_ecjpake_context *ctx, + const unsigned char *xm1, size_t len_xm1, + const unsigned char *xm2, size_t len_xm2, + const unsigned char *Xm1, size_t len_Xm1, + const unsigned char *Xm2, size_t len_Xm2, + const unsigned char *Xp1, size_t len_Xp1, + const unsigned char *Xp2, size_t len_Xp2 ) +{ + int ret; + + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len_xm1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len_xm2 ) ); + + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp, + &ctx->Xm1, Xm1, len_Xm1 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp, + &ctx->Xm2, Xm2, len_Xm2 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp, + &ctx->Xp1, Xp1, len_Xp1 ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp, + &ctx->Xp2, Xp2, len_Xp2 ) ); + +cleanup: + return( ret ); +} + +#define ADD_SIZE( x ) x, sizeof( x ) /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -37,3 +126,63 @@ exit: mbedtls_free( msg ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */ +void read_round_two_cli( char *data, int ref_ret ) +{ + mbedtls_ecjpake_context ctx; + const unsigned char pw[] = {}; + unsigned char *msg; + size_t len; + + mbedtls_ecjpake_init( &ctx ); + + msg = unhexify_alloc( data, &len ); + TEST_ASSERT( msg != NULL ); + + TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_CLIENT, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, 0 ) == 0 ); + + TEST_ASSERT( ecjpake_test_load( &ctx, + ADD_SIZE( ecjpake_test_x1 ), ADD_SIZE( ecjpake_test_x2 ), + ADD_SIZE( ecjpake_test_X1 ), ADD_SIZE( ecjpake_test_X2 ), + ADD_SIZE( ecjpake_test_X3 ), ADD_SIZE( ecjpake_test_X4 ) ) + == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg, len ) == ref_ret ); + +exit: + mbedtls_ecjpake_free( &ctx ); + mbedtls_free( msg ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */ +void read_round_two_srv( char *data, int ref_ret ) +{ + mbedtls_ecjpake_context ctx; + const unsigned char pw[] = {}; + unsigned char *msg; + size_t len; + + mbedtls_ecjpake_init( &ctx ); + + msg = unhexify_alloc( data, &len ); + TEST_ASSERT( msg != NULL ); + + TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_SERVER, + MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, 0 ) == 0 ); + + TEST_ASSERT( ecjpake_test_load( &ctx, + ADD_SIZE( ecjpake_test_x3 ), ADD_SIZE( ecjpake_test_x4 ), + ADD_SIZE( ecjpake_test_X3 ), ADD_SIZE( ecjpake_test_X4 ), + ADD_SIZE( ecjpake_test_X1 ), ADD_SIZE( ecjpake_test_X2 ) ) + == 0 ); + + TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg, len ) == ref_ret ); + +exit: + mbedtls_ecjpake_free( &ctx ); + mbedtls_free( msg ); +} +/* END_CASE */ From cd345898a0e39e086fa015f5cfe7e182b0c7b259 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 18 Aug 2015 21:05:18 +0200 Subject: [PATCH 37/87] Fix #ifdef in test suite --- tests/suites/test_suite_ecjpake.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function index 784c81e87..8d867b736 100644 --- a/tests/suites/test_suite_ecjpake.function +++ b/tests/suites/test_suite_ecjpake.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include "mbedtls/ecjpake.h" +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C) static const unsigned char ecjpake_test_x1[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, @@ -89,6 +90,7 @@ cleanup: } #define ADD_SIZE( x ) x, sizeof( x ) +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */ /* END_HEADER */ /* BEGIN_DEPENDENCIES From f472179d44c81de9fd54d115284b552b37a9b8bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 10:53:51 +0200 Subject: [PATCH 38/87] Adjust dependencies for EC extensions The Thread spec says we need those for EC J-PAKE too. However, we won't be using the information, so we can skip the parsing functions in an EC J-PAKE only config; keep the writing functions in order to comply with the spec. --- include/mbedtls/ssl_internal.h | 3 ++- library/ssl_cli.c | 10 ++++++---- library/ssl_srv.c | 8 +++++--- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 73279a5ae..e9d06daa0 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -168,7 +168,8 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 5a9c43222..ba6a6166d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -208,7 +208,8 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -277,7 +278,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, @@ -771,7 +772,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; @@ -1507,7 +1509,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index ca1e7b804..afac3e108 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1976,7 +1976,8 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -2004,7 +2005,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_SSL_ALPN ) static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, @@ -2290,7 +2291,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif From 76cfd3f97feca19ce73b6ea69707aaf85d62f4e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 12:10:54 +0200 Subject: [PATCH 39/87] Add EC J-PAKE context in handshake structure --- include/mbedtls/ssl_internal.h | 7 +++++++ library/ssl_tls.c | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index e9d06daa0..dc2ddc192 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -41,6 +41,10 @@ #include "sha512.h" #endif +#if defined(MBEDTLS_ECJPAKE_C) +#include "ecjpake.h" +#endif + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && !defined(inline) #define inline __inline #endif @@ -168,6 +172,9 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif +#if defined(MBEDTLS_ECJPAKE_C) + mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_ECJPAKE_C) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 14ee521ca..93055eb94 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4932,6 +4932,9 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif +#if defined(MBEDTLS_ECJPAKE_C) + mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; @@ -6590,6 +6593,9 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif +#if defined(MBEDTLS_ECJPAKE_C) + mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) /* explicit void pointer cast for buggy MS compiler */ From 7002f4a560cc44defb176f7f9273eae1cfa2371e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 12:43:43 +0200 Subject: [PATCH 40/87] Add mbedtls_ssl_set_hs_ecjpake_password() --- include/mbedtls/ssl.h | 23 +++++++++++++++++++++++ library/ssl_tls.c | 26 ++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index bd88918ca..51a3a0638 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1671,6 +1671,29 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, void *p_sni ); #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ +#if defined(MBEDTLS_ECJPAKE_C) +/** + * \brief Set the EC J-PAKE password for current handshake. + * + * \note An internal copy is made, and destroyed as soon as the + * handshake is completed, or when the SSL context is reset or + * freed. + * + * \note The SSL context needs to be already set up. The right place + * to call this function is between \c mbedtls_ssl_setup() or + * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). + * + * \param ssl SSL context + * \param pw EC J-PAKE password (pre-shared secret) + * \param pw_len length of pw in bytes + * + * \return 0 on success, or a negative error code. + */ +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ); +#endif /*MBEDTLS_ECJPAKE_C */ + #if defined(MBEDTLS_SSL_ALPN) /** * \brief Set the supported Application Layer Protocols. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 93055eb94..3fe2824f8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5451,6 +5451,32 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ +#if defined(MBEDTLS_ECJPAKE_C) +/* + * Set EC J-PAKE password for current handshake + */ +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + mbedtls_ecjpake_role role; + + if( ssl->handshake == NULL && ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + role = MBEDTLS_ECJPAKE_SERVER; + else + role = MBEDTLS_ECJPAKE_CLIENT; + + return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, + role, + MBEDTLS_MD_SHA256, + MBEDTLS_ECP_DP_SECP256R1, + pw, pw_len ) ); +} +#endif /* MBEDTLS_ECJPAKE_C */ + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, From b813accf8463c042e7904aa89d0b8eb1947be1fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 15:34:09 +0200 Subject: [PATCH 41/87] Add mbedtls_ecjpake_check(), tells if set up This will be used in SSL to avoid the computation-heavy processing of EC J-PAKE hello extensions in case we don't have an EC J-PAKE password --- include/mbedtls/ecjpake.h | 10 ++++++++++ library/ecjpake.c | 15 +++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 809684831..c1aa8cf1b 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -115,6 +115,16 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, const unsigned char *secret, size_t len ); +/* + * \brief Check if a context is ready for use + * + * \param ctx Context to check + * + * \return 0 if the context is ready for use, + * MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise + */ +int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ); + /** * \brief Generate and write the first round message * (TLS: contents of the Client/ServerHello extension, diff --git a/library/ecjpake.c b/library/ecjpake.c index f5863bc4c..0535a570f 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -119,6 +119,21 @@ cleanup: return( ret ); } +/* + * Check if context is ready for use + */ +int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ) +{ + if( ctx->md_info == NULL || + ctx->grp.id == MBEDTLS_ECP_DP_NONE || + ctx->s.p == NULL ) + { + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + } + + return( 0 ); +} + /* * Write a point plus its length to a buffer */ From 294139b57a13663d0073d031d2ee2bf8b14cbac0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 16:55:05 +0200 Subject: [PATCH 42/87] Add client extension writing --- include/mbedtls/ssl.h | 2 ++ library/ssl_cli.c | 47 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 51a3a0638..eed441319 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -349,6 +349,8 @@ #define MBEDTLS_TLS_EXT_SESSION_TICKET 35 +#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ + #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01 /* diff --git a/library/ssl_cli.c b/library/ssl_cli.c index ba6a6166d..bab63a711 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -280,6 +280,48 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#if defined(MBEDTLS_ECJPAKE_C) +static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t *olen ) +{ + int ret; + unsigned char *p = buf; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + size_t kkpp_len; + + *olen = 0; + + /* Skip costly extension if we can't use EC J-PAKE anyway */ + if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + return; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); + + if( end - p < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } + + *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); + + if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, + p + 2, end - p - 2, &kkpp_len, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); + return; + } + + *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); + + *olen = kkpp_len + 4; +} +#endif /* MBEDTLS_ECJPAKE_C */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, unsigned char *buf, @@ -781,6 +823,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif +#if defined(MBEDTLS_ECJPAKE_C) + ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); + ext_len += olen; +#endif + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; From 557535d8c4a40fcafdf6613cbc9e1193ee515443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 17:53:32 +0200 Subject: [PATCH 43/87] Add ECJPAKE key exchange --- include/mbedtls/check_config.h | 6 ++++++ include/mbedtls/config.h | 17 +++++++++++++++++ include/mbedtls/ssl.h | 3 +++ include/mbedtls/ssl_ciphersuites.h | 1 + library/ssl_cli.c | 2 +- library/ssl_tls.c | 1 + library/version_features.c | 3 +++ 7 files changed, 32 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ee89c9fad..e0eec0564 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -192,6 +192,12 @@ #error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites" #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \ + !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ) +#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) ) #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index fa202756f..baa5a7a9b 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -694,6 +694,23 @@ */ #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +/** + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + * + * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. + * + * \warning Those are currently experimental. + * + * Requires: MBEDTLS_ECJPAKE_C + * MBEDTLS_SHA256_C + * MBEDTLS_ECP_DP_SECP256R1_ENABLED + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + */ +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + /** * \def MBEDTLS_PK_PARSE_EC_EXTENDED * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index eed441319..04c309830 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -389,6 +389,9 @@ union mbedtls_ssl_premaster_secret unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES + MBEDTLS_PSK_MAX_LEN]; /* RFC 5489 2 */ #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + unsigned char _pms_ecjpake[32]; /* Thread spec: SHA-256 output */ +#endif }; #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 75d4a8a01..35a65c89d 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -244,6 +244,7 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_KEY_EXCHANGE_ECJPAKE, } mbedtls_key_exchange_type_t; #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index bab63a711..cacab330a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1556,7 +1556,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3fe2824f8..2f5ca9fa8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7160,6 +7160,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, case MBEDTLS_KEY_EXCHANGE_PSK: case MBEDTLS_KEY_EXCHANGE_DHE_PSK: case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: usage = 0; } } diff --git a/library/version_features.c b/library/version_features.c index fa7a99809..e786d7d91 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -264,6 +264,9 @@ static const char *features[] = { #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED", #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED", +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) "MBEDTLS_PK_PARSE_EC_EXTENDED", #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ From 538cb7b0b4c4022ca89f982f746de679e4f4af01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 15 Sep 2015 18:03:28 +0200 Subject: [PATCH 44/87] Add the ECJPAKE ciphersuite --- include/mbedtls/ssl_ciphersuites.h | 2 ++ library/ssl_ciphersuites.c | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 35a65c89d..9cf3f4258 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -229,6 +229,8 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */ + /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange. * Reminder: update MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED below. */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 8bad7abd7..949b9ed64 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -40,7 +40,7 @@ * * Current rule (except rc4, weak and null which come last): * 1. By key exchange: - * Forward-secure non-PSK > forward-secure PSK > other non-PSK > other PSK + * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 @@ -131,6 +131,9 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + /* The ECJPAKE suite */ + MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, + /* All AES-256 suites */ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_RSA_WITH_AES_256_CCM, @@ -1510,6 +1513,18 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_ARC4_C */ #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CCM_C) + { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8", + MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_CIPHERSUITE_SHORT_TAG }, +#endif /* MBEDTLS_CCM_C */ +#endif /* MBEDTLS_AES_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES) #if defined(MBEDTLS_CIPHER_NULL_CIPHER) #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) From ddf97a6c92cbfe66264e84addcb60dbd1a1f51d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 09:58:31 +0200 Subject: [PATCH 45/87] Skip ECJPAKE suite in ClientHello if no pw set up When we don't have a password, we want to skip the costly process of generating the extension. So for consistency don't offer the ciphersuite without the extension. --- library/ssl_cli.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index cacab330a..e8cb0f143 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -723,6 +723,12 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) continue; #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + continue; +#endif + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", ciphersuites[i] ) ); From eef142d7538e3b8211cafbdc1c1ab4aeac44dd21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 10:05:04 +0200 Subject: [PATCH 46/87] Depend on ECJPAKE key exchange, not module This is more consistent, as it doesn't make any sense for a user to be able to set up an EC J-PAKE password with TLS if the corresponding key exchange is disabled. Arguably this is what we should de for other key exchanges as well instead of depending on ECDH_C etc, but this is an independent issue, so let's just do the right thing with the new key exchange and fix the other ones later. (This is a marginal issue anyway, since people who disable all ECDH key exchange are likely to also disable ECDH_C in order to minimize footprint.) --- include/mbedtls/ssl.h | 4 ++-- include/mbedtls/ssl_internal.h | 6 +++--- library/ssl_cli.c | 12 ++++++------ library/ssl_srv.c | 6 +++--- library/ssl_tls.c | 8 ++++---- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 04c309830..3d73da975 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1676,7 +1676,7 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, void *p_sni ); #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /** * \brief Set the EC J-PAKE password for current handshake. * @@ -1697,7 +1697,7 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ); -#endif /*MBEDTLS_ECJPAKE_C */ +#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) /** diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index dc2ddc192..d9e3e5c8f 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -41,7 +41,7 @@ #include "sha512.h" #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #include "ecjpake.h" #endif @@ -172,11 +172,11 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index e8cb0f143..2d32071e7 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -278,9 +278,9 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -320,7 +320,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *olen = kkpp_len + 4; } -#endif /* MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, @@ -821,7 +821,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; @@ -829,7 +829,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif diff --git a/library/ssl_srv.c b/library/ssl_srv.c index afac3e108..67dad5fff 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1977,7 +1977,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -2005,7 +2005,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_ALPN ) static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, @@ -2292,7 +2292,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2f5ca9fa8..84211bbc0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4932,7 +4932,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); #endif @@ -5451,7 +5451,7 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * Set EC J-PAKE password for current handshake */ @@ -5475,7 +5475,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); } -#endif /* MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, @@ -6619,7 +6619,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); #endif From 70905a78558cecdaebea3b55b1eccf5d41783fb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 11:08:34 +0200 Subject: [PATCH 47/87] Add ecjpake_pw option to ssl_client2/server2 --- programs/ssl/ssl_client2.c | 26 ++++++++++++++++++++++++++ programs/ssl/ssl_server2.c | 26 ++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 99c2d2a5e..53ec635af 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -75,6 +75,7 @@ int main( void ) #define DFL_KEY_FILE "" #define DFL_PSK "" #define DFL_PSK_IDENTITY "Client_identity" +#define DFL_ECJPAKE_PW NULL #define DFL_FORCE_CIPHER 0 #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED #define DFL_ALLOW_LEGACY -2 @@ -210,6 +211,13 @@ int main( void ) #define USAGE_RENEGO "" #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#else +#define USAGE_ECJPAKE "" +#endif + #define USAGE \ "\n usage: ssl_client2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -232,6 +240,7 @@ int main( void ) USAGE_IO \ "\n" \ USAGE_PSK \ + USAGE_ECJPAKE \ "\n" \ " allow_legacy=%%d default: (library default: no)\n" \ USAGE_RENEGO \ @@ -277,6 +286,7 @@ struct options const char *key_file; /* the file with the client key */ const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ + const char *ecjpake_pw; /* the EC J-PAKE password */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ int renegotiation; /* enable / disable renegotiation */ int allow_legacy; /* allow legacy renegotiation */ @@ -466,6 +476,7 @@ int main( int argc, char *argv[] ) opt.key_file = DFL_KEY_FILE; opt.psk = DFL_PSK; opt.psk_identity = DFL_PSK_IDENTITY; + opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; @@ -553,6 +564,8 @@ int main( int argc, char *argv[] ) opt.psk = q; else if( strcmp( p, "psk_identity" ) == 0 ) opt.psk_identity = q; + else if( strcmp( p, "ecjpake_pw" ) == 0 ) + opt.ecjpake_pw = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q ); @@ -1194,6 +1207,19 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( opt.ecjpake_pw != DFL_ECJPAKE_PW ) + { + if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl, + (const unsigned char *) opt.ecjpake_pw, + strlen( opt.ecjpake_pw ) ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret ); + goto exit; + } + } +#endif + if( opt.nbio == 2 ) mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); else diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f169291eb..3f88452b6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -102,6 +102,7 @@ int main( void ) #define DFL_KEY_FILE2 "" #define DFL_PSK "" #define DFL_PSK_IDENTITY "Client_identity" +#define DFL_ECJPAKE_PW NULL #define DFL_PSK_LIST NULL #define DFL_FORCE_CIPHER 0 #define DFL_VERSION_SUITES NULL @@ -293,6 +294,13 @@ int main( void ) #define USAGE_RENEGO "" #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#define USAGE_ECJPAKE \ + " ecjpake_pw=%%s default: none (disabled)\n" +#else +#define USAGE_ECJPAKE "" +#endif + #define USAGE \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -314,6 +322,7 @@ int main( void ) USAGE_SNI \ "\n" \ USAGE_PSK \ + USAGE_ECJPAKE \ "\n" \ " allow_legacy=%%d default: (library default: no)\n" \ USAGE_RENEGO \ @@ -358,6 +367,7 @@ struct options const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ + const char *ecjpake_pw; /* the EC J-PAKE password */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ const char *version_suites; /* per-version ciphersuites */ int renegotiation; /* enable / disable renegotiation */ @@ -900,6 +910,7 @@ int main( int argc, char *argv[] ) opt.psk = DFL_PSK; opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; + opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.version_suites = DFL_VERSION_SUITES; opt.renegotiation = DFL_RENEGOTIATION; @@ -985,6 +996,8 @@ int main( int argc, char *argv[] ) opt.psk_identity = q; else if( strcmp( p, "psk_list" ) == 0 ) opt.psk_list = q; + else if( strcmp( p, "ecjpake_pw" ) == 0 ) + opt.ecjpake_pw = q; else if( strcmp( p, "force_ciphersuite" ) == 0 ) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q ); @@ -1898,6 +1911,19 @@ reset: } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( opt.ecjpake_pw != DFL_ECJPAKE_PW ) + { + if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl, + (const unsigned char *) opt.ecjpake_pw, + strlen( opt.ecjpake_pw ) ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret ); + goto exit; + } + } +#endif + mbedtls_printf( " ok\n" ); /* From 60884a15973e644d25c3ebfafbd13f6e9f794e72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 11:13:41 +0200 Subject: [PATCH 48/87] Improve debug formatting of ciphersuites --- library/ssl_cli.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 2d32071e7..6b8236d45 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -729,8 +729,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) continue; #endif - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", - ciphersuites[i] ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", + ciphersuites[i] ) ); n++; *p++ = (unsigned char)( ciphersuites[i] >> 8 ); @@ -1424,7 +1424,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); @@ -1439,6 +1439,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); + i = 0; while( 1 ) { From c1b46d0242dc88da143842c16b99397c7add6dde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 11:18:32 +0200 Subject: [PATCH 49/87] Fix bug in server parsing point formats extension This bug becomes noticeable when the extension following the "supported point formats" extension has a number starting with 0x01, which is the case of the EC J-PAKE extension, which explains what I noticed the bug now. This will be immediately backported to the stable branches, see the corresponding commits for impact analysis. --- library/ssl_srv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 67dad5fff..aab25e22e 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -299,7 +299,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); } - p = buf + 2; + p = buf + 1; while( list_size > 0 ) { if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || From e511b4e7cb7316b244d02e667c3f7667159d0ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 14:11:09 +0200 Subject: [PATCH 50/87] Ignore ECJPAKE suite if not configured on server --- library/ssl_srv.c | 11 +++++++++++ tests/ssl-opt.sh | 21 +++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index aab25e22e..6676c18a0 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -707,6 +707,17 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, } #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " + "ecjpake not configured" ) ); + return( 0 ); + } +#endif + + #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && ( ssl->handshake->curves == NULL || diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 77db588db..20ee6bc15 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2499,6 +2499,27 @@ run_test "PSK callback: wrong key" \ -S "SSL - Unknown identity received" \ -s "SSL - Verification of the message MAC failed" +# Tests for EC J-PAKE + +run_test "ECJPAKE: client not configured" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3" \ + 0 \ + -C "add ciphersuite: c0ff" \ + -C "adding ecjpake_kkpp extension" \ + -S "ciphersuite mismatch: ecjpake not configured" \ + -S "None of the common ciphersuites is usable" + +run_test "ECJPAKE: server not configured" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3 ecjpake_pw=bla \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 1 \ + -c "add ciphersuite: c0ff" \ + -c "adding ecjpake_kkpp extension" \ + -s "ciphersuite mismatch: ecjpake not configured" \ + -s "None of the common ciphersuites is usable" + # Tests for ciphersuites per version run_test "Per-version suites: SSL3" \ From bf57be690e2e20a08cc64a75ffd6e64222ee3bc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 15:04:01 +0200 Subject: [PATCH 51/87] Add server extension parsing Only accept EC J-PAKE ciphersuite if extension was present and OK (single flag for both), and ignore extension if we have no password. --- include/mbedtls/ssl_internal.h | 1 + library/ssl_srv.c | 43 +++++++++++++++++++++++++++++++--- tests/ssl-opt.sh | 16 +++++++++++++ 3 files changed, 57 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index d9e3e5c8f..b74cca2df 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -150,6 +150,7 @@ * of state of the renegotiation flag, so no indicator is required) */ #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) +#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) #ifdef __cplusplus extern "C" { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 6676c18a0..9088965b4 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -318,6 +318,33 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + int ret; + + if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); + return( 0 ); + } + + if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, + buf, len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); + return( ret ); + } + + /* Only mark the extension as OK when we're sure it is */ + ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; + + return( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, @@ -709,10 +736,10 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && - mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " - "ecjpake not configured" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " + "not configured or ext missing" ) ); return( 0 ); } #endif @@ -1571,6 +1598,16 @@ read_record_header: break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); + + ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 20ee6bc15..8051aed42 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2507,6 +2507,8 @@ run_test "ECJPAKE: client not configured" \ 0 \ -C "add ciphersuite: c0ff" \ -C "adding ecjpake_kkpp extension" \ + -S "found ecjpake kkpp extension" \ + -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ -S "None of the common ciphersuites is usable" @@ -2517,9 +2519,23 @@ run_test "ECJPAKE: server not configured" \ 1 \ -c "add ciphersuite: c0ff" \ -c "adding ecjpake_kkpp extension" \ + -s "found ecjpake kkpp extension" \ + -s "skip ecjpake kkpp extension" \ -s "ciphersuite mismatch: ecjpake not configured" \ -s "None of the common ciphersuites is usable" +run_test "ECJPAKE: working, TLS" \ + "$P_SRV debug_level=3 ecjpake_pw=bla" \ + "$P_CLI debug_level=3 ecjpake_pw=bla \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 1 \ + -c "add ciphersuite: c0ff" \ + -c "adding ecjpake_kkpp extension" \ + -s "found ecjpake kkpp extension" \ + -S "skip ecjpake kkpp extension" \ + -S "ciphersuite mismatch: ecjpake not configured" \ + -S "None of the common ciphersuites is usable" + # Tests for ciphersuites per version run_test "Per-version suites: SSL3" \ From 55c7f991120f850a8b8704ca685dca76e7ab1a58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 15:35:27 +0200 Subject: [PATCH 52/87] Add server writing of the extension --- library/ssl_srv.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 3 +++ 2 files changed, 51 insertions(+) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 9088965b4..b5256d3aa 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2055,6 +2055,49 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t *olen ) +{ + int ret; + unsigned char *p = buf; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + size_t kkpp_len; + + *olen = 0; + + /* Skip costly computation if not needed */ + if( ssl->transform_negotiate->ciphersuite_info->key_exchange != + MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + return; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); + + if( end - p < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } + + *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); + + if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, + p + 2, end - p - 2, &kkpp_len, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); + return; + } + + *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); + + *olen = kkpp_len + 4; +} +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN ) static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -2345,6 +2388,11 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); + ext_len += olen; +#endif + #if defined(MBEDTLS_SSL_ALPN) ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8051aed42..4c65d8440 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2510,6 +2510,7 @@ run_test "ECJPAKE: client not configured" \ -S "found ecjpake kkpp extension" \ -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ + -S "server hello, ecjpake kkpp extension" \ -S "None of the common ciphersuites is usable" run_test "ECJPAKE: server not configured" \ @@ -2522,6 +2523,7 @@ run_test "ECJPAKE: server not configured" \ -s "found ecjpake kkpp extension" \ -s "skip ecjpake kkpp extension" \ -s "ciphersuite mismatch: ecjpake not configured" \ + -S "server hello, ecjpake kkpp extension" \ -s "None of the common ciphersuites is usable" run_test "ECJPAKE: working, TLS" \ @@ -2534,6 +2536,7 @@ run_test "ECJPAKE: working, TLS" \ -s "found ecjpake kkpp extension" \ -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ + -s "server hello, ecjpake kkpp extension" \ -S "None of the common ciphersuites is usable" # Tests for ciphersuites per version From 0a1324aaa16c3bf91fe97600bb63f1116669a00f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 16:01:00 +0200 Subject: [PATCH 53/87] Add client-side extension parsing --- library/ssl_cli.c | 38 ++++++++++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 3 +++ 2 files changed, 41 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 6b8236d45..e1cd245ad 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1076,6 +1076,31 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + int ret; + + if( ssl->transform_negotiate->ciphersuite_info->key_exchange != + MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); + return( 0 ); + } + + if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, + buf, len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); + return( ret ); + } + + return( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN) static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -1577,6 +1602,19 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); + + if( ( ret = ssl_parse_ecjpake_kkpp( ssl, + ext + 4, ext_size ) ) != 0 ) + { + return( ret ); + } + + break; +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN) case MBEDTLS_TLS_EXT_ALPN: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4c65d8440..2527a863a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2511,6 +2511,7 @@ run_test "ECJPAKE: client not configured" \ -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ -S "server hello, ecjpake kkpp extension" \ + -C "found ecjpake_kkpp extension" \ -S "None of the common ciphersuites is usable" run_test "ECJPAKE: server not configured" \ @@ -2524,6 +2525,7 @@ run_test "ECJPAKE: server not configured" \ -s "skip ecjpake kkpp extension" \ -s "ciphersuite mismatch: ecjpake not configured" \ -S "server hello, ecjpake kkpp extension" \ + -C "found ecjpake_kkpp extension" \ -s "None of the common ciphersuites is usable" run_test "ECJPAKE: working, TLS" \ @@ -2537,6 +2539,7 @@ run_test "ECJPAKE: working, TLS" \ -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ -s "server hello, ecjpake kkpp extension" \ + -c "found ecjpake_kkpp extension" \ -S "None of the common ciphersuites is usable" # Tests for ciphersuites per version From 25dbeb002dbdec3acc5b28a658f713c3868d267a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 17:30:03 +0200 Subject: [PATCH 54/87] Skip certificate-related messages with ECJPAKE --- library/ssl_cli.c | 12 ++++++++---- library/ssl_srv.c | 8 ++++++-- library/ssl_tls.c | 12 ++++++++---- 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index e1cd245ad..f567cabc1 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2318,7 +2318,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); ssl->state++; @@ -2342,7 +2343,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); ssl->state++; @@ -2766,7 +2768,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); ssl->state++; @@ -2798,7 +2801,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); ssl->state++; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index b5256d3aa..d6aee0c62 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2431,7 +2431,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); ssl->state++; @@ -2467,6 +2468,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || authmode == MBEDTLS_SSL_VERIFY_NONE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); @@ -3455,7 +3457,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); ssl->state++; @@ -3485,6 +3488,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || ssl->session_negotiate->peer_cert == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 84211bbc0..6f4703c21 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3754,7 +3754,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); ssl->state++; @@ -3773,7 +3774,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); ssl->state++; @@ -3795,7 +3797,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); ssl->state++; @@ -3910,7 +3913,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); ssl->state++; From 0f1660ab4f1dc966c0298ab102476c7588edcafb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 22:41:06 +0200 Subject: [PATCH 55/87] Implement key exchange messages and PMS derivation This completes the first working version. No interop testing done yet. --- library/ssl_cli.c | 38 ++++++++++++++++++++++++++++++++++++++ library/ssl_srv.c | 41 +++++++++++++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 2 +- 3 files changed, 80 insertions(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index f567cabc1..3b7dde076 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2120,6 +2120,19 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, + p, end - p ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + } + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -2724,6 +2737,31 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) return( ret ); } else +#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + i = 4; + + ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, + ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); + return( ret ); + } + + ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, + ssl->handshake->premaster, 32, &ssl->handshake->pmslen, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); + return( ret ); + } + } + else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ { ((void) ciphersuite_info); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d6aee0c62..8be7ac586 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2675,6 +2675,25 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) } #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + size_t jlen; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + + ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, + p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); + return( ret ); + } + + p += jlen; + n += jlen; + } +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || @@ -3426,6 +3445,28 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, + p, end - p ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + } + + ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, + ssl->handshake->premaster, 32, &ssl->handshake->pmslen, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); + return( ret ); + } + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2527a863a..cac039a44 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2532,7 +2532,7 @@ run_test "ECJPAKE: working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ - 1 \ + 0 \ -c "add ciphersuite: c0ff" \ -c "adding ecjpake_kkpp extension" \ -s "found ecjpake kkpp extension" \ From 921f2d02cf248114d2e4b61f3b33e65a28b4fab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 22:52:18 +0200 Subject: [PATCH 56/87] Add test cases with DTLS and/or password mismatch --- tests/ssl-opt.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index cac039a44..5c0e86638 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2540,7 +2540,29 @@ run_test "ECJPAKE: working, TLS" \ -S "ciphersuite mismatch: ecjpake not configured" \ -s "server hello, ecjpake kkpp extension" \ -c "found ecjpake_kkpp extension" \ - -S "None of the common ciphersuites is usable" + -S "None of the common ciphersuites is usable" \ + -S "SSL - Verification of the message MAC failed" + +run_test "ECJPAKE: password mismatch, TLS" \ + "$P_SRV debug_level=3 ecjpake_pw=bla" \ + "$P_CLI debug_level=3 ecjpake_pw=bad \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 1 \ + -s "SSL - Verification of the message MAC failed" + +run_test "ECJPAKE: working, DTLS" \ + "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ + "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 0 \ + -S "SSL - Verification of the message MAC failed" + +run_test "ECJPAKE: password mismatch, DTLS" \ + "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ + "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 1 \ + -s "SSL - Verification of the message MAC failed" # Tests for ciphersuites per version From 75df902740a5f1129726067761f8e458d14932c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 23:21:01 +0200 Subject: [PATCH 57/87] Add warning on config options Note to self: actually disable before merging that branch! --- include/mbedtls/config.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index baa5a7a9b..11435df8d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -699,7 +699,9 @@ * * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. * - * \warning Those are currently experimental. + * \warning This is currently experimental. EC J-PAKE support is based on the + * Thread v1.0.0 specification; incompatible changes to the specification + * might still happen. For this reason, this is disabled by default. * * Requires: MBEDTLS_ECJPAKE_C * MBEDTLS_SHA256_C @@ -1692,6 +1694,10 @@ * * Enable the elliptic curve J-PAKE library. * + * \warning This is currently experimental. EC J-PAKE support is based on the + * Thread v1.0.0 specification; incompatible changes to the specification + * might still happen. For this reason, this is disabled by default. + * * Module: library/ecjpake.c * Caller: * From 6657b8da3ba79bdced1f3095b02d35fe0cca5e59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 17 Sep 2015 13:46:21 +0200 Subject: [PATCH 58/87] Fix curve-dependency test --- tests/scripts/curves.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl index 545b3b725..06128f78a 100755 --- a/tests/scripts/curves.pl +++ b/tests/scripts/curves.pl @@ -23,6 +23,8 @@ sub abort { for my $curve (@curves) { system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n"; + # depends on a specific curve + system( "scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED" ) and die; system( "make clean" ) and die; print "\n******************************************\n"; @@ -32,7 +34,7 @@ for my $curve (@curves) { system( "scripts/config.pl unset $curve" ) and abort "Failed to disable $curve\n"; - system( "make mbedtls" ) and abort "Failed to build lib: $curve\n"; + system( "make lib" ) and abort "Failed to build lib: $curve\n"; system( "cd tests && make" ) and abort "Failed to build tests: $curve\n"; system( "make test" ) and abort "Failed test suite: $curve\n"; From 77c0646ef2523bfab89d65e705be5a9e8defe20c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 17 Sep 2015 13:59:49 +0200 Subject: [PATCH 59/87] Add cache for EC J-PAKE client extension Not used yet, just add the variables and cleanup code. --- include/mbedtls/ssl_internal.h | 4 ++++ library/ssl_tls.c | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index b74cca2df..68e45a081 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -175,6 +175,10 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#if defined(MBEDTLS_SSL_CLI_C) + unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ + size_t ecjpake_cache_len; /*!< Length of cached data */ +#endif #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6f4703c21..c1bccbecc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4938,6 +4938,10 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#if defined(MBEDTLS_SSL_CLI_C) + handshake->ecjpake_cache = NULL; + handshake->ecjpake_cache_len = 0; +#endif #endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) @@ -6625,6 +6629,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#if defined(MBEDTLS_SSL_CLI_C) + mbedtls_free( handshake->ecjpake_cache ); + handshake->ecjpake_cache = NULL; + handshake->ecjpake_cache_len = 0; +#endif #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) From d0d8cb36a4dd722c38a54e2fd380325074a9b617 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 17 Sep 2015 14:16:30 +0200 Subject: [PATCH 60/87] Cache ClientHello extension This extension is quite costly to generate, and we don't want to re-do it again when the server performs a DTLS HelloVerify. So, cache the result the first time and re-use if/when we build a new ClientHello. Note: re-send due to timeouts are different, as the whole message is cached already, so they don't need any special support. --- library/ssl_cli.c | 50 ++++++++++++++++++++++++++++++++++++++++++----- tests/ssl-opt.sh | 12 ++++++++++++ 2 files changed, 57 insertions(+), 5 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3b7dde076..c0386b697 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -307,12 +307,47 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); - if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, - p + 2, end - p - 2, &kkpp_len, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + /* + * We may need to send ClientHello multiple times for Hello verification. + * We don't want to compute fresh values every time (both for performance + * and consistency reasons), so cache the extension content. + */ + if( ssl->handshake->ecjpake_cache == NULL || + ssl->handshake->ecjpake_cache_len == 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); - return; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); + + if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, + p + 2, end - p - 2, &kkpp_len, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); + return; + } + + ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); + if( ssl->handshake->ecjpake_cache == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); + return; + } + + memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); + ssl->handshake->ecjpake_cache_len = kkpp_len; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); + + kkpp_len = ssl->handshake->ecjpake_cache_len; + + if( (size_t)( end - p - 2 ) < kkpp_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } + + memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); } *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); @@ -1090,6 +1125,11 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, return( 0 ); } + /* If we got here, we no longer need our cached extension */ + mbedtls_free( ssl->handshake->ecjpake_cache ); + ssl->handshake->ecjpake_cache = NULL; + ssl->handshake->ecjpake_cache_len = 0; + if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5c0e86638..198288d13 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2535,6 +2535,7 @@ run_test "ECJPAKE: working, TLS" \ 0 \ -c "add ciphersuite: c0ff" \ -c "adding ecjpake_kkpp extension" \ + -C "re-using cached ecjpake parameters" \ -s "found ecjpake kkpp extension" \ -S "skip ecjpake kkpp extension" \ -S "ciphersuite mismatch: ecjpake not configured" \ @@ -2548,6 +2549,7 @@ run_test "ECJPAKE: password mismatch, TLS" \ "$P_CLI debug_level=3 ecjpake_pw=bad \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 1 \ + -C "re-using cached ecjpake parameters" \ -s "SSL - Verification of the message MAC failed" run_test "ECJPAKE: working, DTLS" \ @@ -2555,6 +2557,15 @@ run_test "ECJPAKE: working, DTLS" \ "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 0 \ + -c "re-using cached ecjpake parameters" \ + -S "SSL - Verification of the message MAC failed" + +run_test "ECJPAKE: working, DTLS, no cookie" \ + "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \ + "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 0 \ + -C "re-using cached ecjpake parameters" \ -S "SSL - Verification of the message MAC failed" run_test "ECJPAKE: password mismatch, DTLS" \ @@ -2562,6 +2573,7 @@ run_test "ECJPAKE: password mismatch, DTLS" \ "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 1 \ + -c "re-using cached ecjpake parameters" \ -s "SSL - Verification of the message MAC failed" # Tests for ciphersuites per version From faee44ded16eb289fe449693c1691763e8390b4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 Sep 2015 22:19:58 +0200 Subject: [PATCH 61/87] Avoid false positives in bounds check The size of the buffer already accounts for the extra data before the actual message, so the allowed length is SSL_MAX_CONTENT_LEN starting from _msg --- library/ssl_cli.c | 2 +- library/ssl_srv.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c0386b697..49ea5a200 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -287,7 +287,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 8be7ac586..ce833ef29 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2062,7 +2062,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; @@ -2679,7 +2679,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { size_t jlen; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); From 7cdad7708ec43f340d221d703d6983672cab6927 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Fri, 2 Oct 2015 13:31:41 +0100 Subject: [PATCH 62/87] Add point format handling --- include/mbedtls/ecjpake.h | 1 + library/ecjpake.c | 46 ++++++++++++++++++++++++--------------- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index c1aa8cf1b..3bbf27edf 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -71,6 +71,7 @@ typedef struct const mbedtls_md_info_t *md_info; /**< Hash to use */ mbedtls_ecp_group grp; /**< Elliptic curve */ mbedtls_ecjpake_role role; /**< Are we client or server? */ + int point_format; /**< Format for point export */ mbedtls_ecp_point Xm1; /**< My public key 1 C: X1, S: X3 */ mbedtls_ecp_point Xm2; /**< My public key 2 C: X2, S: X4 */ diff --git a/library/ecjpake.c b/library/ecjpake.c index 0535a570f..6a7245215 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -140,6 +140,7 @@ int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx ) static int ecjpake_write_len_point( unsigned char **p, const unsigned char *end, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *P ) { int ret; @@ -149,7 +150,7 @@ static int ecjpake_write_len_point( unsigned char **p, if( end < *p || end - *p < 5 ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); - ret = mbedtls_ecp_point_write_binary( grp, P, MBEDTLS_ECP_PF_UNCOMPRESSED, + ret = mbedtls_ecp_point_write_binary( grp, P, pf, &len, *p + 4, end - ( *p + 4 ) ); if( ret != 0 ) return( ret ); @@ -175,6 +176,7 @@ static int ecjpake_write_len_point( unsigned char **p, */ static int ecjpake_hash( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, const mbedtls_ecp_point *V, const mbedtls_ecp_point *X, @@ -189,9 +191,9 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, unsigned char hash[MBEDTLS_MD_MAX_SIZE]; /* Write things to temporary buffer */ - MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, G ) ); - MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, V ) ); - MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, X ) ); + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, G ) ); + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) ); + MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) ); if( end < p || (size_t)( end - p ) < id_len ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); @@ -221,6 +223,7 @@ cleanup: */ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, const mbedtls_ecp_point *X, const char *id, @@ -268,7 +271,7 @@ static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info, /* * Verification */ - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp, &VV, &h, X, &r, G ) ); @@ -292,6 +295,7 @@ cleanup: */ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, const mbedtls_mpi *x, const mbedtls_ecp_point *X, @@ -317,14 +321,14 @@ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info, /* Compute signature */ MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, &v, &V, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, G, &V, X, id, &h ) ); + MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */ /* Write it out */ MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V, - MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); + pf, &len, *p, end - *p ) ); *p += len; len = mbedtls_mpi_size( &h ); /* actually r */ @@ -352,6 +356,7 @@ cleanup: */ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, mbedtls_ecp_point *X, const char *id, @@ -376,7 +381,7 @@ static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info, goto cleanup; } - MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, G, X, id, p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, pf, G, X, id, p, end ) ); cleanup: return( ret ); @@ -388,6 +393,7 @@ cleanup: */ static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, mbedtls_mpi *x, mbedtls_ecp_point *X, @@ -407,11 +413,11 @@ static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info, MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, x, X, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, X, - MBEDTLS_ECP_PF_UNCOMPRESSED, &len, *p, end - *p ) ); + pf, &len, *p, end - *p ) ); *p += len; /* Generate and write proof */ - MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, G, x, X, id, + MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, pf, G, x, X, id, p, end, f_rng, p_rng ) ); cleanup: @@ -424,6 +430,7 @@ cleanup: */ static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, mbedtls_ecp_point *Xa, mbedtls_ecp_point *Xb, @@ -440,8 +447,8 @@ static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info, * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2]; * } ECJPAKEKeyKPPairList; */ - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, G, Xa, id, &p, end ) ); - MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, G, Xb, id, &p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xa, id, &p, end ) ); + MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xb, id, &p, end ) ); if( p != end ) ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; @@ -456,6 +463,7 @@ cleanup: */ static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, const mbedtls_ecp_group *grp, + const int pf, const mbedtls_ecp_point *G, mbedtls_mpi *xm1, mbedtls_ecp_point *Xa, @@ -472,9 +480,9 @@ static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info, unsigned char *p = buf; const unsigned char *end = buf + len; - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xm1, Xa, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm1, Xa, id, &p, end, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, G, xm2, Xb, id, + MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm2, Xb, id, &p, end, f_rng, p_rng ) ); *olen = p - buf; @@ -490,7 +498,8 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len ) { - return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, &ctx->grp.G, + return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format, + &ctx->grp.G, &ctx->Xp1, &ctx->Xp2, ID_PEER, buf, len ) ); } @@ -503,7 +512,8 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, &ctx->grp.G, + return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format, + &ctx->grp.G, &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2, ID_MINE, buf, len, olen, f_rng, p_rng ) ); } @@ -573,6 +583,7 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx, } MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp, + ctx->point_format, &G, &ctx->Xp, ID_PEER, &p, end ) ); if( p != end ) @@ -678,10 +689,11 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx, goto cleanup; } MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xm, - MBEDTLS_ECP_PF_UNCOMPRESSED, &ec_len, p, end - p ) ); + ctx->point_format, &ec_len, p, end - p ) ); p += ec_len; MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp, + ctx->point_format, &G, &xm, &Xm, ID_MINE, &p, end, f_rng, p_rng ) ); From e8377d66b77368dcf6d693647c66169f84346ce5 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Fri, 2 Oct 2015 13:32:17 +0100 Subject: [PATCH 63/87] Clean up compilation warnings --- library/pkparse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/pkparse.c b/library/pkparse.c index bddcf5d3a..275429e60 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -1181,6 +1181,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, return( ret ); #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ #else + ((void) ret); ((void) pwd); ((void) pwdlen); #endif /* MBEDTLS_PEM_PARSE_C */ From 4feb7ae8c20c9ca525c668fb00ea93b4610a7f9e Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Fri, 2 Oct 2015 13:33:37 +0100 Subject: [PATCH 64/87] Added key export API --- include/mbedtls/config.h | 10 ++++++++ include/mbedtls/ssl.h | 55 ++++++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 20 +++++++++++++++ 3 files changed, 85 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 11435df8d..58342798a 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1178,6 +1178,16 @@ */ #define MBEDTLS_SSL_SESSION_TICKETS +/** + * \def MBEDTLS_SSL_EXPORT_KEYS + * + * Enable support for exporting key block and master key. + * This is required for certain users of TLS, e.g. EAP-TLS. + * + * Comment this macro to disable support for key export + */ +#define MBEDTLS_SSL_EXPORT_KEYS + /** * \def MBEDTLS_SSL_SERVER_NAME_INDICATION * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3d73da975..1a9f1a9cd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -544,6 +544,13 @@ struct mbedtls_ssl_config void *p_ticket; /*!< context for the ticket callbacks */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + /** Callback to export key block and master key */ + int (*f_export_keys)( void *, const unsigned char *, + const unsigned char *, size_t, size_t, size_t ); + void *p_export_keys; /*!< context for key export callback */ +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */ mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ @@ -1071,6 +1078,34 @@ typedef int mbedtls_ssl_ticket_write_t( void *p_ticket, size_t *tlen, uint32_t *lifetime ); +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +/** + * \brief Callback type: Export key block and master key + * + * \note This is required for certain uses of TLS, e.g. EAP-TLS + * (RFC 5216). The key pointers are ephemeral and therefore + * must not be stored. The keys should not be copied + * verbatim and should be used specifically for key + * derivation purposes + * + * \param p_expkey Context for the callback + * \param kb Pointer to key block + * \param mk Pointer to master key + * \param maclen MAC length + * \param keylen Key length + * \param ivlen IV length + * + * \return 0 if successful, or + * a specific MBEDTLS_ERR_XXX code. + */ +typedef int mbedtls_ssl_export_keys_t( void *p_expkey, + const unsigned char *kb, + const unsigned char *mk, + size_t maclen, + size_t keylen, + size_t ivlen ); +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + /** * \brief Callback type: parse and load session ticket * @@ -1120,6 +1155,26 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, void *p_ticket ); #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +/** + * \brief Configure key export callback. + * (Default: none.) + * + * \note This is required for certain uses of TLS, e.g. EAP-TLS + * (RFC 5216). The key pointers are ephemeral and therefore + * must not be stored. The keys should not be copied + * verbatim and should be used specifically for key + * derivation purposes + * + * \param conf SSL configuration context + * \param f_export_keys Callback for exporting keys + * \param p_export_key Context shared by the callback + */ +void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_export_keys_t *f_export_keys, + void *p_export_keys ); +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + /** * \brief Callback type: generate a cookie * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c1bccbecc..a42fcc528 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -862,6 +862,16 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( ssl->conf->f_export_keys != NULL) + { + ssl->conf->f_export_keys( ssl->conf->p_export_keys, + keyblk, session->master, + transform->maclen, transform->keylen, + iv_copy_len ); + } +#endif + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, cipher_info ) ) != 0 ) { @@ -5807,6 +5817,16 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, #endif #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) +void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, + mbedtls_ssl_export_keys_t *f_export_keys, + void *p_export_keys ) +{ + conf->f_export_keys = f_export_keys; + conf->p_export_keys = p_export_keys; +} +#endif + /* * SSL get accessors */ From 136884c29b3148f9eeb24e744069ade60755aa99 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Fri, 2 Oct 2015 13:34:31 +0100 Subject: [PATCH 65/87] Use MBEDTLS_ECJPAKE_C def. for correct conditional compilation --- library/ssl_cli.c | 23 +++++++++++++++-------- library/ssl_srv.c | 25 +++++++++++++++++-------- 2 files changed, 32 insertions(+), 16 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 49ea5a200..f2e7ae759 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + defined(MBEDTLS_ECJPAKE_C) static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -278,7 +278,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, @@ -287,7 +287,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; @@ -856,7 +856,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + defined(MBEDTLS_ECJPAKE_C) ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; @@ -1076,7 +1076,8 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -1097,7 +1098,12 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED ) { +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ssl->handshake->ecdh_ctx.point_format = p[0]; +#endif +#if defined(MBEDTLS_ECJPAKE_C) + ssl->handshake->ecjpake_ctx.point_format = p[0]; +#endif MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -1109,7 +1115,7 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, @@ -1629,7 +1635,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); @@ -1640,7 +1647,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } break; -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: diff --git a/library/ssl_srv.c b/library/ssl_srv.c index ce833ef29..20fc899c6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -232,7 +232,8 @@ have_sig_alg: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -305,7 +306,12 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED ) { +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ssl->handshake->ecdh_ctx.point_format = p[0]; +#endif +#if defined(MBEDTLS_ECJPAKE_C) + ssl->handshake->ecjpake_ctx.point_format = p[0]; +#endif MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -316,7 +322,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, @@ -1579,7 +1585,8 @@ read_record_header: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_ECJPAKE_C) case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); @@ -1596,7 +1603,7 @@ read_record_header: if( ret != 0 ) return( ret ); break; -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: @@ -2062,7 +2069,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; @@ -2383,7 +2390,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + defined(MBEDTLS_ECJPAKE_C) ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif @@ -2639,12 +2646,14 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) unsigned char *p = ssl->out_msg + 4; unsigned char *dig_signed = p; size_t dig_signed_len = 0, len; ((void) dig_signed); ((void) dig_signed_len); + ((void) len); #endif MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); @@ -2679,7 +2688,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { size_t jlen; - const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); From 39a60de410f075081491c610781692d8bbae3c28 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Fri, 2 Oct 2015 13:57:59 +0100 Subject: [PATCH 66/87] Correct overwritten fixes --- library/ssl_cli.c | 2 +- library/ssl_srv.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index f2e7ae759..82f8d8343 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -287,7 +287,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 20fc899c6..1ae47c209 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2069,7 +2069,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { int ret; unsigned char *p = buf; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; size_t kkpp_len; *olen = 0; @@ -2688,7 +2688,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { size_t jlen; - const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN; + const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng ); From ae8535db38a490809c22a891d5e3a3344773c13e Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Tue, 6 Oct 2015 17:11:18 +0100 Subject: [PATCH 67/87] Changed defs. back to MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED --- library/ssl_cli.c | 21 ++++++++++++--------- library/ssl_srv.c | 14 ++++++++------ 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 82f8d8343..42174dbf4 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -267,7 +267,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); *p++ = 0x00; @@ -278,7 +278,8 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, @@ -856,7 +857,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; @@ -1077,7 +1078,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -1101,7 +1102,7 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ssl->handshake->ecdh_ctx.point_format = p[0]; #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl->handshake->ecjpake_ctx.point_format = p[0]; #endif MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); @@ -1115,7 +1116,8 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, @@ -1636,7 +1638,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); @@ -1647,7 +1649,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } break; -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 1ae47c209..a0a4aa4b6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -233,7 +233,7 @@ have_sig_alg: MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -309,7 +309,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ssl->handshake->ecdh_ctx.point_format = p[0]; #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl->handshake->ecjpake_ctx.point_format = p[0]; #endif MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); @@ -322,7 +322,8 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, @@ -1586,7 +1587,7 @@ read_record_header: MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); @@ -1603,7 +1604,8 @@ read_record_header: if( ret != 0 ) return( ret ); break; -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: @@ -2390,7 +2392,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif From 4289c0d1fabef0f444f0a7920f674961a81a92a8 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Tue, 6 Oct 2015 17:20:41 +0100 Subject: [PATCH 68/87] Typo in parameter name --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 1a9f1a9cd..c3cd006e3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1168,7 +1168,7 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, * * \param conf SSL configuration context * \param f_export_keys Callback for exporting keys - * \param p_export_key Context shared by the callback + * \param p_export_keys Context shared by the callback */ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, mbedtls_ssl_export_keys_t *f_export_keys, From 4d284d271bb62b09466be0a58bdf1a069a5e0600 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Thu, 8 Oct 2015 16:56:26 +0100 Subject: [PATCH 69/87] Added feature MBEDTLS_SSL_EXPORT_KEYS --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index e786d7d91..ca040ab76 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -378,6 +378,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_SESSION_TICKETS) "MBEDTLS_SSL_SESSION_TICKETS", #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + "MBEDTLS_SSL_EXPORT_KEYS", +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) "MBEDTLS_SSL_SERVER_NAME_INDICATION", #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ From dd0e9a8456c4555b848a5e69acdd7a4d542e0ff2 Mon Sep 17 00:00:00 2001 From: Robert Cragie Date: Thu, 8 Oct 2015 17:24:08 +0100 Subject: [PATCH 70/87] Minimal config file for ECJPAKE --- configs/config-ecjpake.h | 2493 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 2493 insertions(+) create mode 100644 configs/config-ecjpake.h diff --git a/configs/config-ecjpake.h b/configs/config-ecjpake.h new file mode 100644 index 000000000..e8db44c7d --- /dev/null +++ b/configs/config-ecjpake.h @@ -0,0 +1,2493 @@ +/** + * \file config.h + * + * \brief Configuration options (set of defines) + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/* + * This set of compile-time options may be used to enable + * or disable features selectively, and reduce the global + * memory footprint. + */ +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H + +#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) +#define _CRT_SECURE_NO_DEPRECATE 1 +#endif + +/** + * \name SECTION: System support + * + * This section sets system specific settings. + * \{ + */ + +/** + * \def MBEDTLS_HAVE_ASM + * + * The compiler has support for asm(). + * + * Requires support for asm() in compiler. + * + * Used in: + * library/timing.c + * library/padlock.c + * include/mbedtls/bn_mul.h + * + * Comment to disable the use of assembly code. + */ +//#define MBEDTLS_HAVE_ASM + +/** + * \def MBEDTLS_HAVE_SSE2 + * + * CPU supports SSE2 instruction set. + * + * Uncomment if the CPU supports SSE2 (IA-32 specific). + */ +//#define MBEDTLS_HAVE_SSE2 + +/** + * \def MBEDTLS_HAVE_TIME + * + * System has time.h and time(). + * The time does not need to be correct, only time differences are used, + * by contrast with MBEDTLS_HAVE_TIME_DATE + * + * Comment if your system does not support time functions + */ +//#define MBEDTLS_HAVE_TIME + +/** + * \def MBEDTLS_HAVE_TIME_DATE + * + * System has time.h and time(), gmtime() and the clock is correct. + * The time needs to be correct (not necesarily very accurate, but at least + * the date should be correct). This is used to verify the validity period of + * X.509 certificates. + * + * Comment if your system does not have a correct clock. + */ +//#define MBEDTLS_HAVE_TIME_DATE + +/** + * \def MBEDTLS_PLATFORM_MEMORY + * + * Enable the memory allocation layer. + * + * By default mbed TLS uses the system-provided calloc() and free(). + * This allows different allocators (self-implemented or provided) to be + * provided to the platform abstraction layer. + * + * Enabling MBEDTLS_PLATFORM_MEMORY without the + * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide + * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and + * free() function pointer at runtime. + * + * Enabling MBEDTLS_PLATFORM_MEMORY and specifying + * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the + * alternate function at compile time. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Enable this layer to allow use of alternative memory allocators. + */ +//#define MBEDTLS_PLATFORM_MEMORY + +/** + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + * + * Do not assign standard functions in the platform layer (e.g. calloc() to + * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) + * + * This makes sure there are no linking errors on platforms that do not support + * these functions. You will HAVE to provide alternatives, either at runtime + * via the platform_set_xxx() functions or at compile time by setting + * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a + * MBEDTLS_PLATFORM_XXX_MACRO. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Uncomment to prevent default assignment of standard functions in the + * platform layer. + */ +//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + +/** + * \def MBEDTLS_PLATFORM_XXX_ALT + * + * Uncomment a macro to let mbed TLS support the function in the platform + * abstraction layer. + * + * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will + * provide a function "mbedtls_platform_set_printf()" that allows you to set an + * alternative printf function pointer. + * + * All these define require MBEDTLS_PLATFORM_C to be defined! + * + * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows; + * it will be enabled automatically by check_config.h + * + * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as + * MBEDTLS_PLATFORM_XXX_MACRO! + * + * Uncomment a macro to enable alternate implementation of specific base + * platform function + */ +//#define MBEDTLS_PLATFORM_EXIT_ALT +//#define MBEDTLS_PLATFORM_FPRINTF_ALT +//#define MBEDTLS_PLATFORM_PRINTF_ALT +//#define MBEDTLS_PLATFORM_SNPRINTF_ALT + +/** + * \def MBEDTLS_DEPRECATED_WARNING + * + * Mark deprecated functions so that they generate a warning if used. + * Functions deprecated in one version will usually be removed in the next + * version. You can enable this to help you prepare the transition to a new + * major version by making sure your code is not using these functions. + * + * This only works with GCC and Clang. With other compilers, you may want to + * use MBEDTLS_DEPRECATED_REMOVED + * + * Uncomment to get warnings on using deprecated functions. + */ +//#define MBEDTLS_DEPRECATED_WARNING + +/** + * \def MBEDTLS_DEPRECATED_REMOVED + * + * Remove deprecated functions so that they generate an error if used. + * Functions deprecated in one version will usually be removed in the next + * version. You can enable this to help you prepare the transition to a new + * major version by making sure your code is not using these functions. + * + * Uncomment to get errors on using deprecated functions. + */ +//#define MBEDTLS_DEPRECATED_REMOVED + +/* \} name SECTION: System support */ + +/** + * \name SECTION: mbed TLS feature support + * + * This section sets support for features that are or are not needed + * within the modules that are enabled. + * \{ + */ + +/** + * \def MBEDTLS_TIMING_ALT + * + * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), + * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() + * + * Only works if you have MBEDTLS_TIMING_C enabled. + * + * You will need to provide a header "timing_alt.h" and an implementation at + * compile time. + */ +//#define MBEDTLS_TIMING_ALT + +/** + * \def MBEDTLS__MODULE_NAME__ALT + * + * Uncomment a macro to let mbed TLS use your alternate core implementation of + * a symmetric crypto or hash module (e.g. platform specific assembly + * optimized implementations). Keep in mind that the function prototypes + * should remain the same. + * + * This replaces the whole module. If you only want to replace one of the + * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. + * + * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer + * provide the "struct mbedtls_aes_context" definition and omit the base function + * declarations and implementations. "aes_alt.h" will be included from + * "aes.h" to include the new function definitions. + * + * Uncomment a macro to enable alternate implementation of the corresponding + * module. + */ +//#define MBEDTLS_AES_ALT +//#define MBEDTLS_ARC4_ALT +//#define MBEDTLS_BLOWFISH_ALT +//#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_DES_ALT +//#define MBEDTLS_XTEA_ALT +//#define MBEDTLS_MD2_ALT +//#define MBEDTLS_MD4_ALT +//#define MBEDTLS_MD5_ALT +//#define MBEDTLS_RIPEMD160_ALT +//#define MBEDTLS_SHA1_ALT +//#define MBEDTLS_SHA256_ALT +//#define MBEDTLS_SHA512_ALT + +/** + * \def MBEDTLS__FUNCTION_NAME__ALT + * + * Uncomment a macro to let mbed TLS use you alternate core implementation of + * symmetric crypto or hash function. Keep in mind that function prototypes + * should remain the same. + * + * This replaces only one function. The header file from mbed TLS is still + * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. + * + * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will + * no longer provide the mbedtls_sha1_process() function, but it will still provide + * the other function (using your mbedtls_sha1_process() function) and the definition + * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible + * with this definition. + * + * Note: if you use the AES_xxx_ALT macros, then is is recommended to also set + * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES + * tables. + * + * Uncomment a macro to enable alternate implementation of the corresponding + * function. + */ +//#define MBEDTLS_MD2_PROCESS_ALT +//#define MBEDTLS_MD4_PROCESS_ALT +//#define MBEDTLS_MD5_PROCESS_ALT +//#define MBEDTLS_RIPEMD160_PROCESS_ALT +//#define MBEDTLS_SHA1_PROCESS_ALT +//#define MBEDTLS_SHA256_PROCESS_ALT +//#define MBEDTLS_SHA512_PROCESS_ALT +//#define MBEDTLS_DES_SETKEY_ALT +//#define MBEDTLS_DES_CRYPT_ECB_ALT +//#define MBEDTLS_DES3_CRYPT_ECB_ALT +//#define MBEDTLS_AES_SETKEY_ENC_ALT +//#define MBEDTLS_AES_SETKEY_DEC_ALT +//#define MBEDTLS_AES_ENCRYPT_ALT +//#define MBEDTLS_AES_DECRYPT_ALT + +/** + * \def MBEDTLS_ENTROPY_HARDWARE_ALT + * + * Uncomment this macro to let mbed TLS use your own implementation of a + * hardware entropy collector. + * + * Your function must be called \c mbedtls_hardware_poll(), have the same + * prototype as declared in entropy_poll.h, and accept NULL as first argument. + * + * Uncomment to use your own hardware entropy collector. + */ +//#define MBEDTLS_ENTROPY_HARDWARE_ALT + +/** + * \def MBEDTLS_AES_ROM_TABLES + * + * Store the AES tables in ROM. + * + * Uncomment this macro to store the AES tables in ROM. + */ +//#define MBEDTLS_AES_ROM_TABLES + +/** + * \def MBEDTLS_CAMELLIA_SMALL_MEMORY + * + * Use less ROM for the Camellia implementation (saves about 768 bytes). + * + * Uncomment this macro to use less memory for Camellia. + */ +//#define MBEDTLS_CAMELLIA_SMALL_MEMORY + +/** + * \def MBEDTLS_CIPHER_MODE_CBC + * + * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. + */ +//#define MBEDTLS_CIPHER_MODE_CBC + +/** + * \def MBEDTLS_CIPHER_MODE_CFB + * + * Enable Cipher Feedback mode (CFB) for symmetric ciphers. + */ +//#define MBEDTLS_CIPHER_MODE_CFB + +/** + * \def MBEDTLS_CIPHER_MODE_CTR + * + * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. + */ +#define MBEDTLS_CIPHER_MODE_CTR + +/** + * \def MBEDTLS_CIPHER_NULL_CIPHER + * + * Enable NULL cipher. + * Warning: Only do so when you know what you are doing. This allows for + * encryption or channels without any security! + * + * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable + * the following ciphersuites: + * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA + * MBEDTLS_TLS_RSA_WITH_NULL_SHA256 + * MBEDTLS_TLS_RSA_WITH_NULL_SHA + * MBEDTLS_TLS_RSA_WITH_NULL_MD5 + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA + * MBEDTLS_TLS_PSK_WITH_NULL_SHA384 + * MBEDTLS_TLS_PSK_WITH_NULL_SHA256 + * MBEDTLS_TLS_PSK_WITH_NULL_SHA + * + * Uncomment this macro to enable the NULL cipher and ciphersuites + */ +//#define MBEDTLS_CIPHER_NULL_CIPHER + +/** + * \def MBEDTLS_CIPHER_PADDING_XXX + * + * Uncomment or comment macros to add support for specific padding modes + * in the cipher layer with cipher modes that support padding (e.g. CBC) + * + * If you disable all padding modes, only full blocks can be used with CBC. + * + * Enable padding modes in the cipher layer. + */ +//#define MBEDTLS_CIPHER_PADDING_PKCS7 +//#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +//#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +//#define MBEDTLS_CIPHER_PADDING_ZEROS + +/** + * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES + * + * Enable weak ciphersuites in SSL / TLS. + * Warning: Only do so when you know what you are doing. This allows for + * channels with virtually no security at all! + * + * This enables the following ciphersuites: + * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA + * + * Uncomment this macro to enable weak ciphersuites + */ +//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES + +/** + * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES + * + * Remove RC4 ciphersuites by default in SSL / TLS. + * This flag removes the ciphersuites based on RC4 from the default list as + * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to + * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them + * explicitly. + * + * Uncomment this macro to remove RC4 ciphersuites by default. + */ +#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES + +/** + * \def MBEDTLS_ECP_XXXX_ENABLED + * + * Enables specific curves within the Elliptic Curve module. + * By default all supported curves are enabled. + * + * Comment macros to disable the curve and functions for it + */ +//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +//#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +//#define MBEDTLS_ECP_DP_BP256R1_ENABLED +//#define MBEDTLS_ECP_DP_BP384R1_ENABLED +//#define MBEDTLS_ECP_DP_BP512R1_ENABLED +//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED + +/** + * \def MBEDTLS_ECP_NIST_OPTIM + * + * Enable specific 'modulo p' routines for each NIST prime. + * Depending on the prime and architecture, makes operations 4 to 8 times + * faster on the corresponding curve. + * + * Comment this macro to disable NIST curves optimisation. + */ +#define MBEDTLS_ECP_NIST_OPTIM + +/** + * \def MBEDTLS_ECDSA_DETERMINISTIC + * + * Enable deterministic ECDSA (RFC 6979). + * Standard ECDSA is "fragile" in the sense that lack of entropy when signing + * may result in a compromise of the long-term signing key. This is avoided by + * the deterministic variant. + * + * Requires: MBEDTLS_HMAC_DRBG_C + * + * Comment this macro to disable deterministic ECDSA. + */ +//#define MBEDTLS_ECDSA_DETERMINISTIC + +/** + * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + * + * Enable the PSK based ciphersuite modes in SSL / TLS. + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA + */ +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + * + * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_DHM_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + * + * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + * + * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + * + * Enable the RSA-only based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 + */ +//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + * + * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + * + * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + * + * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + */ +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + * + * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + */ +//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + * + * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 + */ +//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + +/** + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + * + * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. + * + * \warning This is currently experimental. EC J-PAKE support is based on the + * Thread v1.0.0 specification; incompatible changes to the specification + * might still happen. For this reason, this is disabled by default. + * + * Requires: MBEDTLS_ECJPAKE_C + * MBEDTLS_SHA256_C + * MBEDTLS_ECP_DP_SECP256R1_ENABLED + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + */ +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + +/** + * \def MBEDTLS_PK_PARSE_EC_EXTENDED + * + * Enhance support for reading EC keys using variants of SEC1 not allowed by + * RFC 5915 and RFC 5480. + * + * Currently this means parsing the SpecifiedECDomain choice of EC + * parameters (only known groups are supported, not arbitrary domains, to + * avoid validation issues). + * + * Disable if you only need to support RFC 5915 + 5480 key formats. + */ +//#define MBEDTLS_PK_PARSE_EC_EXTENDED + +/** + * \def MBEDTLS_ERROR_STRERROR_DUMMY + * + * Enable a dummy error function to make use of mbedtls_strerror() in + * third party libraries easier when MBEDTLS_ERROR_C is disabled + * (no effect when MBEDTLS_ERROR_C is enabled). + * + * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're + * not using mbedtls_strerror() or error_strerror() in your application. + * + * Disable if you run into name conflicts and want to really remove the + * mbedtls_strerror() + */ +#define MBEDTLS_ERROR_STRERROR_DUMMY + +/** + * \def MBEDTLS_GENPRIME + * + * Enable the prime-number generation code. + * + * Requires: MBEDTLS_BIGNUM_C + */ +#define MBEDTLS_GENPRIME + +/** + * \def MBEDTLS_FS_IO + * + * Enable functions that use the filesystem. + */ +#define MBEDTLS_FS_IO + +/** + * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES + * + * Do not add default entropy sources. These are the platform specific, + * mbedtls_timing_hardclock and HAVEGE based poll functions. + * + * This is useful to have more control over the added entropy sources in an + * application. + * + * Uncomment this macro to prevent loading of default entropy functions. + */ +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES + +/** + * \def MBEDTLS_NO_PLATFORM_ENTROPY + * + * Do not use built-in platform entropy functions. + * This is useful if your platform does not support + * standards like the /dev/urandom or Windows CryptoAPI. + * + * Uncomment this macro to disable the built-in platform entropy functions. + */ +//#define MBEDTLS_NO_PLATFORM_ENTROPY + +/** + * \def MBEDTLS_ENTROPY_FORCE_SHA256 + * + * Force the entropy accumulator to use a SHA-256 accumulator instead of the + * default SHA-512 based one (if both are available). + * + * Requires: MBEDTLS_SHA256_C + * + * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option + * if you have performance concerns. + * + * This option is only useful if both MBEDTLS_SHA256_C and + * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. + */ +//#define MBEDTLS_ENTROPY_FORCE_SHA256 + +/** + * \def MBEDTLS_MEMORY_DEBUG + * + * Enable debugging of buffer allocator memory issues. Automatically prints + * (to stderr) all (fatal) messages on memory allocation issues. Enables + * function for 'debug output' of allocated memory. + * + * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C + * + * Uncomment this macro to let the buffer allocator print out error messages. + */ +//#define MBEDTLS_MEMORY_DEBUG + +/** + * \def MBEDTLS_MEMORY_BACKTRACE + * + * Include backtrace information with each allocated block. + * + * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C + * GLIBC-compatible backtrace() an backtrace_symbols() support + * + * Uncomment this macro to include backtrace information + */ +//#define MBEDTLS_MEMORY_BACKTRACE + +/** + * \def MBEDTLS_PK_RSA_ALT_SUPPORT + * + * Support external private RSA keys (eg from a HSM) in the PK layer. + * + * Comment this macro to disable support for external private RSA keys. + */ +//#define MBEDTLS_PK_RSA_ALT_SUPPORT + +/** + * \def MBEDTLS_PKCS1_V15 + * + * Enable support for PKCS#1 v1.5 encoding. + * + * Requires: MBEDTLS_RSA_C + * + * This enables support for PKCS#1 v1.5 operations. + */ +//#define MBEDTLS_PKCS1_V15 + +/** + * \def MBEDTLS_PKCS1_V21 + * + * Enable support for PKCS#1 v2.1 encoding. + * + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C + * + * This enables support for RSAES-OAEP and RSASSA-PSS operations. + */ +//#define MBEDTLS_PKCS1_V21 + +/** + * \def MBEDTLS_RSA_NO_CRT + * + * Do not use the Chinese Remainder Theorem for the RSA private operation. + * + * Uncomment this macro to disable the use of CRT in RSA. + * + */ +//#define MBEDTLS_RSA_NO_CRT + +/** + * \def MBEDTLS_SELF_TEST + * + * Enable the checkup functions (*_self_test). + */ +//#define MBEDTLS_SELF_TEST + +/** + * \def MBEDTLS_SHA256_SMALLER + * + * Enable an implementation of SHA-256 that has lower ROM footprint but also + * lower performance. + * + * The default implementation is meant to be a reasonnable compromise between + * performance and size. This version optimizes more aggressively for size at + * the expense of performance. Eg on Cortex-M4 it reduces the size of + * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about + * 30%. + * + * Uncomment to enable the smaller implementation of SHA256. + */ +//#define MBEDTLS_SHA256_SMALLER + +/** + * \def MBEDTLS_SSL_AEAD_RANDOM_IV + * + * Generate a random IV rather than using the record sequence number as a + * nonce for ciphersuites using and AEAD algorithm (GCM or CCM). + * + * Using the sequence number is generally recommended. + * + * Uncomment this macro to always use random IVs with AEAD ciphersuites. + */ +//#define MBEDTLS_SSL_AEAD_RANDOM_IV + +/** + * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES + * + * Enable sending of alert messages in case of encountered errors as per RFC. + * If you choose not to send the alert messages, mbed TLS can still communicate + * with other servers, only debugging of failures is harder. + * + * The advantage of not sending alert messages, is that no information is given + * about reasons for failures thus preventing adversaries of gaining intel. + * + * Enable sending of all alert messages + */ +#define MBEDTLS_SSL_ALL_ALERT_MESSAGES + +/** + * \def MBEDTLS_SSL_DEBUG_ALL + * + * Enable the debug messages in SSL module for all issues. + * Debug messages have been disabled in some places to prevent timing + * attacks due to (unbalanced) debugging function calls. + * + * If you need all error reporting you should enable this during debugging, + * but remove this for production servers that should log as well. + * + * Uncomment this macro to report all debug messages on errors introducing + * a timing side-channel. + * + */ +//#define MBEDTLS_SSL_DEBUG_ALL + +/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC + * + * Enable support for Encrypt-then-MAC, RFC 7366. + * + * This allows peers that both support it to use a more robust protection for + * ciphersuites using CBC, providing deep resistance against timing attacks + * on the padding or underlying cipher. + * + * This only affects CBC ciphersuites, and is useless if none is defined. + * + * Requires: MBEDTLS_SSL_PROTO_TLS1 or + * MBEDTLS_SSL_PROTO_TLS1_1 or + * MBEDTLS_SSL_PROTO_TLS1_2 + * + * Comment this macro to disable support for Encrypt-then-MAC + */ +//#define MBEDTLS_SSL_ENCRYPT_THEN_MAC + +/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET + * + * Enable support for Extended Master Secret, aka Session Hash + * (draft-ietf-tls-session-hash-02). + * + * This was introduced as "the proper fix" to the Triple Handshake familiy of + * attacks, but it is recommended to always use it (even if you disable + * renegotiation), since it actually fixes a more fundamental issue in the + * original SSL/TLS design, and has implications beyond Triple Handshake. + * + * Requires: MBEDTLS_SSL_PROTO_TLS1 or + * MBEDTLS_SSL_PROTO_TLS1_1 or + * MBEDTLS_SSL_PROTO_TLS1_2 + * + * Comment this macro to disable support for Extended Master Secret. + */ +//#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET + +/** + * \def MBEDTLS_SSL_FALLBACK_SCSV + * + * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). + * + * For servers, it is recommended to always enable this, unless you support + * only one version of TLS, or know for sure that none of your clients + * implements a fallback strategy. + * + * For clients, you only need this if you're using a fallback strategy, which + * is not recommended in the first place, unless you absolutely need it to + * interoperate with buggy (version-intolerant) servers. + * + * Comment this macro to disable support for FALLBACK_SCSV + */ +//#define MBEDTLS_SSL_FALLBACK_SCSV + +/** + * \def MBEDTLS_SSL_HW_RECORD_ACCEL + * + * Enable hooking functions in SSL module for hardware acceleration of + * individual records. + * + * Uncomment this macro to enable hooking functions. + */ +//#define MBEDTLS_SSL_HW_RECORD_ACCEL + +/** + * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING + * + * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. + * + * This is a countermeasure to the BEAST attack, which also minimizes the risk + * of interoperability issues compared to sending 0-length records. + * + * Comment this macro to disable 1/n-1 record splitting. + */ +//#define MBEDTLS_SSL_CBC_RECORD_SPLITTING + +/** + * \def MBEDTLS_SSL_RENEGOTIATION + * + * Disable support for TLS renegotiation. + * + * The two main uses of renegotiation are (1) refresh keys on long-lived + * connections and (2) client authentication after the initial handshake. + * If you don't need renegotiation, it's probably better to disable it, since + * it has been associated with security issues in the past and is easy to + * misuse/misunderstand. + * + * Comment this to disable support for renegotiation. + */ +//#define MBEDTLS_SSL_RENEGOTIATION + +/** + * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO + * + * Enable support for receiving and parsing SSLv2 Client Hello messages for the + * SSL Server module (MBEDTLS_SSL_SRV_C). + * + * Uncomment this macro to enable support for SSLv2 Client Hello messages. + */ +//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO + +/** + * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE + * + * Pick the ciphersuite according to the client's preferences rather than ours + * in the SSL Server module (MBEDTLS_SSL_SRV_C). + * + * Uncomment this macro to respect client's ciphersuite order + */ +//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE + +/** + * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + * + * Enable support for RFC 6066 max_fragment_length extension in SSL. + * + * Comment this macro to disable support for the max_fragment_length extension + */ +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + +/** + * \def MBEDTLS_SSL_PROTO_SSL3 + * + * Enable support for SSL 3.0. + * + * Requires: MBEDTLS_MD5_C + * MBEDTLS_SHA1_C + * + * Comment this macro to disable support for SSL 3.0 + */ +//#define MBEDTLS_SSL_PROTO_SSL3 + +/** + * \def MBEDTLS_SSL_PROTO_TLS1 + * + * Enable support for TLS 1.0. + * + * Requires: MBEDTLS_MD5_C + * MBEDTLS_SHA1_C + * + * Comment this macro to disable support for TLS 1.0 + */ +//#define MBEDTLS_SSL_PROTO_TLS1 + +/** + * \def MBEDTLS_SSL_PROTO_TLS1_1 + * + * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). + * + * Requires: MBEDTLS_MD5_C + * MBEDTLS_SHA1_C + * + * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 + */ +//#define MBEDTLS_SSL_PROTO_TLS1_1 + +/** + * \def MBEDTLS_SSL_PROTO_TLS1_2 + * + * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). + * + * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C + * (Depends on ciphersuites) + * + * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 + */ +#define MBEDTLS_SSL_PROTO_TLS1_2 + +/** + * \def MBEDTLS_SSL_PROTO_DTLS + * + * Enable support for DTLS (all available versions). + * + * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, + * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. + * + * Requires: MBEDTLS_SSL_PROTO_TLS1_1 + * or MBEDTLS_SSL_PROTO_TLS1_2 + * + * Comment this macro to disable support for DTLS + */ +#define MBEDTLS_SSL_PROTO_DTLS + +/** + * \def MBEDTLS_SSL_ALPN + * + * Enable support for RFC 7301 Application Layer Protocol Negotiation. + * + * Comment this macro to disable support for ALPN. + */ +//#define MBEDTLS_SSL_ALPN + +/** + * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY + * + * Enable support for the anti-replay mechanism in DTLS. + * + * Requires: MBEDTLS_SSL_TLS_C + * MBEDTLS_SSL_PROTO_DTLS + * + * \warning Disabling this is often a security risk! + * See mbedtls_ssl_conf_dtls_anti_replay() for details. + * + * Comment this to disable anti-replay in DTLS. + */ +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY + +/** + * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY + * + * Enable support for HelloVerifyRequest on DTLS servers. + * + * This feature is highly recommended to prevent DTLS servers being used as + * amplifiers in DoS attacks against other hosts. It should always be enabled + * unless you know for sure amplification cannot be a problem in the + * environment in which your server operates. + * + * \warning Disabling this can ba a security risk! (see above) + * + * Requires: MBEDTLS_SSL_PROTO_DTLS + * + * Comment this to disable support for HelloVerifyRequest. + */ +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY + +/** + * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT + * + * Enable support for a limit of records with bad MAC. + * + * See mbedtls_ssl_conf_dtls_badmac_limit(). + * + * Requires: MBEDTLS_SSL_PROTO_DTLS + */ +#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT + +/** + * \def MBEDTLS_SSL_SESSION_TICKETS + * + * Enable support for RFC 5077 session tickets in SSL. + * Client-side, provides full support for session tickets (maintainance of a + * session store remains the responsibility of the application, though). + * Server-side, you also need to provide callbacks for writing and parsing + * tickets, including authenticated encryption and key management. Example + * callbacks are provided by MBEDTLS_SSL_TICKET_C. + * + * Comment this macro to disable support for SSL session tickets + */ +//#define MBEDTLS_SSL_SESSION_TICKETS + +/** + * \def MBEDTLS_SSL_EXPORT_KEYS + * + * Enable support for exporting key block and master key. + * This is required for certain users of TLS, e.g. EAP-TLS. + * + * Comment this macro to disable support for key export + */ +#define MBEDTLS_SSL_EXPORT_KEYS + +/** + * \def MBEDTLS_SSL_SERVER_NAME_INDICATION + * + * Enable support for RFC 6066 server name indication (SNI) in SSL. + * + * Requires: MBEDTLS_X509_CRT_PARSE_C + * + * Comment this macro to disable support for server name indication in SSL + */ +//#define MBEDTLS_SSL_SERVER_NAME_INDICATION + +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC + * + * Enable support for RFC 6066 truncated HMAC in SSL. + * + * Comment this macro to disable support for truncated HMAC in SSL + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC + +/** + * \def MBEDTLS_THREADING_ALT + * + * Provide your own alternate threading implementation. + * + * Requires: MBEDTLS_THREADING_C + * + * Uncomment this to allow your own alternate threading implementation. + */ +//#define MBEDTLS_THREADING_ALT + +/** + * \def MBEDTLS_THREADING_PTHREAD + * + * Enable the pthread wrapper layer for the threading layer. + * + * Requires: MBEDTLS_THREADING_C + * + * Uncomment this to enable pthread mutexes. + */ +//#define MBEDTLS_THREADING_PTHREAD + +/** + * \def MBEDTLS_VERSION_FEATURES + * + * Allow run-time checking of compile-time enabled features. Thus allowing users + * to check at run-time if the library is for instance compiled with threading + * support via mbedtls_version_check_feature(). + * + * Requires: MBEDTLS_VERSION_C + * + * Comment this to disable run-time checking and save ROM space + */ +//#define MBEDTLS_VERSION_FEATURES + +/** + * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an extension in a v1 or v2 certificate. + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 + +/** + * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an unknown critical extension. + * + * Uncomment to prevent an error. + */ +//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION + +/** + * \def MBEDTLS_X509_CHECK_KEY_USAGE + * + * Enable verification of the keyUsage extension (CA and leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused + * (intermediate) CA and leaf certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip keyUsage checking for both CA and leaf certificates. + */ +//#define MBEDTLS_X509_CHECK_KEY_USAGE + +/** + * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + * + * Enable verification of the extendedKeyUsage extension (leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip extendedKeyUsage checking for certificates. + */ +//#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE + +/** + * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT + * + * Enable parsing and verification of X.509 certificates, CRLs and CSRS + * signed with RSASSA-PSS (aka PKCS#1 v2.1). + * + * Comment this macro to disallow using RSASSA-PSS in certificates. + */ +//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT + +/** + * \def MBEDTLS_ZLIB_SUPPORT + * + * If set, the SSL/TLS module uses ZLIB to support compression and + * decompression of packet data. + * + * \warning TLS-level compression MAY REDUCE SECURITY! See for example the + * CRIME attack. Before enabling this option, you should examine with care if + * CRIME or similar exploits may be a applicable to your use case. + * + * \note Currently compression can't be used with DTLS. + * + * Used in: library/ssl_tls.c + * library/ssl_cli.c + * library/ssl_srv.c + * + * This feature requires zlib library and headers to be present. + * + * Uncomment to enable use of ZLIB + */ +//#define MBEDTLS_ZLIB_SUPPORT +/* \} name SECTION: mbed TLS feature support */ + +/** + * \name SECTION: mbed TLS modules + * + * This section enables or disables entire modules in mbed TLS + * \{ + */ + +/** + * \def MBEDTLS_AESNI_C + * + * Enable AES-NI support on x86-64. + * + * Module: library/aesni.c + * Caller: library/aes.c + * + * Requires: MBEDTLS_HAVE_ASM + * + * This modules adds support for the AES-NI instructions on x86-64 + */ +//#define MBEDTLS_AESNI_C + +/** + * \def MBEDTLS_AES_C + * + * Enable the AES block cipher. + * + * Module: library/aes.c + * Caller: library/ssl_tls.c + * library/pem.c + * library/ctr_drbg.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA + * + * PEM_PARSE uses AES for decrypting encrypted keys. + */ +#define MBEDTLS_AES_C + +/** + * \def MBEDTLS_ARC4_C + * + * Enable the ARCFOUR stream cipher. + * + * Module: library/arc4.c + * Caller: library/ssl_tls.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA + * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA + * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 + * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA + * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA + */ +//#define MBEDTLS_ARC4_C + +/** + * \def MBEDTLS_ASN1_PARSE_C + * + * Enable the generic ASN1 parser. + * + * Module: library/asn1.c + * Caller: library/x509.c + * library/dhm.c + * library/pkcs12.c + * library/pkcs5.c + * library/pkparse.c + */ +#define MBEDTLS_ASN1_PARSE_C + +/** + * \def MBEDTLS_ASN1_WRITE_C + * + * Enable the generic ASN1 writer. + * + * Module: library/asn1write.c + * Caller: library/ecdsa.c + * library/pkwrite.c + * library/x509_create.c + * library/x509write_crt.c + * library/mbedtls_x509write_csr.c + */ +#define MBEDTLS_ASN1_WRITE_C + +/** + * \def MBEDTLS_BASE64_C + * + * Enable the Base64 module. + * + * Module: library/base64.c + * Caller: library/pem.c + * + * This module is required for PEM support (required by X.509). + */ +//#define MBEDTLS_BASE64_C + +/** + * \def MBEDTLS_BIGNUM_C + * + * Enable the multi-precision integer library. + * + * Module: library/bignum.c + * Caller: library/dhm.c + * library/ecp.c + * library/ecdsa.c + * library/rsa.c + * library/ssl_tls.c + * + * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. + */ +#define MBEDTLS_BIGNUM_C + +/** + * \def MBEDTLS_BLOWFISH_C + * + * Enable the Blowfish block cipher. + * + * Module: library/blowfish.c + */ +//#define MBEDTLS_BLOWFISH_C + +/** + * \def MBEDTLS_CAMELLIA_C + * + * Enable the Camellia block cipher. + * + * Module: library/camellia.c + * Caller: library/ssl_tls.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 + */ +//#define MBEDTLS_CAMELLIA_C + +/** + * \def MBEDTLS_CCM_C + * + * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. + * + * Module: library/ccm.c + * + * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C + * + * This module enables the AES-CCM ciphersuites, if other requisites are + * enabled as well. + */ +#define MBEDTLS_CCM_C + +/** + * \def MBEDTLS_CERTS_C + * + * Enable the test certificates. + * + * Module: library/certs.c + * Caller: + * + * This module is used for testing (ssl_client/server). + */ +//#define MBEDTLS_CERTS_C + +/** + * \def MBEDTLS_CIPHER_C + * + * Enable the generic cipher layer. + * + * Module: library/cipher.c + * Caller: library/ssl_tls.c + * + * Uncomment to enable generic cipher wrappers. + */ +#define MBEDTLS_CIPHER_C + +/** + * \def MBEDTLS_CTR_DRBG_C + * + * Enable the CTR_DRBG AES-256-based random generator. + * + * Module: library/ctr_drbg.c + * Caller: + * + * Requires: MBEDTLS_AES_C + * + * This module provides the CTR_DRBG AES-256 random number generator. + */ +//#define MBEDTLS_CTR_DRBG_C + +/** + * \def MBEDTLS_DEBUG_C + * + * Enable the debug functions. + * + * Module: library/debug.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * This module provides debugging functions. + */ +#define MBEDTLS_DEBUG_C + +/** + * \def MBEDTLS_DES_C + * + * Enable the DES block cipher. + * + * Module: library/des.c + * Caller: library/pem.c + * library/ssl_tls.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA + * + * PEM_PARSE uses DES/3DES for decrypting encrypted keys. + */ +//#define MBEDTLS_DES_C + +/** + * \def MBEDTLS_DHM_C + * + * Enable the Diffie-Hellman-Merkle module. + * + * Module: library/dhm.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * This module is used by the following key exchanges: + * DHE-RSA, DHE-PSK + */ +//#define MBEDTLS_DHM_C + +/** + * \def MBEDTLS_ECDH_C + * + * Enable the elliptic curve Diffie-Hellman library. + * + * Module: library/ecdh.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * This module is used by the following key exchanges: + * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK + * + * Requires: MBEDTLS_ECP_C + */ +//#define MBEDTLS_ECDH_C + +/** + * \def MBEDTLS_ECDSA_C + * + * Enable the elliptic curve DSA library. + * + * Module: library/ecdsa.c + * Caller: + * + * This module is used by the following key exchanges: + * ECDHE-ECDSA + * + * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C + */ +//#define MBEDTLS_ECDSA_C + +/** + * \def MBEDTLS_ECJPAKE_C + * + * Enable the elliptic curve J-PAKE library. + * + * \warning This is currently experimental. EC J-PAKE support is based on the + * Thread v1.0.0 specification; incompatible changes to the specification + * might still happen. For this reason, this is disabled by default. + * + * Module: library/ecjpake.c + * Caller: + * + * This module is used by the following key exchanges: + * ECJPAKE + * + * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C + */ +#define MBEDTLS_ECJPAKE_C + +/** + * \def MBEDTLS_ECP_C + * + * Enable the elliptic curve over GF(p) library. + * + * Module: library/ecp.c + * Caller: library/ecdh.c + * library/ecdsa.c + * library/ecjpake.c + * + * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED + */ +#define MBEDTLS_ECP_C + +/** + * \def MBEDTLS_ENTROPY_C + * + * Enable the platform-specific entropy code. + * + * Module: library/entropy.c + * Caller: + * + * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C + * + * This module provides a generic entropy pool + */ +#define MBEDTLS_ENTROPY_C + +/** + * \def MBEDTLS_ERROR_C + * + * Enable error code to error string conversion. + * + * Module: library/error.c + * Caller: + * + * This module enables mbedtls_strerror(). + */ +#define MBEDTLS_ERROR_C + +/** + * \def MBEDTLS_GCM_C + * + * Enable the Galois/Counter Mode (GCM) for AES. + * + * Module: library/gcm.c + * + * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C + * + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + * requisites are enabled as well. + */ +//#define MBEDTLS_GCM_C + +/** + * \def MBEDTLS_HAVEGE_C + * + * Enable the HAVEGE random generator. + * + * Warning: the HAVEGE random generator is not suitable for virtualized + * environments + * + * Warning: the HAVEGE random generator is dependent on timing and specific + * processor traits. It is therefore not advised to use HAVEGE as + * your applications primary random generator or primary entropy pool + * input. As a secondary input to your entropy pool, it IS able add + * the (limited) extra entropy it provides. + * + * Module: library/havege.c + * Caller: + * + * Requires: MBEDTLS_TIMING_C + * + * Uncomment to enable the HAVEGE random generator. + */ +//#define MBEDTLS_HAVEGE_C + +/** + * \def MBEDTLS_HMAC_DRBG_C + * + * Enable the HMAC_DRBG random generator. + * + * Module: library/hmac_drbg.c + * Caller: + * + * Requires: MBEDTLS_MD_C + * + * Uncomment to enable the HMAC_DRBG random number geerator. + */ +#define MBEDTLS_HMAC_DRBG_C + +/** + * \def MBEDTLS_MD_C + * + * Enable the generic message digest layer. + * + * Module: library/mbedtls_md.c + * Caller: + * + * Uncomment to enable generic message digest wrappers. + */ +#define MBEDTLS_MD_C + +/** + * \def MBEDTLS_MD2_C + * + * Enable the MD2 hash algorithm. + * + * Module: library/mbedtls_md2.c + * Caller: + * + * Uncomment to enable support for (rare) MD2-signed X.509 certs. + */ +//#define MBEDTLS_MD2_C + +/** + * \def MBEDTLS_MD4_C + * + * Enable the MD4 hash algorithm. + * + * Module: library/mbedtls_md4.c + * Caller: + * + * Uncomment to enable support for (rare) MD4-signed X.509 certs. + */ +//#define MBEDTLS_MD4_C + +/** + * \def MBEDTLS_MD5_C + * + * Enable the MD5 hash algorithm. + * + * Module: library/mbedtls_md5.c + * Caller: library/mbedtls_md.c + * library/pem.c + * library/ssl_tls.c + * + * This module is required for SSL/TLS and X.509. + * PEM_PARSE uses MD5 for decrypting encrypted keys. + */ +//#define MBEDTLS_MD5_C + +/** + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C + * + * Enable the buffer allocator implementation that makes use of a (stack) + * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() + * calls) + * + * Module: library/memory_buffer_alloc.c + * + * Requires: MBEDTLS_PLATFORM_C + * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) + * + * Enable this module to enable the buffer memory allocator. + */ +//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C + +/** + * \def MBEDTLS_NET_C + * + * Enable the TCP/IP networking routines. + * + * Module: library/net.c + * + * This module provides TCP/IP networking routines. + */ +//#define MBEDTLS_NET_C + +/** + * \def MBEDTLS_OID_C + * + * Enable the OID database. + * + * Module: library/oid.c + * Caller: library/asn1write.c + * library/pkcs5.c + * library/pkparse.c + * library/pkwrite.c + * library/rsa.c + * library/x509.c + * library/x509_create.c + * library/mbedtls_x509_crl.c + * library/mbedtls_x509_crt.c + * library/mbedtls_x509_csr.c + * library/x509write_crt.c + * library/mbedtls_x509write_csr.c + * + * This modules translates between OIDs and internal values. + */ +#define MBEDTLS_OID_C + +/** + * \def MBEDTLS_PADLOCK_C + * + * Enable VIA Padlock support on x86. + * + * Module: library/padlock.c + * Caller: library/aes.c + * + * Requires: MBEDTLS_HAVE_ASM + * + * This modules adds support for the VIA PadLock on x86. + */ +//#define MBEDTLS_PADLOCK_C + +/** + * \def MBEDTLS_PEM_PARSE_C + * + * Enable PEM decoding / parsing. + * + * Module: library/pem.c + * Caller: library/dhm.c + * library/pkparse.c + * library/mbedtls_x509_crl.c + * library/mbedtls_x509_crt.c + * library/mbedtls_x509_csr.c + * + * Requires: MBEDTLS_BASE64_C + * + * This modules adds support for decoding / parsing PEM files. + */ +//#define MBEDTLS_PEM_PARSE_C + +/** + * \def MBEDTLS_PEM_WRITE_C + * + * Enable PEM encoding / writing. + * + * Module: library/pem.c + * Caller: library/pkwrite.c + * library/x509write_crt.c + * library/mbedtls_x509write_csr.c + * + * Requires: MBEDTLS_BASE64_C + * + * This modules adds support for encoding / writing PEM files. + */ +//#define MBEDTLS_PEM_WRITE_C + +/** + * \def MBEDTLS_PK_C + * + * Enable the generic public (asymetric) key layer. + * + * Module: library/pk.c + * Caller: library/ssl_tls.c + * library/ssl_cli.c + * library/ssl_srv.c + * + * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C + * + * Uncomment to enable generic public key wrappers. + */ +#define MBEDTLS_PK_C + +/** + * \def MBEDTLS_PK_PARSE_C + * + * Enable the generic public (asymetric) key parser. + * + * Module: library/pkparse.c + * Caller: library/mbedtls_x509_crt.c + * library/mbedtls_x509_csr.c + * + * Requires: MBEDTLS_PK_C + * + * Uncomment to enable generic public key parse functions. + */ +#define MBEDTLS_PK_PARSE_C + +/** + * \def MBEDTLS_PK_WRITE_C + * + * Enable the generic public (asymetric) key writer. + * + * Module: library/pkwrite.c + * Caller: library/x509write.c + * + * Requires: MBEDTLS_PK_C + * + * Uncomment to enable generic public key write functions. + */ +#define MBEDTLS_PK_WRITE_C + +/** + * \def MBEDTLS_PKCS5_C + * + * Enable PKCS#5 functions. + * + * Module: library/pkcs5.c + * + * Requires: MBEDTLS_MD_C + * + * This module adds support for the PKCS#5 functions. + */ +//#define MBEDTLS_PKCS5_C + +/** + * \def MBEDTLS_PKCS11_C + * + * Enable wrapper for PKCS#11 smartcard support. + * + * Module: library/pkcs11.c + * Caller: library/pk.c + * + * Requires: MBEDTLS_PK_C + * + * This module enables SSL/TLS PKCS #11 smartcard support. + * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) + */ +//#define MBEDTLS_PKCS11_C + +/** + * \def MBEDTLS_PKCS12_C + * + * Enable PKCS#12 PBE functions. + * Adds algorithms for parsing PKCS#8 encrypted private keys + * + * Module: library/pkcs12.c + * Caller: library/pkparse.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Can use: MBEDTLS_ARC4_C + * + * This module enables PKCS#12 functions. + */ +//#define MBEDTLS_PKCS12_C + +/** + * \def MBEDTLS_PLATFORM_C + * + * Enable the platform abstraction layer that allows you to re-assign + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). + * + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned + * above to be specified at runtime or compile time respectively. + * + * \note This abstraction layer must be enabled on Windows (including MSYS2) + * as other module rely on it for a fixed snprintf implementation. + * + * Module: library/platform.c + * Caller: Most other .c files + * + * This module enables abstraction of common (libc) functions. + */ +#define MBEDTLS_PLATFORM_C + +/** + * \def MBEDTLS_RIPEMD160_C + * + * Enable the RIPEMD-160 hash algorithm. + * + * Module: library/mbedtls_ripemd160.c + * Caller: library/mbedtls_md.c + * + */ +//#define MBEDTLS_RIPEMD160_C + +/** + * \def MBEDTLS_RSA_C + * + * Enable the RSA public-key cryptosystem. + * + * Module: library/rsa.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * library/x509.c + * + * This module is used by the following key exchanges: + * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C + */ +//#define MBEDTLS_RSA_C + +/** + * \def MBEDTLS_SHA1_C + * + * Enable the SHA1 cryptographic hash algorithm. + * + * Module: library/mbedtls_sha1.c + * Caller: library/mbedtls_md.c + * library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * library/x509write_crt.c + * + * This module is required for SSL/TLS and SHA1-signed certificates. + */ +//#define MBEDTLS_SHA1_C + +/** + * \def MBEDTLS_SHA256_C + * + * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. + * + * Module: library/mbedtls_sha256.c + * Caller: library/entropy.c + * library/mbedtls_md.c + * library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * This module adds support for SHA-224 and SHA-256. + * This module is required for the SSL/TLS 1.2 PRF function. + */ +#define MBEDTLS_SHA256_C + +/** + * \def MBEDTLS_SHA512_C + * + * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. + * + * Module: library/mbedtls_sha512.c + * Caller: library/entropy.c + * library/mbedtls_md.c + * library/ssl_cli.c + * library/ssl_srv.c + * + * This module adds support for SHA-384 and SHA-512. + */ +//#define MBEDTLS_SHA512_C + +/** + * \def MBEDTLS_SSL_CACHE_C + * + * Enable simple SSL cache implementation. + * + * Module: library/ssl_cache.c + * Caller: + * + * Requires: MBEDTLS_SSL_CACHE_C + */ +//#define MBEDTLS_SSL_CACHE_C + +/** + * \def MBEDTLS_SSL_COOKIE_C + * + * Enable basic implementation of DTLS cookies for hello verification. + * + * Module: library/ssl_cookie.c + * Caller: + */ +#define MBEDTLS_SSL_COOKIE_C + +/** + * \def MBEDTLS_SSL_TICKET_C + * + * Enable an implementation of TLS server-side callbacks for session tickets. + * + * Module: library/ssl_ticket.c + * Caller: + * + * Requires: MBEDTLS_CIPHER_C + */ +//#define MBEDTLS_SSL_TICKET_C + +/** + * \def MBEDTLS_SSL_CLI_C + * + * Enable the SSL/TLS client code. + * + * Module: library/ssl_cli.c + * Caller: + * + * Requires: MBEDTLS_SSL_TLS_C + * + * This module is required for SSL/TLS client support. + */ +#define MBEDTLS_SSL_CLI_C + +/** + * \def MBEDTLS_SSL_SRV_C + * + * Enable the SSL/TLS server code. + * + * Module: library/ssl_srv.c + * Caller: + * + * Requires: MBEDTLS_SSL_TLS_C + * + * This module is required for SSL/TLS server support. + */ +#define MBEDTLS_SSL_SRV_C + +/** + * \def MBEDTLS_SSL_TLS_C + * + * Enable the generic SSL/TLS code. + * + * Module: library/ssl_tls.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * and at least one of the MBEDTLS_SSL_PROTO_XXX defines + * + * This module is required for SSL/TLS. + */ +#define MBEDTLS_SSL_TLS_C + +/** + * \def MBEDTLS_THREADING_C + * + * Enable the threading abstraction layer. + * By default mbed TLS assumes it is used in a non-threaded environment or that + * contexts are not shared between threads. If you do intend to use contexts + * between threads, you will need to enable this layer to prevent race + * conditions. + * + * Module: library/threading.c + * + * This allows different threading implementations (self-implemented or + * provided). + * + * You will have to enable either MBEDTLS_THREADING_ALT or + * MBEDTLS_THREADING_PTHREAD. + * + * Enable this layer to allow use of mutexes within mbed TLS + */ +//#define MBEDTLS_THREADING_C + +/** + * \def MBEDTLS_TIMING_C + * + * Enable the portable timing interface. + * + * Module: library/timing.c + * Caller: library/havege.c + * + * This module is used by the HAVEGE random number generator. + */ +//#define MBEDTLS_TIMING_C + +/** + * \def MBEDTLS_VERSION_C + * + * Enable run-time version information. + * + * Module: library/version.c + * + * This module provides run-time version information. + */ +#define MBEDTLS_VERSION_C + +/** + * \def MBEDTLS_X509_USE_C + * + * Enable X.509 core for using certificates. + * + * Module: library/x509.c + * Caller: library/mbedtls_x509_crl.c + * library/mbedtls_x509_crt.c + * library/mbedtls_x509_csr.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, + * MBEDTLS_PK_PARSE_C + * + * This module is required for the X.509 parsing modules. + */ +//#define MBEDTLS_X509_USE_C + +/** + * \def MBEDTLS_X509_CRT_PARSE_C + * + * Enable X.509 certificate parsing. + * + * Module: library/mbedtls_x509_crt.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 certificate parsing. + */ +//#define MBEDTLS_X509_CRT_PARSE_C + +/** + * \def MBEDTLS_X509_CRL_PARSE_C + * + * Enable X.509 CRL parsing. + * + * Module: library/mbedtls_x509_crl.c + * Caller: library/mbedtls_x509_crt.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 CRL parsing. + */ +//#define MBEDTLS_X509_CRL_PARSE_C + +/** + * \def MBEDTLS_X509_CSR_PARSE_C + * + * Enable X.509 Certificate Signing Request (CSR) parsing. + * + * Module: library/mbedtls_x509_csr.c + * Caller: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is used for reading X.509 certificate request. + */ +//#define MBEDTLS_X509_CSR_PARSE_C + +/** + * \def MBEDTLS_X509_CREATE_C + * + * Enable X.509 core for creating certificates. + * + * Module: library/x509_create.c + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C + * + * This module is the basis for creating X.509 certificates and CSRs. + */ +//#define MBEDTLS_X509_CREATE_C + +/** + * \def MBEDTLS_X509_CRT_WRITE_C + * + * Enable creating X.509 certificates. + * + * Module: library/x509_crt_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate creation. + */ +//#define MBEDTLS_X509_CRT_WRITE_C + +/** + * \def MBEDTLS_X509_CSR_WRITE_C + * + * Enable creating X.509 Certificate Signing Requests (CSR). + * + * Module: library/x509_csr_write.c + * + * Requires: MBEDTLS_X509_CREATE_C + * + * This module is required for X.509 certificate request writing. + */ +//#define MBEDTLS_X509_CSR_WRITE_C + +/** + * \def MBEDTLS_XTEA_C + * + * Enable the XTEA block cipher. + * + * Module: library/xtea.c + * Caller: + */ +//#define MBEDTLS_XTEA_C + +/* \} name SECTION: mbed TLS modules */ + +/** + * \name SECTION: Module configuration options + * + * This section allows for the setting of module specific sizes and + * configuration options. The default values are already present in the + * relevant header files and should suffice for the regular use cases. + * + * Our advice is to enable options and change their values here + * only if you have a good reason and know the consequences. + * + * Please check the respective header file for documentation on these + * parameters (to prevent duplicate documentation). + * \{ + */ + +/* MPI / BIGNUM options */ +//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ +//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ + +/* CTR_DRBG options */ +//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ +//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ +//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ +//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ +//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ + +/* HMAC_DRBG options */ +//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ +//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ +//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ +//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ + +/* ECP options */ +//#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ +//#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ +//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ + +/* Entropy options */ +//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ +//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ + +/* Memory buffer allocator options */ +//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ + +/* Platform options */ +//#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ +/* Note: your snprintf must correclty zero-terminate the buffer! */ +//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ + +/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ +/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ +//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ +/* Note: your snprintf must correclty zero-terminate the buffer! */ +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ + +/* SSL Cache options */ +//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ +//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ + +/* SSL options */ +//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ +//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ +//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ +//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ + +/** + * Complete list of ciphersuites to use, in order of preference. + * + * \warning No dependency checking is done on that field! This option can only + * be used to restrict the set of available ciphersuites. It is your + * responsibility to make sure the needed modules are active. + * + * Use this to save a few hundred bytes of ROM (default ordering of all + * available ciphersuites) and a few to a few hundred bytes of RAM. + * + * The value below is only an example, not the default. + */ +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + +/* X509 options */ +//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ + +/* \} name SECTION: Module configuration options */ + +#if defined(TARGET_LIKE_MBED) +#include "mbedtls/target_config.h" +#endif + +/* + * Allow user to override any previous default. + * + * Use two macro names for that, as: + * - with yotta the prefix YOTTA_CFG_ is forced + * - without yotta is looks weird to have a YOTTA prefix. + */ +#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) +#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE +#elif defined(MBEDTLS_USER_CONFIG_FILE) +#include MBEDTLS_USER_CONFIG_FILE +#endif + +#include "check_config.h" + +#endif /* MBEDTLS_CONFIG_H */ From b7da19493986198e6d8bc02ea84da1d43a23d436 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Oct 2015 13:35:22 +0200 Subject: [PATCH 71/87] ecjpake: fix uninitialize member --- library/ecjpake.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ecjpake.c b/library/ecjpake.c index 6a7245215..fd54a7d2d 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -57,6 +57,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ) ctx->md_info = NULL; mbedtls_ecp_group_init( &ctx->grp ); + ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED; mbedtls_ecp_point_init( &ctx->Xm1 ); mbedtls_ecp_point_init( &ctx->Xm2 ); From 024b6df3b1093f95cb715a6f838cbcc67df4a2ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Oct 2015 13:52:53 +0200 Subject: [PATCH 72/87] Improve key export API and documentation - "master secret" is the usual name - move key block arg closer to the related lengths - document lengths Also fix some trailing whitespace while at it --- include/mbedtls/config.h | 2 +- include/mbedtls/ssl.h | 29 +++++++++++++---------------- library/ssl_tls.c | 8 ++++---- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 58342798a..9c96a0511 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1181,7 +1181,7 @@ /** * \def MBEDTLS_SSL_EXPORT_KEYS * - * Enable support for exporting key block and master key. + * Enable support for exporting key block and master secret. * This is required for certain users of TLS, e.g. EAP-TLS. * * Comment this macro to disable support for key export diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c3cd006e3..e6b73d08e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -545,7 +545,7 @@ struct mbedtls_ssl_config #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) - /** Callback to export key block and master key */ + /** Callback to export key block and master secret */ int (*f_export_keys)( void *, const unsigned char *, const unsigned char *, size_t, size_t, size_t ); void *p_export_keys; /*!< context for key export callback */ @@ -1080,17 +1080,18 @@ typedef int mbedtls_ssl_ticket_write_t( void *p_ticket, #if defined(MBEDTLS_SSL_EXPORT_KEYS) /** - * \brief Callback type: Export key block and master key + * \brief Callback type: Export key block and master secret * * \note This is required for certain uses of TLS, e.g. EAP-TLS - * (RFC 5216). The key pointers are ephemeral and therefore - * must not be stored. The keys should not be copied - * verbatim and should be used specifically for key - * derivation purposes + * (RFC 5216) and Thread. The key pointers are ephemeral and + * therefore must not be stored. The master secret and keys + * should not be used directly except as an input to a key + * derivation function. * * \param p_expkey Context for the callback - * \param kb Pointer to key block - * \param mk Pointer to master key + * \param ms Pointer to master secret (fixed length: 48 bytes) + * \param kb Pointer to key block, see RFC 5246 section 6.3 + * (variable length: 2 * maclen + 2 * keylen + 2 * ivlen). * \param maclen MAC length * \param keylen Key length * \param ivlen IV length @@ -1099,13 +1100,13 @@ typedef int mbedtls_ssl_ticket_write_t( void *p_ticket, * a specific MBEDTLS_ERR_XXX code. */ typedef int mbedtls_ssl_export_keys_t( void *p_expkey, + const unsigned char *ms, const unsigned char *kb, - const unsigned char *mk, size_t maclen, size_t keylen, size_t ivlen ); #endif /* MBEDTLS_SSL_EXPORT_KEYS */ - + /** * \brief Callback type: parse and load session ticket * @@ -1160,15 +1161,11 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, * \brief Configure key export callback. * (Default: none.) * - * \note This is required for certain uses of TLS, e.g. EAP-TLS - * (RFC 5216). The key pointers are ephemeral and therefore - * must not be stored. The keys should not be copied - * verbatim and should be used specifically for key - * derivation purposes + * \note See \c mbedtls_ssl_export_keys_t. * * \param conf SSL configuration context * \param f_export_keys Callback for exporting keys - * \param p_export_keys Context shared by the callback + * \param p_export_keys Context for the callback */ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, mbedtls_ssl_export_keys_t *f_export_keys, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a42fcc528..bc8215889 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -862,11 +862,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - if( ssl->conf->f_export_keys != NULL) +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( ssl->conf->f_export_keys != NULL ) { - ssl->conf->f_export_keys( ssl->conf->p_export_keys, - keyblk, session->master, + ssl->conf->f_export_keys( ssl->conf->p_export_keys, + session->master, keyblk, transform->maclen, transform->keylen, iv_copy_len ); } From 9f52cac4bc11fcc75319a73a8a73c7f8f2328b7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Oct 2015 14:06:07 +0200 Subject: [PATCH 73/87] Rename config-ecjpake to thread and minify it - in the future thread might need more than just EC J-PAKE - use the same format as the other mini configurations (no doxygen doc, only showing what is enabled) --- configs/config-ecjpake.h | 2493 -------------------------------------- configs/config-thread.h | 80 ++ 2 files changed, 80 insertions(+), 2493 deletions(-) delete mode 100644 configs/config-ecjpake.h create mode 100644 configs/config-thread.h diff --git a/configs/config-ecjpake.h b/configs/config-ecjpake.h deleted file mode 100644 index e8db44c7d..000000000 --- a/configs/config-ecjpake.h +++ /dev/null @@ -1,2493 +0,0 @@ -/** - * \file config.h - * - * \brief Configuration options (set of defines) - * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) - */ - -/* - * This set of compile-time options may be used to enable - * or disable features selectively, and reduce the global - * memory footprint. - */ -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H - -#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) -#define _CRT_SECURE_NO_DEPRECATE 1 -#endif - -/** - * \name SECTION: System support - * - * This section sets system specific settings. - * \{ - */ - -/** - * \def MBEDTLS_HAVE_ASM - * - * The compiler has support for asm(). - * - * Requires support for asm() in compiler. - * - * Used in: - * library/timing.c - * library/padlock.c - * include/mbedtls/bn_mul.h - * - * Comment to disable the use of assembly code. - */ -//#define MBEDTLS_HAVE_ASM - -/** - * \def MBEDTLS_HAVE_SSE2 - * - * CPU supports SSE2 instruction set. - * - * Uncomment if the CPU supports SSE2 (IA-32 specific). - */ -//#define MBEDTLS_HAVE_SSE2 - -/** - * \def MBEDTLS_HAVE_TIME - * - * System has time.h and time(). - * The time does not need to be correct, only time differences are used, - * by contrast with MBEDTLS_HAVE_TIME_DATE - * - * Comment if your system does not support time functions - */ -//#define MBEDTLS_HAVE_TIME - -/** - * \def MBEDTLS_HAVE_TIME_DATE - * - * System has time.h and time(), gmtime() and the clock is correct. - * The time needs to be correct (not necesarily very accurate, but at least - * the date should be correct). This is used to verify the validity period of - * X.509 certificates. - * - * Comment if your system does not have a correct clock. - */ -//#define MBEDTLS_HAVE_TIME_DATE - -/** - * \def MBEDTLS_PLATFORM_MEMORY - * - * Enable the memory allocation layer. - * - * By default mbed TLS uses the system-provided calloc() and free(). - * This allows different allocators (self-implemented or provided) to be - * provided to the platform abstraction layer. - * - * Enabling MBEDTLS_PLATFORM_MEMORY without the - * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide - * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and - * free() function pointer at runtime. - * - * Enabling MBEDTLS_PLATFORM_MEMORY and specifying - * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the - * alternate function at compile time. - * - * Requires: MBEDTLS_PLATFORM_C - * - * Enable this layer to allow use of alternative memory allocators. - */ -//#define MBEDTLS_PLATFORM_MEMORY - -/** - * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS - * - * Do not assign standard functions in the platform layer (e.g. calloc() to - * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) - * - * This makes sure there are no linking errors on platforms that do not support - * these functions. You will HAVE to provide alternatives, either at runtime - * via the platform_set_xxx() functions or at compile time by setting - * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a - * MBEDTLS_PLATFORM_XXX_MACRO. - * - * Requires: MBEDTLS_PLATFORM_C - * - * Uncomment to prevent default assignment of standard functions in the - * platform layer. - */ -//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS - -/** - * \def MBEDTLS_PLATFORM_XXX_ALT - * - * Uncomment a macro to let mbed TLS support the function in the platform - * abstraction layer. - * - * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will - * provide a function "mbedtls_platform_set_printf()" that allows you to set an - * alternative printf function pointer. - * - * All these define require MBEDTLS_PLATFORM_C to be defined! - * - * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows; - * it will be enabled automatically by check_config.h - * - * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as - * MBEDTLS_PLATFORM_XXX_MACRO! - * - * Uncomment a macro to enable alternate implementation of specific base - * platform function - */ -//#define MBEDTLS_PLATFORM_EXIT_ALT -//#define MBEDTLS_PLATFORM_FPRINTF_ALT -//#define MBEDTLS_PLATFORM_PRINTF_ALT -//#define MBEDTLS_PLATFORM_SNPRINTF_ALT - -/** - * \def MBEDTLS_DEPRECATED_WARNING - * - * Mark deprecated functions so that they generate a warning if used. - * Functions deprecated in one version will usually be removed in the next - * version. You can enable this to help you prepare the transition to a new - * major version by making sure your code is not using these functions. - * - * This only works with GCC and Clang. With other compilers, you may want to - * use MBEDTLS_DEPRECATED_REMOVED - * - * Uncomment to get warnings on using deprecated functions. - */ -//#define MBEDTLS_DEPRECATED_WARNING - -/** - * \def MBEDTLS_DEPRECATED_REMOVED - * - * Remove deprecated functions so that they generate an error if used. - * Functions deprecated in one version will usually be removed in the next - * version. You can enable this to help you prepare the transition to a new - * major version by making sure your code is not using these functions. - * - * Uncomment to get errors on using deprecated functions. - */ -//#define MBEDTLS_DEPRECATED_REMOVED - -/* \} name SECTION: System support */ - -/** - * \name SECTION: mbed TLS feature support - * - * This section sets support for features that are or are not needed - * within the modules that are enabled. - * \{ - */ - -/** - * \def MBEDTLS_TIMING_ALT - * - * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), - * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() - * - * Only works if you have MBEDTLS_TIMING_C enabled. - * - * You will need to provide a header "timing_alt.h" and an implementation at - * compile time. - */ -//#define MBEDTLS_TIMING_ALT - -/** - * \def MBEDTLS__MODULE_NAME__ALT - * - * Uncomment a macro to let mbed TLS use your alternate core implementation of - * a symmetric crypto or hash module (e.g. platform specific assembly - * optimized implementations). Keep in mind that the function prototypes - * should remain the same. - * - * This replaces the whole module. If you only want to replace one of the - * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. - * - * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer - * provide the "struct mbedtls_aes_context" definition and omit the base function - * declarations and implementations. "aes_alt.h" will be included from - * "aes.h" to include the new function definitions. - * - * Uncomment a macro to enable alternate implementation of the corresponding - * module. - */ -//#define MBEDTLS_AES_ALT -//#define MBEDTLS_ARC4_ALT -//#define MBEDTLS_BLOWFISH_ALT -//#define MBEDTLS_CAMELLIA_ALT -//#define MBEDTLS_DES_ALT -//#define MBEDTLS_XTEA_ALT -//#define MBEDTLS_MD2_ALT -//#define MBEDTLS_MD4_ALT -//#define MBEDTLS_MD5_ALT -//#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_SHA1_ALT -//#define MBEDTLS_SHA256_ALT -//#define MBEDTLS_SHA512_ALT - -/** - * \def MBEDTLS__FUNCTION_NAME__ALT - * - * Uncomment a macro to let mbed TLS use you alternate core implementation of - * symmetric crypto or hash function. Keep in mind that function prototypes - * should remain the same. - * - * This replaces only one function. The header file from mbed TLS is still - * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. - * - * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will - * no longer provide the mbedtls_sha1_process() function, but it will still provide - * the other function (using your mbedtls_sha1_process() function) and the definition - * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible - * with this definition. - * - * Note: if you use the AES_xxx_ALT macros, then is is recommended to also set - * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES - * tables. - * - * Uncomment a macro to enable alternate implementation of the corresponding - * function. - */ -//#define MBEDTLS_MD2_PROCESS_ALT -//#define MBEDTLS_MD4_PROCESS_ALT -//#define MBEDTLS_MD5_PROCESS_ALT -//#define MBEDTLS_RIPEMD160_PROCESS_ALT -//#define MBEDTLS_SHA1_PROCESS_ALT -//#define MBEDTLS_SHA256_PROCESS_ALT -//#define MBEDTLS_SHA512_PROCESS_ALT -//#define MBEDTLS_DES_SETKEY_ALT -//#define MBEDTLS_DES_CRYPT_ECB_ALT -//#define MBEDTLS_DES3_CRYPT_ECB_ALT -//#define MBEDTLS_AES_SETKEY_ENC_ALT -//#define MBEDTLS_AES_SETKEY_DEC_ALT -//#define MBEDTLS_AES_ENCRYPT_ALT -//#define MBEDTLS_AES_DECRYPT_ALT - -/** - * \def MBEDTLS_ENTROPY_HARDWARE_ALT - * - * Uncomment this macro to let mbed TLS use your own implementation of a - * hardware entropy collector. - * - * Your function must be called \c mbedtls_hardware_poll(), have the same - * prototype as declared in entropy_poll.h, and accept NULL as first argument. - * - * Uncomment to use your own hardware entropy collector. - */ -//#define MBEDTLS_ENTROPY_HARDWARE_ALT - -/** - * \def MBEDTLS_AES_ROM_TABLES - * - * Store the AES tables in ROM. - * - * Uncomment this macro to store the AES tables in ROM. - */ -//#define MBEDTLS_AES_ROM_TABLES - -/** - * \def MBEDTLS_CAMELLIA_SMALL_MEMORY - * - * Use less ROM for the Camellia implementation (saves about 768 bytes). - * - * Uncomment this macro to use less memory for Camellia. - */ -//#define MBEDTLS_CAMELLIA_SMALL_MEMORY - -/** - * \def MBEDTLS_CIPHER_MODE_CBC - * - * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. - */ -//#define MBEDTLS_CIPHER_MODE_CBC - -/** - * \def MBEDTLS_CIPHER_MODE_CFB - * - * Enable Cipher Feedback mode (CFB) for symmetric ciphers. - */ -//#define MBEDTLS_CIPHER_MODE_CFB - -/** - * \def MBEDTLS_CIPHER_MODE_CTR - * - * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. - */ -#define MBEDTLS_CIPHER_MODE_CTR - -/** - * \def MBEDTLS_CIPHER_NULL_CIPHER - * - * Enable NULL cipher. - * Warning: Only do so when you know what you are doing. This allows for - * encryption or channels without any security! - * - * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable - * the following ciphersuites: - * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA - * MBEDTLS_TLS_RSA_WITH_NULL_SHA256 - * MBEDTLS_TLS_RSA_WITH_NULL_SHA - * MBEDTLS_TLS_RSA_WITH_NULL_MD5 - * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA - * MBEDTLS_TLS_PSK_WITH_NULL_SHA384 - * MBEDTLS_TLS_PSK_WITH_NULL_SHA256 - * MBEDTLS_TLS_PSK_WITH_NULL_SHA - * - * Uncomment this macro to enable the NULL cipher and ciphersuites - */ -//#define MBEDTLS_CIPHER_NULL_CIPHER - -/** - * \def MBEDTLS_CIPHER_PADDING_XXX - * - * Uncomment or comment macros to add support for specific padding modes - * in the cipher layer with cipher modes that support padding (e.g. CBC) - * - * If you disable all padding modes, only full blocks can be used with CBC. - * - * Enable padding modes in the cipher layer. - */ -//#define MBEDTLS_CIPHER_PADDING_PKCS7 -//#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS -//#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN -//#define MBEDTLS_CIPHER_PADDING_ZEROS - -/** - * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES - * - * Enable weak ciphersuites in SSL / TLS. - * Warning: Only do so when you know what you are doing. This allows for - * channels with virtually no security at all! - * - * This enables the following ciphersuites: - * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA - * - * Uncomment this macro to enable weak ciphersuites - */ -//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES - -/** - * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES - * - * Remove RC4 ciphersuites by default in SSL / TLS. - * This flag removes the ciphersuites based on RC4 from the default list as - * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to - * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them - * explicitly. - * - * Uncomment this macro to remove RC4 ciphersuites by default. - */ -#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES - -/** - * \def MBEDTLS_ECP_XXXX_ENABLED - * - * Enables specific curves within the Elliptic Curve module. - * By default all supported curves are enabled. - * - * Comment macros to disable the curve and functions for it - */ -//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -//#define MBEDTLS_ECP_DP_SECP384R1_ENABLED -//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED -//#define MBEDTLS_ECP_DP_BP256R1_ENABLED -//#define MBEDTLS_ECP_DP_BP384R1_ENABLED -//#define MBEDTLS_ECP_DP_BP512R1_ENABLED -//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED - -/** - * \def MBEDTLS_ECP_NIST_OPTIM - * - * Enable specific 'modulo p' routines for each NIST prime. - * Depending on the prime and architecture, makes operations 4 to 8 times - * faster on the corresponding curve. - * - * Comment this macro to disable NIST curves optimisation. - */ -#define MBEDTLS_ECP_NIST_OPTIM - -/** - * \def MBEDTLS_ECDSA_DETERMINISTIC - * - * Enable deterministic ECDSA (RFC 6979). - * Standard ECDSA is "fragile" in the sense that lack of entropy when signing - * may result in a compromise of the long-term signing key. This is avoided by - * the deterministic variant. - * - * Requires: MBEDTLS_HMAC_DRBG_C - * - * Comment this macro to disable deterministic ECDSA. - */ -//#define MBEDTLS_ECDSA_DETERMINISTIC - -/** - * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED - * - * Enable the PSK based ciphersuite modes in SSL / TLS. - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA - */ -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - * - * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_DHM_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - * - * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - * - * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - * - * Enable the RSA-only based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 - */ -//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - * - * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - * - * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - * - * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - * - * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - */ -//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - * - * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - */ -//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - * - * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. - * - * \warning This is currently experimental. EC J-PAKE support is based on the - * Thread v1.0.0 specification; incompatible changes to the specification - * might still happen. For this reason, this is disabled by default. - * - * Requires: MBEDTLS_ECJPAKE_C - * MBEDTLS_SHA256_C - * MBEDTLS_ECP_DP_SECP256R1_ENABLED - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 - */ -#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - -/** - * \def MBEDTLS_PK_PARSE_EC_EXTENDED - * - * Enhance support for reading EC keys using variants of SEC1 not allowed by - * RFC 5915 and RFC 5480. - * - * Currently this means parsing the SpecifiedECDomain choice of EC - * parameters (only known groups are supported, not arbitrary domains, to - * avoid validation issues). - * - * Disable if you only need to support RFC 5915 + 5480 key formats. - */ -//#define MBEDTLS_PK_PARSE_EC_EXTENDED - -/** - * \def MBEDTLS_ERROR_STRERROR_DUMMY - * - * Enable a dummy error function to make use of mbedtls_strerror() in - * third party libraries easier when MBEDTLS_ERROR_C is disabled - * (no effect when MBEDTLS_ERROR_C is enabled). - * - * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're - * not using mbedtls_strerror() or error_strerror() in your application. - * - * Disable if you run into name conflicts and want to really remove the - * mbedtls_strerror() - */ -#define MBEDTLS_ERROR_STRERROR_DUMMY - -/** - * \def MBEDTLS_GENPRIME - * - * Enable the prime-number generation code. - * - * Requires: MBEDTLS_BIGNUM_C - */ -#define MBEDTLS_GENPRIME - -/** - * \def MBEDTLS_FS_IO - * - * Enable functions that use the filesystem. - */ -#define MBEDTLS_FS_IO - -/** - * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - * - * Do not add default entropy sources. These are the platform specific, - * mbedtls_timing_hardclock and HAVEGE based poll functions. - * - * This is useful to have more control over the added entropy sources in an - * application. - * - * Uncomment this macro to prevent loading of default entropy functions. - */ -//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - -/** - * \def MBEDTLS_NO_PLATFORM_ENTROPY - * - * Do not use built-in platform entropy functions. - * This is useful if your platform does not support - * standards like the /dev/urandom or Windows CryptoAPI. - * - * Uncomment this macro to disable the built-in platform entropy functions. - */ -//#define MBEDTLS_NO_PLATFORM_ENTROPY - -/** - * \def MBEDTLS_ENTROPY_FORCE_SHA256 - * - * Force the entropy accumulator to use a SHA-256 accumulator instead of the - * default SHA-512 based one (if both are available). - * - * Requires: MBEDTLS_SHA256_C - * - * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option - * if you have performance concerns. - * - * This option is only useful if both MBEDTLS_SHA256_C and - * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. - */ -//#define MBEDTLS_ENTROPY_FORCE_SHA256 - -/** - * \def MBEDTLS_MEMORY_DEBUG - * - * Enable debugging of buffer allocator memory issues. Automatically prints - * (to stderr) all (fatal) messages on memory allocation issues. Enables - * function for 'debug output' of allocated memory. - * - * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C - * - * Uncomment this macro to let the buffer allocator print out error messages. - */ -//#define MBEDTLS_MEMORY_DEBUG - -/** - * \def MBEDTLS_MEMORY_BACKTRACE - * - * Include backtrace information with each allocated block. - * - * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C - * GLIBC-compatible backtrace() an backtrace_symbols() support - * - * Uncomment this macro to include backtrace information - */ -//#define MBEDTLS_MEMORY_BACKTRACE - -/** - * \def MBEDTLS_PK_RSA_ALT_SUPPORT - * - * Support external private RSA keys (eg from a HSM) in the PK layer. - * - * Comment this macro to disable support for external private RSA keys. - */ -//#define MBEDTLS_PK_RSA_ALT_SUPPORT - -/** - * \def MBEDTLS_PKCS1_V15 - * - * Enable support for PKCS#1 v1.5 encoding. - * - * Requires: MBEDTLS_RSA_C - * - * This enables support for PKCS#1 v1.5 operations. - */ -//#define MBEDTLS_PKCS1_V15 - -/** - * \def MBEDTLS_PKCS1_V21 - * - * Enable support for PKCS#1 v2.1 encoding. - * - * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C - * - * This enables support for RSAES-OAEP and RSASSA-PSS operations. - */ -//#define MBEDTLS_PKCS1_V21 - -/** - * \def MBEDTLS_RSA_NO_CRT - * - * Do not use the Chinese Remainder Theorem for the RSA private operation. - * - * Uncomment this macro to disable the use of CRT in RSA. - * - */ -//#define MBEDTLS_RSA_NO_CRT - -/** - * \def MBEDTLS_SELF_TEST - * - * Enable the checkup functions (*_self_test). - */ -//#define MBEDTLS_SELF_TEST - -/** - * \def MBEDTLS_SHA256_SMALLER - * - * Enable an implementation of SHA-256 that has lower ROM footprint but also - * lower performance. - * - * The default implementation is meant to be a reasonnable compromise between - * performance and size. This version optimizes more aggressively for size at - * the expense of performance. Eg on Cortex-M4 it reduces the size of - * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about - * 30%. - * - * Uncomment to enable the smaller implementation of SHA256. - */ -//#define MBEDTLS_SHA256_SMALLER - -/** - * \def MBEDTLS_SSL_AEAD_RANDOM_IV - * - * Generate a random IV rather than using the record sequence number as a - * nonce for ciphersuites using and AEAD algorithm (GCM or CCM). - * - * Using the sequence number is generally recommended. - * - * Uncomment this macro to always use random IVs with AEAD ciphersuites. - */ -//#define MBEDTLS_SSL_AEAD_RANDOM_IV - -/** - * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES - * - * Enable sending of alert messages in case of encountered errors as per RFC. - * If you choose not to send the alert messages, mbed TLS can still communicate - * with other servers, only debugging of failures is harder. - * - * The advantage of not sending alert messages, is that no information is given - * about reasons for failures thus preventing adversaries of gaining intel. - * - * Enable sending of all alert messages - */ -#define MBEDTLS_SSL_ALL_ALERT_MESSAGES - -/** - * \def MBEDTLS_SSL_DEBUG_ALL - * - * Enable the debug messages in SSL module for all issues. - * Debug messages have been disabled in some places to prevent timing - * attacks due to (unbalanced) debugging function calls. - * - * If you need all error reporting you should enable this during debugging, - * but remove this for production servers that should log as well. - * - * Uncomment this macro to report all debug messages on errors introducing - * a timing side-channel. - * - */ -//#define MBEDTLS_SSL_DEBUG_ALL - -/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC - * - * Enable support for Encrypt-then-MAC, RFC 7366. - * - * This allows peers that both support it to use a more robust protection for - * ciphersuites using CBC, providing deep resistance against timing attacks - * on the padding or underlying cipher. - * - * This only affects CBC ciphersuites, and is useless if none is defined. - * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 - * - * Comment this macro to disable support for Encrypt-then-MAC - */ -//#define MBEDTLS_SSL_ENCRYPT_THEN_MAC - -/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET - * - * Enable support for Extended Master Secret, aka Session Hash - * (draft-ietf-tls-session-hash-02). - * - * This was introduced as "the proper fix" to the Triple Handshake familiy of - * attacks, but it is recommended to always use it (even if you disable - * renegotiation), since it actually fixes a more fundamental issue in the - * original SSL/TLS design, and has implications beyond Triple Handshake. - * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 - * - * Comment this macro to disable support for Extended Master Secret. - */ -//#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET - -/** - * \def MBEDTLS_SSL_FALLBACK_SCSV - * - * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). - * - * For servers, it is recommended to always enable this, unless you support - * only one version of TLS, or know for sure that none of your clients - * implements a fallback strategy. - * - * For clients, you only need this if you're using a fallback strategy, which - * is not recommended in the first place, unless you absolutely need it to - * interoperate with buggy (version-intolerant) servers. - * - * Comment this macro to disable support for FALLBACK_SCSV - */ -//#define MBEDTLS_SSL_FALLBACK_SCSV - -/** - * \def MBEDTLS_SSL_HW_RECORD_ACCEL - * - * Enable hooking functions in SSL module for hardware acceleration of - * individual records. - * - * Uncomment this macro to enable hooking functions. - */ -//#define MBEDTLS_SSL_HW_RECORD_ACCEL - -/** - * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING - * - * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. - * - * This is a countermeasure to the BEAST attack, which also minimizes the risk - * of interoperability issues compared to sending 0-length records. - * - * Comment this macro to disable 1/n-1 record splitting. - */ -//#define MBEDTLS_SSL_CBC_RECORD_SPLITTING - -/** - * \def MBEDTLS_SSL_RENEGOTIATION - * - * Disable support for TLS renegotiation. - * - * The two main uses of renegotiation are (1) refresh keys on long-lived - * connections and (2) client authentication after the initial handshake. - * If you don't need renegotiation, it's probably better to disable it, since - * it has been associated with security issues in the past and is easy to - * misuse/misunderstand. - * - * Comment this to disable support for renegotiation. - */ -//#define MBEDTLS_SSL_RENEGOTIATION - -/** - * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO - * - * Enable support for receiving and parsing SSLv2 Client Hello messages for the - * SSL Server module (MBEDTLS_SSL_SRV_C). - * - * Uncomment this macro to enable support for SSLv2 Client Hello messages. - */ -//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO - -/** - * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE - * - * Pick the ciphersuite according to the client's preferences rather than ours - * in the SSL Server module (MBEDTLS_SSL_SRV_C). - * - * Uncomment this macro to respect client's ciphersuite order - */ -//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE - -/** - * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - * - * Enable support for RFC 6066 max_fragment_length extension in SSL. - * - * Comment this macro to disable support for the max_fragment_length extension - */ -#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - -/** - * \def MBEDTLS_SSL_PROTO_SSL3 - * - * Enable support for SSL 3.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for SSL 3.0 - */ -//#define MBEDTLS_SSL_PROTO_SSL3 - -/** - * \def MBEDTLS_SSL_PROTO_TLS1 - * - * Enable support for TLS 1.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.0 - */ -//#define MBEDTLS_SSL_PROTO_TLS1 - -/** - * \def MBEDTLS_SSL_PROTO_TLS1_1 - * - * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 - */ -//#define MBEDTLS_SSL_PROTO_TLS1_1 - -/** - * \def MBEDTLS_SSL_PROTO_TLS1_2 - * - * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). - * - * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C - * (Depends on ciphersuites) - * - * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 - */ -#define MBEDTLS_SSL_PROTO_TLS1_2 - -/** - * \def MBEDTLS_SSL_PROTO_DTLS - * - * Enable support for DTLS (all available versions). - * - * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, - * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. - * - * Requires: MBEDTLS_SSL_PROTO_TLS1_1 - * or MBEDTLS_SSL_PROTO_TLS1_2 - * - * Comment this macro to disable support for DTLS - */ -#define MBEDTLS_SSL_PROTO_DTLS - -/** - * \def MBEDTLS_SSL_ALPN - * - * Enable support for RFC 7301 Application Layer Protocol Negotiation. - * - * Comment this macro to disable support for ALPN. - */ -//#define MBEDTLS_SSL_ALPN - -/** - * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY - * - * Enable support for the anti-replay mechanism in DTLS. - * - * Requires: MBEDTLS_SSL_TLS_C - * MBEDTLS_SSL_PROTO_DTLS - * - * \warning Disabling this is often a security risk! - * See mbedtls_ssl_conf_dtls_anti_replay() for details. - * - * Comment this to disable anti-replay in DTLS. - */ -#define MBEDTLS_SSL_DTLS_ANTI_REPLAY - -/** - * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY - * - * Enable support for HelloVerifyRequest on DTLS servers. - * - * This feature is highly recommended to prevent DTLS servers being used as - * amplifiers in DoS attacks against other hosts. It should always be enabled - * unless you know for sure amplification cannot be a problem in the - * environment in which your server operates. - * - * \warning Disabling this can ba a security risk! (see above) - * - * Requires: MBEDTLS_SSL_PROTO_DTLS - * - * Comment this to disable support for HelloVerifyRequest. - */ -#define MBEDTLS_SSL_DTLS_HELLO_VERIFY - -/** - * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT - * - * Enable support for a limit of records with bad MAC. - * - * See mbedtls_ssl_conf_dtls_badmac_limit(). - * - * Requires: MBEDTLS_SSL_PROTO_DTLS - */ -#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT - -/** - * \def MBEDTLS_SSL_SESSION_TICKETS - * - * Enable support for RFC 5077 session tickets in SSL. - * Client-side, provides full support for session tickets (maintainance of a - * session store remains the responsibility of the application, though). - * Server-side, you also need to provide callbacks for writing and parsing - * tickets, including authenticated encryption and key management. Example - * callbacks are provided by MBEDTLS_SSL_TICKET_C. - * - * Comment this macro to disable support for SSL session tickets - */ -//#define MBEDTLS_SSL_SESSION_TICKETS - -/** - * \def MBEDTLS_SSL_EXPORT_KEYS - * - * Enable support for exporting key block and master key. - * This is required for certain users of TLS, e.g. EAP-TLS. - * - * Comment this macro to disable support for key export - */ -#define MBEDTLS_SSL_EXPORT_KEYS - -/** - * \def MBEDTLS_SSL_SERVER_NAME_INDICATION - * - * Enable support for RFC 6066 server name indication (SNI) in SSL. - * - * Requires: MBEDTLS_X509_CRT_PARSE_C - * - * Comment this macro to disable support for server name indication in SSL - */ -//#define MBEDTLS_SSL_SERVER_NAME_INDICATION - -/** - * \def MBEDTLS_SSL_TRUNCATED_HMAC - * - * Enable support for RFC 6066 truncated HMAC in SSL. - * - * Comment this macro to disable support for truncated HMAC in SSL - */ -//#define MBEDTLS_SSL_TRUNCATED_HMAC - -/** - * \def MBEDTLS_THREADING_ALT - * - * Provide your own alternate threading implementation. - * - * Requires: MBEDTLS_THREADING_C - * - * Uncomment this to allow your own alternate threading implementation. - */ -//#define MBEDTLS_THREADING_ALT - -/** - * \def MBEDTLS_THREADING_PTHREAD - * - * Enable the pthread wrapper layer for the threading layer. - * - * Requires: MBEDTLS_THREADING_C - * - * Uncomment this to enable pthread mutexes. - */ -//#define MBEDTLS_THREADING_PTHREAD - -/** - * \def MBEDTLS_VERSION_FEATURES - * - * Allow run-time checking of compile-time enabled features. Thus allowing users - * to check at run-time if the library is for instance compiled with threading - * support via mbedtls_version_check_feature(). - * - * Requires: MBEDTLS_VERSION_C - * - * Comment this to disable run-time checking and save ROM space - */ -//#define MBEDTLS_VERSION_FEATURES - -/** - * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 - * - * If set, the X509 parser will not break-off when parsing an X509 certificate - * and encountering an extension in a v1 or v2 certificate. - * - * Uncomment to prevent an error. - */ -//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 - -/** - * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - * - * If set, the X509 parser will not break-off when parsing an X509 certificate - * and encountering an unknown critical extension. - * - * Uncomment to prevent an error. - */ -//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - -/** - * \def MBEDTLS_X509_CHECK_KEY_USAGE - * - * Enable verification of the keyUsage extension (CA and leaf certificates). - * - * Disabling this avoids problems with mis-issued and/or misused - * (intermediate) CA and leaf certificates. - * - * \warning Depending on your PKI use, disabling this can be a security risk! - * - * Comment to skip keyUsage checking for both CA and leaf certificates. - */ -//#define MBEDTLS_X509_CHECK_KEY_USAGE - -/** - * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - * - * Enable verification of the extendedKeyUsage extension (leaf certificates). - * - * Disabling this avoids problems with mis-issued and/or misused certificates. - * - * \warning Depending on your PKI use, disabling this can be a security risk! - * - * Comment to skip extendedKeyUsage checking for certificates. - */ -//#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - -/** - * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT - * - * Enable parsing and verification of X.509 certificates, CRLs and CSRS - * signed with RSASSA-PSS (aka PKCS#1 v2.1). - * - * Comment this macro to disallow using RSASSA-PSS in certificates. - */ -//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT - -/** - * \def MBEDTLS_ZLIB_SUPPORT - * - * If set, the SSL/TLS module uses ZLIB to support compression and - * decompression of packet data. - * - * \warning TLS-level compression MAY REDUCE SECURITY! See for example the - * CRIME attack. Before enabling this option, you should examine with care if - * CRIME or similar exploits may be a applicable to your use case. - * - * \note Currently compression can't be used with DTLS. - * - * Used in: library/ssl_tls.c - * library/ssl_cli.c - * library/ssl_srv.c - * - * This feature requires zlib library and headers to be present. - * - * Uncomment to enable use of ZLIB - */ -//#define MBEDTLS_ZLIB_SUPPORT -/* \} name SECTION: mbed TLS feature support */ - -/** - * \name SECTION: mbed TLS modules - * - * This section enables or disables entire modules in mbed TLS - * \{ - */ - -/** - * \def MBEDTLS_AESNI_C - * - * Enable AES-NI support on x86-64. - * - * Module: library/aesni.c - * Caller: library/aes.c - * - * Requires: MBEDTLS_HAVE_ASM - * - * This modules adds support for the AES-NI instructions on x86-64 - */ -//#define MBEDTLS_AESNI_C - -/** - * \def MBEDTLS_AES_C - * - * Enable the AES block cipher. - * - * Module: library/aes.c - * Caller: library/ssl_tls.c - * library/pem.c - * library/ctr_drbg.c - * - * This module enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA - * - * PEM_PARSE uses AES for decrypting encrypted keys. - */ -#define MBEDTLS_AES_C - -/** - * \def MBEDTLS_ARC4_C - * - * Enable the ARCFOUR stream cipher. - * - * Module: library/arc4.c - * Caller: library/ssl_tls.c - * - * This module enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA - * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA - */ -//#define MBEDTLS_ARC4_C - -/** - * \def MBEDTLS_ASN1_PARSE_C - * - * Enable the generic ASN1 parser. - * - * Module: library/asn1.c - * Caller: library/x509.c - * library/dhm.c - * library/pkcs12.c - * library/pkcs5.c - * library/pkparse.c - */ -#define MBEDTLS_ASN1_PARSE_C - -/** - * \def MBEDTLS_ASN1_WRITE_C - * - * Enable the generic ASN1 writer. - * - * Module: library/asn1write.c - * Caller: library/ecdsa.c - * library/pkwrite.c - * library/x509_create.c - * library/x509write_crt.c - * library/mbedtls_x509write_csr.c - */ -#define MBEDTLS_ASN1_WRITE_C - -/** - * \def MBEDTLS_BASE64_C - * - * Enable the Base64 module. - * - * Module: library/base64.c - * Caller: library/pem.c - * - * This module is required for PEM support (required by X.509). - */ -//#define MBEDTLS_BASE64_C - -/** - * \def MBEDTLS_BIGNUM_C - * - * Enable the multi-precision integer library. - * - * Module: library/bignum.c - * Caller: library/dhm.c - * library/ecp.c - * library/ecdsa.c - * library/rsa.c - * library/ssl_tls.c - * - * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. - */ -#define MBEDTLS_BIGNUM_C - -/** - * \def MBEDTLS_BLOWFISH_C - * - * Enable the Blowfish block cipher. - * - * Module: library/blowfish.c - */ -//#define MBEDTLS_BLOWFISH_C - -/** - * \def MBEDTLS_CAMELLIA_C - * - * Enable the Camellia block cipher. - * - * Module: library/camellia.c - * Caller: library/ssl_tls.c - * - * This module enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - */ -//#define MBEDTLS_CAMELLIA_C - -/** - * \def MBEDTLS_CCM_C - * - * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. - * - * Module: library/ccm.c - * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C - * - * This module enables the AES-CCM ciphersuites, if other requisites are - * enabled as well. - */ -#define MBEDTLS_CCM_C - -/** - * \def MBEDTLS_CERTS_C - * - * Enable the test certificates. - * - * Module: library/certs.c - * Caller: - * - * This module is used for testing (ssl_client/server). - */ -//#define MBEDTLS_CERTS_C - -/** - * \def MBEDTLS_CIPHER_C - * - * Enable the generic cipher layer. - * - * Module: library/cipher.c - * Caller: library/ssl_tls.c - * - * Uncomment to enable generic cipher wrappers. - */ -#define MBEDTLS_CIPHER_C - -/** - * \def MBEDTLS_CTR_DRBG_C - * - * Enable the CTR_DRBG AES-256-based random generator. - * - * Module: library/ctr_drbg.c - * Caller: - * - * Requires: MBEDTLS_AES_C - * - * This module provides the CTR_DRBG AES-256 random number generator. - */ -//#define MBEDTLS_CTR_DRBG_C - -/** - * \def MBEDTLS_DEBUG_C - * - * Enable the debug functions. - * - * Module: library/debug.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * - * This module provides debugging functions. - */ -#define MBEDTLS_DEBUG_C - -/** - * \def MBEDTLS_DES_C - * - * Enable the DES block cipher. - * - * Module: library/des.c - * Caller: library/pem.c - * library/ssl_tls.c - * - * This module enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA - * - * PEM_PARSE uses DES/3DES for decrypting encrypted keys. - */ -//#define MBEDTLS_DES_C - -/** - * \def MBEDTLS_DHM_C - * - * Enable the Diffie-Hellman-Merkle module. - * - * Module: library/dhm.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * - * This module is used by the following key exchanges: - * DHE-RSA, DHE-PSK - */ -//#define MBEDTLS_DHM_C - -/** - * \def MBEDTLS_ECDH_C - * - * Enable the elliptic curve Diffie-Hellman library. - * - * Module: library/ecdh.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * - * This module is used by the following key exchanges: - * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK - * - * Requires: MBEDTLS_ECP_C - */ -//#define MBEDTLS_ECDH_C - -/** - * \def MBEDTLS_ECDSA_C - * - * Enable the elliptic curve DSA library. - * - * Module: library/ecdsa.c - * Caller: - * - * This module is used by the following key exchanges: - * ECDHE-ECDSA - * - * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C - */ -//#define MBEDTLS_ECDSA_C - -/** - * \def MBEDTLS_ECJPAKE_C - * - * Enable the elliptic curve J-PAKE library. - * - * \warning This is currently experimental. EC J-PAKE support is based on the - * Thread v1.0.0 specification; incompatible changes to the specification - * might still happen. For this reason, this is disabled by default. - * - * Module: library/ecjpake.c - * Caller: - * - * This module is used by the following key exchanges: - * ECJPAKE - * - * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C - */ -#define MBEDTLS_ECJPAKE_C - -/** - * \def MBEDTLS_ECP_C - * - * Enable the elliptic curve over GF(p) library. - * - * Module: library/ecp.c - * Caller: library/ecdh.c - * library/ecdsa.c - * library/ecjpake.c - * - * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED - */ -#define MBEDTLS_ECP_C - -/** - * \def MBEDTLS_ENTROPY_C - * - * Enable the platform-specific entropy code. - * - * Module: library/entropy.c - * Caller: - * - * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C - * - * This module provides a generic entropy pool - */ -#define MBEDTLS_ENTROPY_C - -/** - * \def MBEDTLS_ERROR_C - * - * Enable error code to error string conversion. - * - * Module: library/error.c - * Caller: - * - * This module enables mbedtls_strerror(). - */ -#define MBEDTLS_ERROR_C - -/** - * \def MBEDTLS_GCM_C - * - * Enable the Galois/Counter Mode (GCM) for AES. - * - * Module: library/gcm.c - * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C - * - * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other - * requisites are enabled as well. - */ -//#define MBEDTLS_GCM_C - -/** - * \def MBEDTLS_HAVEGE_C - * - * Enable the HAVEGE random generator. - * - * Warning: the HAVEGE random generator is not suitable for virtualized - * environments - * - * Warning: the HAVEGE random generator is dependent on timing and specific - * processor traits. It is therefore not advised to use HAVEGE as - * your applications primary random generator or primary entropy pool - * input. As a secondary input to your entropy pool, it IS able add - * the (limited) extra entropy it provides. - * - * Module: library/havege.c - * Caller: - * - * Requires: MBEDTLS_TIMING_C - * - * Uncomment to enable the HAVEGE random generator. - */ -//#define MBEDTLS_HAVEGE_C - -/** - * \def MBEDTLS_HMAC_DRBG_C - * - * Enable the HMAC_DRBG random generator. - * - * Module: library/hmac_drbg.c - * Caller: - * - * Requires: MBEDTLS_MD_C - * - * Uncomment to enable the HMAC_DRBG random number geerator. - */ -#define MBEDTLS_HMAC_DRBG_C - -/** - * \def MBEDTLS_MD_C - * - * Enable the generic message digest layer. - * - * Module: library/mbedtls_md.c - * Caller: - * - * Uncomment to enable generic message digest wrappers. - */ -#define MBEDTLS_MD_C - -/** - * \def MBEDTLS_MD2_C - * - * Enable the MD2 hash algorithm. - * - * Module: library/mbedtls_md2.c - * Caller: - * - * Uncomment to enable support for (rare) MD2-signed X.509 certs. - */ -//#define MBEDTLS_MD2_C - -/** - * \def MBEDTLS_MD4_C - * - * Enable the MD4 hash algorithm. - * - * Module: library/mbedtls_md4.c - * Caller: - * - * Uncomment to enable support for (rare) MD4-signed X.509 certs. - */ -//#define MBEDTLS_MD4_C - -/** - * \def MBEDTLS_MD5_C - * - * Enable the MD5 hash algorithm. - * - * Module: library/mbedtls_md5.c - * Caller: library/mbedtls_md.c - * library/pem.c - * library/ssl_tls.c - * - * This module is required for SSL/TLS and X.509. - * PEM_PARSE uses MD5 for decrypting encrypted keys. - */ -//#define MBEDTLS_MD5_C - -/** - * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C - * - * Enable the buffer allocator implementation that makes use of a (stack) - * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() - * calls) - * - * Module: library/memory_buffer_alloc.c - * - * Requires: MBEDTLS_PLATFORM_C - * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) - * - * Enable this module to enable the buffer memory allocator. - */ -//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C - -/** - * \def MBEDTLS_NET_C - * - * Enable the TCP/IP networking routines. - * - * Module: library/net.c - * - * This module provides TCP/IP networking routines. - */ -//#define MBEDTLS_NET_C - -/** - * \def MBEDTLS_OID_C - * - * Enable the OID database. - * - * Module: library/oid.c - * Caller: library/asn1write.c - * library/pkcs5.c - * library/pkparse.c - * library/pkwrite.c - * library/rsa.c - * library/x509.c - * library/x509_create.c - * library/mbedtls_x509_crl.c - * library/mbedtls_x509_crt.c - * library/mbedtls_x509_csr.c - * library/x509write_crt.c - * library/mbedtls_x509write_csr.c - * - * This modules translates between OIDs and internal values. - */ -#define MBEDTLS_OID_C - -/** - * \def MBEDTLS_PADLOCK_C - * - * Enable VIA Padlock support on x86. - * - * Module: library/padlock.c - * Caller: library/aes.c - * - * Requires: MBEDTLS_HAVE_ASM - * - * This modules adds support for the VIA PadLock on x86. - */ -//#define MBEDTLS_PADLOCK_C - -/** - * \def MBEDTLS_PEM_PARSE_C - * - * Enable PEM decoding / parsing. - * - * Module: library/pem.c - * Caller: library/dhm.c - * library/pkparse.c - * library/mbedtls_x509_crl.c - * library/mbedtls_x509_crt.c - * library/mbedtls_x509_csr.c - * - * Requires: MBEDTLS_BASE64_C - * - * This modules adds support for decoding / parsing PEM files. - */ -//#define MBEDTLS_PEM_PARSE_C - -/** - * \def MBEDTLS_PEM_WRITE_C - * - * Enable PEM encoding / writing. - * - * Module: library/pem.c - * Caller: library/pkwrite.c - * library/x509write_crt.c - * library/mbedtls_x509write_csr.c - * - * Requires: MBEDTLS_BASE64_C - * - * This modules adds support for encoding / writing PEM files. - */ -//#define MBEDTLS_PEM_WRITE_C - -/** - * \def MBEDTLS_PK_C - * - * Enable the generic public (asymetric) key layer. - * - * Module: library/pk.c - * Caller: library/ssl_tls.c - * library/ssl_cli.c - * library/ssl_srv.c - * - * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C - * - * Uncomment to enable generic public key wrappers. - */ -#define MBEDTLS_PK_C - -/** - * \def MBEDTLS_PK_PARSE_C - * - * Enable the generic public (asymetric) key parser. - * - * Module: library/pkparse.c - * Caller: library/mbedtls_x509_crt.c - * library/mbedtls_x509_csr.c - * - * Requires: MBEDTLS_PK_C - * - * Uncomment to enable generic public key parse functions. - */ -#define MBEDTLS_PK_PARSE_C - -/** - * \def MBEDTLS_PK_WRITE_C - * - * Enable the generic public (asymetric) key writer. - * - * Module: library/pkwrite.c - * Caller: library/x509write.c - * - * Requires: MBEDTLS_PK_C - * - * Uncomment to enable generic public key write functions. - */ -#define MBEDTLS_PK_WRITE_C - -/** - * \def MBEDTLS_PKCS5_C - * - * Enable PKCS#5 functions. - * - * Module: library/pkcs5.c - * - * Requires: MBEDTLS_MD_C - * - * This module adds support for the PKCS#5 functions. - */ -//#define MBEDTLS_PKCS5_C - -/** - * \def MBEDTLS_PKCS11_C - * - * Enable wrapper for PKCS#11 smartcard support. - * - * Module: library/pkcs11.c - * Caller: library/pk.c - * - * Requires: MBEDTLS_PK_C - * - * This module enables SSL/TLS PKCS #11 smartcard support. - * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) - */ -//#define MBEDTLS_PKCS11_C - -/** - * \def MBEDTLS_PKCS12_C - * - * Enable PKCS#12 PBE functions. - * Adds algorithms for parsing PKCS#8 encrypted private keys - * - * Module: library/pkcs12.c - * Caller: library/pkparse.c - * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C - * Can use: MBEDTLS_ARC4_C - * - * This module enables PKCS#12 functions. - */ -//#define MBEDTLS_PKCS12_C - -/** - * \def MBEDTLS_PLATFORM_C - * - * Enable the platform abstraction layer that allows you to re-assign - * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). - * - * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT - * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned - * above to be specified at runtime or compile time respectively. - * - * \note This abstraction layer must be enabled on Windows (including MSYS2) - * as other module rely on it for a fixed snprintf implementation. - * - * Module: library/platform.c - * Caller: Most other .c files - * - * This module enables abstraction of common (libc) functions. - */ -#define MBEDTLS_PLATFORM_C - -/** - * \def MBEDTLS_RIPEMD160_C - * - * Enable the RIPEMD-160 hash algorithm. - * - * Module: library/mbedtls_ripemd160.c - * Caller: library/mbedtls_md.c - * - */ -//#define MBEDTLS_RIPEMD160_C - -/** - * \def MBEDTLS_RSA_C - * - * Enable the RSA public-key cryptosystem. - * - * Module: library/rsa.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * library/x509.c - * - * This module is used by the following key exchanges: - * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK - * - * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C - */ -//#define MBEDTLS_RSA_C - -/** - * \def MBEDTLS_SHA1_C - * - * Enable the SHA1 cryptographic hash algorithm. - * - * Module: library/mbedtls_sha1.c - * Caller: library/mbedtls_md.c - * library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * library/x509write_crt.c - * - * This module is required for SSL/TLS and SHA1-signed certificates. - */ -//#define MBEDTLS_SHA1_C - -/** - * \def MBEDTLS_SHA256_C - * - * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. - * - * Module: library/mbedtls_sha256.c - * Caller: library/entropy.c - * library/mbedtls_md.c - * library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * - * This module adds support for SHA-224 and SHA-256. - * This module is required for the SSL/TLS 1.2 PRF function. - */ -#define MBEDTLS_SHA256_C - -/** - * \def MBEDTLS_SHA512_C - * - * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. - * - * Module: library/mbedtls_sha512.c - * Caller: library/entropy.c - * library/mbedtls_md.c - * library/ssl_cli.c - * library/ssl_srv.c - * - * This module adds support for SHA-384 and SHA-512. - */ -//#define MBEDTLS_SHA512_C - -/** - * \def MBEDTLS_SSL_CACHE_C - * - * Enable simple SSL cache implementation. - * - * Module: library/ssl_cache.c - * Caller: - * - * Requires: MBEDTLS_SSL_CACHE_C - */ -//#define MBEDTLS_SSL_CACHE_C - -/** - * \def MBEDTLS_SSL_COOKIE_C - * - * Enable basic implementation of DTLS cookies for hello verification. - * - * Module: library/ssl_cookie.c - * Caller: - */ -#define MBEDTLS_SSL_COOKIE_C - -/** - * \def MBEDTLS_SSL_TICKET_C - * - * Enable an implementation of TLS server-side callbacks for session tickets. - * - * Module: library/ssl_ticket.c - * Caller: - * - * Requires: MBEDTLS_CIPHER_C - */ -//#define MBEDTLS_SSL_TICKET_C - -/** - * \def MBEDTLS_SSL_CLI_C - * - * Enable the SSL/TLS client code. - * - * Module: library/ssl_cli.c - * Caller: - * - * Requires: MBEDTLS_SSL_TLS_C - * - * This module is required for SSL/TLS client support. - */ -#define MBEDTLS_SSL_CLI_C - -/** - * \def MBEDTLS_SSL_SRV_C - * - * Enable the SSL/TLS server code. - * - * Module: library/ssl_srv.c - * Caller: - * - * Requires: MBEDTLS_SSL_TLS_C - * - * This module is required for SSL/TLS server support. - */ -#define MBEDTLS_SSL_SRV_C - -/** - * \def MBEDTLS_SSL_TLS_C - * - * Enable the generic SSL/TLS code. - * - * Module: library/ssl_tls.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C - * and at least one of the MBEDTLS_SSL_PROTO_XXX defines - * - * This module is required for SSL/TLS. - */ -#define MBEDTLS_SSL_TLS_C - -/** - * \def MBEDTLS_THREADING_C - * - * Enable the threading abstraction layer. - * By default mbed TLS assumes it is used in a non-threaded environment or that - * contexts are not shared between threads. If you do intend to use contexts - * between threads, you will need to enable this layer to prevent race - * conditions. - * - * Module: library/threading.c - * - * This allows different threading implementations (self-implemented or - * provided). - * - * You will have to enable either MBEDTLS_THREADING_ALT or - * MBEDTLS_THREADING_PTHREAD. - * - * Enable this layer to allow use of mutexes within mbed TLS - */ -//#define MBEDTLS_THREADING_C - -/** - * \def MBEDTLS_TIMING_C - * - * Enable the portable timing interface. - * - * Module: library/timing.c - * Caller: library/havege.c - * - * This module is used by the HAVEGE random number generator. - */ -//#define MBEDTLS_TIMING_C - -/** - * \def MBEDTLS_VERSION_C - * - * Enable run-time version information. - * - * Module: library/version.c - * - * This module provides run-time version information. - */ -#define MBEDTLS_VERSION_C - -/** - * \def MBEDTLS_X509_USE_C - * - * Enable X.509 core for using certificates. - * - * Module: library/x509.c - * Caller: library/mbedtls_x509_crl.c - * library/mbedtls_x509_crt.c - * library/mbedtls_x509_csr.c - * - * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, - * MBEDTLS_PK_PARSE_C - * - * This module is required for the X.509 parsing modules. - */ -//#define MBEDTLS_X509_USE_C - -/** - * \def MBEDTLS_X509_CRT_PARSE_C - * - * Enable X.509 certificate parsing. - * - * Module: library/mbedtls_x509_crt.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * - * Requires: MBEDTLS_X509_USE_C - * - * This module is required for X.509 certificate parsing. - */ -//#define MBEDTLS_X509_CRT_PARSE_C - -/** - * \def MBEDTLS_X509_CRL_PARSE_C - * - * Enable X.509 CRL parsing. - * - * Module: library/mbedtls_x509_crl.c - * Caller: library/mbedtls_x509_crt.c - * - * Requires: MBEDTLS_X509_USE_C - * - * This module is required for X.509 CRL parsing. - */ -//#define MBEDTLS_X509_CRL_PARSE_C - -/** - * \def MBEDTLS_X509_CSR_PARSE_C - * - * Enable X.509 Certificate Signing Request (CSR) parsing. - * - * Module: library/mbedtls_x509_csr.c - * Caller: library/x509_crt_write.c - * - * Requires: MBEDTLS_X509_USE_C - * - * This module is used for reading X.509 certificate request. - */ -//#define MBEDTLS_X509_CSR_PARSE_C - -/** - * \def MBEDTLS_X509_CREATE_C - * - * Enable X.509 core for creating certificates. - * - * Module: library/x509_create.c - * - * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C - * - * This module is the basis for creating X.509 certificates and CSRs. - */ -//#define MBEDTLS_X509_CREATE_C - -/** - * \def MBEDTLS_X509_CRT_WRITE_C - * - * Enable creating X.509 certificates. - * - * Module: library/x509_crt_write.c - * - * Requires: MBEDTLS_X509_CREATE_C - * - * This module is required for X.509 certificate creation. - */ -//#define MBEDTLS_X509_CRT_WRITE_C - -/** - * \def MBEDTLS_X509_CSR_WRITE_C - * - * Enable creating X.509 Certificate Signing Requests (CSR). - * - * Module: library/x509_csr_write.c - * - * Requires: MBEDTLS_X509_CREATE_C - * - * This module is required for X.509 certificate request writing. - */ -//#define MBEDTLS_X509_CSR_WRITE_C - -/** - * \def MBEDTLS_XTEA_C - * - * Enable the XTEA block cipher. - * - * Module: library/xtea.c - * Caller: - */ -//#define MBEDTLS_XTEA_C - -/* \} name SECTION: mbed TLS modules */ - -/** - * \name SECTION: Module configuration options - * - * This section allows for the setting of module specific sizes and - * configuration options. The default values are already present in the - * relevant header files and should suffice for the regular use cases. - * - * Our advice is to enable options and change their values here - * only if you have a good reason and know the consequences. - * - * Please check the respective header file for documentation on these - * parameters (to prevent duplicate documentation). - * \{ - */ - -/* MPI / BIGNUM options */ -//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ -//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ - -/* CTR_DRBG options */ -//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ -//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ -//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ -//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ -//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ - -/* HMAC_DRBG options */ -//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ -//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ -//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ -//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ - -/* ECP options */ -//#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ -//#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ -//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ - -/* Entropy options */ -//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ -//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ - -/* Memory buffer allocator options */ -//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ - -/* Platform options */ -//#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ -//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ -//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ -//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ -//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ -/* Note: your snprintf must correclty zero-terminate the buffer! */ -//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ - -/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ -/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ -//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ -/* Note: your snprintf must correclty zero-terminate the buffer! */ -//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ - -/* SSL Cache options */ -//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ -//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ - -/* SSL options */ -//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ -//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ -//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ -//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ - -/** - * Complete list of ciphersuites to use, in order of preference. - * - * \warning No dependency checking is done on that field! This option can only - * be used to restrict the set of available ciphersuites. It is your - * responsibility to make sure the needed modules are active. - * - * Use this to save a few hundred bytes of ROM (default ordering of all - * available ciphersuites) and a few to a few hundred bytes of RAM. - * - * The value below is only an example, not the default. - */ -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - -/* X509 options */ -//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ - -/* \} name SECTION: Module configuration options */ - -#if defined(TARGET_LIKE_MBED) -#include "mbedtls/target_config.h" -#endif - -/* - * Allow user to override any previous default. - * - * Use two macro names for that, as: - * - with yotta the prefix YOTTA_CFG_ is forced - * - without yotta is looks weird to have a YOTTA prefix. - */ -#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) -#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE -#elif defined(MBEDTLS_USER_CONFIG_FILE) -#include MBEDTLS_USER_CONFIG_FILE -#endif - -#include "check_config.h" - -#endif /* MBEDTLS_CONFIG_H */ diff --git a/configs/config-thread.h b/configs/config-thread.h new file mode 100644 index 000000000..9196d8f37 --- /dev/null +++ b/configs/config-thread.h @@ -0,0 +1,80 @@ +/* + * Minimal configuration for using TLS as part of Thread + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/* + * Minimal configuration for using TLS a part of Thread + * http://threadgroup.org/ + * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - no X.509 + * - support for experimental EC J-PAKE key exchange + * + * See README.txt for usage instructions. + */ + +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H + +/* System support */ +#define MBEDTLS_HAVE_ASM + +/* mbed TLS feature support */ +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#define MBEDTLS_SSL_EXPORT_KEYS + +/* mbed TLS modules */ +#define MBEDTLS_AES_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_MD_C +#define MBEDTLS_OID_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_VERSION_C + +#if defined(TARGET_LIKE_MBED) +#include "mbedtls/target_config.h" +#endif + +#include "check_config.h" + +#endif /* MBEDTLS_CONFIG_H */ From 5674a9797aa4cceb580aa1943f17c32c8a7a05a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Oct 2015 15:14:03 +0200 Subject: [PATCH 74/87] Fix compilers warnings in reduced configs --- library/ssl_cli.c | 7 ++++--- library/ssl_srv.c | 7 ++++--- library/ssl_tls.c | 5 +++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 42174dbf4..5890227b1 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -318,9 +318,10 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); - if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, - p + 2, end - p - 2, &kkpp_len, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, + p + 2, end - p - 2, &kkpp_len, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index a0a4aa4b6..716cb20fa 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2092,9 +2092,10 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); - if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, - p + 2, end - p - 2, &kkpp_len, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, + p + 2, end - p - 2, &kkpp_len, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bc8215889..212cde93f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7004,7 +7004,8 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); } -#if defined(MBEDTLS_PK_C) +#if defined(MBEDTLS_PK_C) && \ + ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) /* * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX */ @@ -7037,7 +7038,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) return( MBEDTLS_PK_NONE ); } } -#endif /* MBEDTLS_PK_C */ +#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ /* * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX From b6fe70b9282501daee109ff3dfb5214f81788c87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 19 Oct 2015 15:56:43 +0200 Subject: [PATCH 75/87] Tune up the Thread mini config --- configs/config-thread.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/configs/config-thread.h b/configs/config-thread.h index 9196d8f37..9ba8b84dd 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -38,6 +38,7 @@ #define MBEDTLS_HAVE_ASM /* mbed TLS feature support */ +#define MBEDTLS_AES_ROM_TABLES #define MBEDTLS_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_ECP_NIST_OPTIM #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED @@ -69,7 +70,13 @@ #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C -#define MBEDTLS_VERSION_C + +/* Save RAM by adjusting to our exact needs */ +#define MBEDTLS_ECP_MAX_BITS 256 +#define MBEDTLS_ENTROPY_MAX_SOURCES 2 + +/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ +#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 #if defined(TARGET_LIKE_MBED) #include "mbedtls/target_config.h" From eb47b870b16260da95f459c1db2839bbd316b24f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 14:07:03 +0200 Subject: [PATCH 76/87] Rework test-ref-configs.pl to also use ssl-opt.sh --- tests/scripts/test-ref-configs.pl | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index d1cc924bf..ebc032b11 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -11,14 +11,17 @@ use warnings; use strict; my %configs = ( - 'config-mini-tls1_1.h' - => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', - 'config-suite-b.h' - => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", - 'config-picocoin.h' - => 0, - 'config-ccm-psk-tls1_2.h' - => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'config-mini-tls1_1.h' => { + 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', + }, + 'config-suite-b.h' => { + 'compat' => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", + }, + 'config-picocoin.h' => { + }, + 'config-ccm-psk-tls1_2.h' => { + 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + }, ); # If no config-name is provided, use all known configs. @@ -46,7 +49,7 @@ sub abort { die $_[0]; } -while( my ($conf, $args) = each %configs ) { +while( my ($conf, $data) = each %configs ) { system( "cp $config_h.bak $config_h" ) and die; system( "make clean" ) and die; @@ -60,10 +63,11 @@ while( my ($conf, $args) = each %configs ) { system( "make" ) and abort "Failed to build: $conf\n"; system( "make test" ) and abort "Failed test suite: $conf\n"; - if( $args ) + my $compat = $data->{'compat'}; + if( $compat ) { - print "\nrunning compat.sh $args\n"; - system( "tests/compat.sh $args" ) + print "\nrunning compat.sh $compat\n"; + system( "tests/compat.sh $compat" ) and abort "Failed compat.sh: $conf\n"; } else From ca700b23711025dd65d396f81eeecd910c56c4ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 14:47:00 +0200 Subject: [PATCH 77/87] Add config-thread.h to test-ref-configs.pl --- configs/config-thread.h | 4 ++++ tests/scripts/test-ref-configs.pl | 15 +++++++++++++++ tests/ssl-opt.sh | 7 +++++++ 3 files changed, 26 insertions(+) diff --git a/configs/config-thread.h b/configs/config-thread.h index 9ba8b84dd..3feef1379 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -71,6 +71,10 @@ #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C +/* For tests using ssl-opt.sh */ +#define MBEDTLS_NET_C +#define MBEDTLS_TIMING_C + /* Save RAM by adjusting to our exact needs */ #define MBEDTLS_ECP_MAX_BITS 256 #define MBEDTLS_ENTROPY_MAX_SOURCES 2 diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index ebc032b11..b27d64c4b 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -22,6 +22,9 @@ my %configs = ( 'config-ccm-psk-tls1_2.h' => { 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', }, + 'config-thread.h' => { + 'opt' => '-f ECJPAKE.*nolog', + }, ); # If no config-name is provided, use all known configs. @@ -74,6 +77,18 @@ while( my ($conf, $data) = each %configs ) { { print "\nskipping compat.sh\n"; } + + my $opt = $data->{'opt'}; + if( $opt ) + { + print "\nrunning ssl-opt.sh $opt\n"; + system( "tests/ssl-opt.sh $opt" ) + and abort "Failed ssl-opt.sh: $conf\n"; + } + else + { + print "\nskipping ssl-opt.sh\n"; + } } system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 198288d13..ff2ca366f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2576,6 +2576,13 @@ run_test "ECJPAKE: password mismatch, DTLS" \ -c "re-using cached ecjpake parameters" \ -s "SSL - Verification of the message MAC failed" +# for tests with configs/config-thread.h +run_test "ECJPAKE: working, DTLS, nolog" \ + "$P_SRV dtls=1 ecjpake_pw=bla" \ + "$P_CLI dtls=1 ecjpake_pw=bla \ + force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ + 0 + # Tests for ciphersuites per version run_test "Per-version suites: SSL3" \ From 3e5b5f192ebc329b2e0450127a483b672c650f63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 14:55:13 +0200 Subject: [PATCH 78/87] Tune up config-thread.h a bit more --- configs/config-thread.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/configs/config-thread.h b/configs/config-thread.h index 3feef1379..453b17f0a 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -75,9 +75,12 @@ #define MBEDTLS_NET_C #define MBEDTLS_TIMING_C +/* Save RAM at the expense of ROM */ +#define MBEDTLS_AES_ROM_TABLES + /* Save RAM by adjusting to our exact needs */ #define MBEDTLS_ECP_MAX_BITS 256 -#define MBEDTLS_ENTROPY_MAX_SOURCES 2 +#define MBEDTLS_MPI_MAX_SIZE 32 // 256 bits is 32 bytes /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 @@ -86,6 +89,6 @@ #include "mbedtls/target_config.h" #endif -#include "check_config.h" +#include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ From cf828934111de1790a43a097aaed10317c534ed2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 14:57:00 +0200 Subject: [PATCH 79/87] Disable EC J-PAKE by default (experimental) --- include/mbedtls/config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 9c96a0511..a7a27a281 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -711,7 +711,7 @@ * enabled as well): * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 */ -#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED /** * \def MBEDTLS_PK_PARSE_EC_EXTENDED @@ -1716,7 +1716,7 @@ * * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C */ -#define MBEDTLS_ECJPAKE_C +//#define MBEDTLS_ECJPAKE_C /** * \def MBEDTLS_ECP_C From 1ef96c22313e06e2a143d98dc78122438506c977 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 15:04:57 +0200 Subject: [PATCH 80/87] Update ChangeLog for the EC J-PAKE branch --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index aa96b1848..b8a24fc20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.2.0 released 2015-10-xx + +Features + * Experimental support for EC J-PAKE as defined in Thread 1.0.0. + Disabled by default as the specification might still change. + * Added a key extraction callback to accees the master secret and key + block. (Potential uses include EAP-TLS and Thread.) + = mbed TLS 2.1.2 released 2015-10-06 Security From 12ca6f5b9cf479abb0d6ae8d41f070950020acab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 15:24:51 +0200 Subject: [PATCH 81/87] Update ssl-opt.sh for EC J-PAKE disabled by default --- tests/ssl-opt.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 04f4a887a..c0b6f94d6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2501,6 +2501,7 @@ run_test "PSK callback: wrong key" \ # Tests for EC J-PAKE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: client not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -2514,6 +2515,7 @@ run_test "ECJPAKE: client not configured" \ -C "found ecjpake_kkpp extension" \ -S "None of the common ciphersuites is usable" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: server not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ @@ -2528,6 +2530,7 @@ run_test "ECJPAKE: server not configured" \ -C "found ecjpake_kkpp extension" \ -s "None of the common ciphersuites is usable" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ @@ -2544,6 +2547,7 @@ run_test "ECJPAKE: working, TLS" \ -S "None of the common ciphersuites is usable" \ -S "SSL - Verification of the message MAC failed" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: password mismatch, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bad \ @@ -2552,6 +2556,7 @@ run_test "ECJPAKE: password mismatch, TLS" \ -C "re-using cached ecjpake parameters" \ -s "SSL - Verification of the message MAC failed" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: working, DTLS" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \ @@ -2560,6 +2565,7 @@ run_test "ECJPAKE: working, DTLS" \ -c "re-using cached ecjpake parameters" \ -S "SSL - Verification of the message MAC failed" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: working, DTLS, no cookie" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \ "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \ @@ -2568,6 +2574,7 @@ run_test "ECJPAKE: working, DTLS, no cookie" \ -C "re-using cached ecjpake parameters" \ -S "SSL - Verification of the message MAC failed" +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: password mismatch, DTLS" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \ @@ -2577,6 +2584,7 @@ run_test "ECJPAKE: password mismatch, DTLS" \ -s "SSL - Verification of the message MAC failed" # for tests with configs/config-thread.h +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE run_test "ECJPAKE: working, DTLS, nolog" \ "$P_SRV dtls=1 ecjpake_pw=bla" \ "$P_CLI dtls=1 ecjpake_pw=bla \ From 4b20c0ee53854d9a8943130ede61bbdf4fdee806 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 16:16:38 +0200 Subject: [PATCH 82/87] Fix potential stack buffer overflow in ecjpake Two causes: - the buffer is too short (missing 4 bytes for encoding id_len) - the test was wrong Would only happen when MBEDTLS_ECP_MAX_BITS == the bitsize of the curve actually used (does not happen in the default config). Could not be triggered remotely. --- library/ecjpake.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/library/ecjpake.c b/library/ecjpake.c index fd54a7d2d..1fa1c2d80 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -168,9 +168,9 @@ static int ecjpake_write_len_point( unsigned char **p, /* * Size of the temporary buffer for ecjpake_hash: - * 3 EC points plus their length, plus ID (6 bytes) + * 3 EC points plus their length, plus ID and its length (4 + 6 bytes) */ -#define ECJPAKE_HASH_BUF_LEN ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 6 ) +#define ECJPAKE_HASH_BUF_LEN ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 ) /* * Compute hash for ZKP (7.4.2.2.2.1) @@ -196,7 +196,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) ); MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) ); - if( end < p || (size_t)( end - p ) < id_len ) + if( end - p < 4 ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF ); @@ -204,6 +204,9 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info, *p++ = (unsigned char)( ( id_len >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( id_len ) & 0xFF ); + if( end < p || (size_t)( end - p ) < id_len ) + return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); + memcpy( p, id, id_len ); p += id_len; From 8a7a189220e54f99375e92626de83b37ed436f39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 20 Oct 2015 16:56:12 +0200 Subject: [PATCH 83/87] Fix curves.pl for ECJPAKE disabled by default --- tests/scripts/curves.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl index 06128f78a..654bc5c3e 100755 --- a/tests/scripts/curves.pl +++ b/tests/scripts/curves.pl @@ -23,8 +23,8 @@ sub abort { for my $curve (@curves) { system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n"; - # depends on a specific curve - system( "scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED" ) and die; + # depends on a specific curve. Also, ignore error if it wasn't enabled + system( "scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED" ); system( "make clean" ) and die; print "\n******************************************\n"; From de9f953b9f3b32f94bb8ea1769bfd2e86f9b83ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 23 Oct 2015 15:50:37 +0200 Subject: [PATCH 84/87] Optimize more common cases in ecp_muladd() --- library/ecp.c | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index 4abc87c61..19bb4882e 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1683,8 +1683,39 @@ cleanup: } #endif /* ECP_SHORTWEIERSTRASS */ +/* + * R = m * P with shortcuts for m == 1 and m == -1 + * NOT constant-time - ONLY for short Weierstrass! + */ +static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp, + mbedtls_ecp_point *R, + const mbedtls_mpi *m, + const mbedtls_ecp_point *P ) +{ + int ret; + + if( mbedtls_mpi_cmp_int( m, 1 ) == 0 ) + { + MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) ); + } + else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 ) + { + MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) ); + if( mbedtls_mpi_cmp_int( &R->Y, 0 ) != 0 ) + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) ); + } + else + { + MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, m, P, NULL, NULL ) ); + } + +cleanup: + return( ret ); +} + /* * Linear combination + * NOT constant-time */ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, const mbedtls_mpi *m, const mbedtls_ecp_point *P, @@ -1698,16 +1729,8 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, mbedtls_ecp_point_init( &mP ); - /* Optimize some simple special cases */ - if( mbedtls_mpi_cmp_int( m, 1 ) == 0 ) - MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &mP, P ) ); - else - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &mP, m, P, NULL, NULL ) ); - - if( mbedtls_mpi_cmp_int( n, 1 ) == 0 ) - MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, Q ) ); - else - MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, n, Q, NULL, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, &mP, m, P ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, R, n, Q ) ); MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, &mP, R ) ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) ); From ac8673cb3f8f351f8588fdb3d2747b668e1f12b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 16 Oct 2015 13:03:04 +0200 Subject: [PATCH 85/87] Add quick script to estimate ROM footprint --- scripts/footprint.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100755 scripts/footprint.sh diff --git a/scripts/footprint.sh b/scripts/footprint.sh new file mode 100755 index 000000000..a11844ff2 --- /dev/null +++ b/scripts/footprint.sh @@ -0,0 +1,52 @@ +#!/bin/sh + +set -eu + +CONFIG_H='include/mbedtls/config.h' + +if [ -r $CONFIG_H ]; then :; else + echo "$CONFIG_H not found" >&2 + exit 1 +fi + +if grep -i cmake Makefile >/dev/null; then + echo "Not compatible with CMake" >&2 + exit 1 +fi + +doit() +{ + NAME="$1" + FILE="$2" + + echo "$NAME:" + + cp $CONFIG_H ${CONFIG_H}.bak + cp "$FILE" include/mbedtls/config.h + + { + scripts/config.pl unset MBEDTLS_NET_C || true + scripts/config.pl unset MBEDTLS_TIMING_C || true + scripts/config.pl unset MBEDTLS_FS_IO || true + } >/dev/null 2>&1 + + CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld \ + CFLAGS='-Wa,--noexecstack -Os -march=armv7-m -mthumb' \ + make clean lib >/dev/null + + OUT="size-${NAME}.txt" + arm-none-eabi-size -t library/libmbed*.a > "$OUT" + head -n1 "$OUT" + tail -n1 "$OUT" + + cp ${CONFIG_H}.bak $CONFIG_H +} + +# creates the yotta config +yotta/create-module.sh >/dev/null + +doit default include/mbedtls/config.h.bak +doit yotta yotta/module/mbedtls/config.h +doit thread configs/config-thread.h +doit ecc configs/config-suite-b.h +doit psk configs/config-ccm-psk-tls1_2.h From 231a0659096659777fa33783d026a362ac7e2831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Oct 2015 17:50:04 +0100 Subject: [PATCH 86/87] yotta Readme: edited by Irit --- yotta/data/README.md | 50 +++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/yotta/data/README.md b/yotta/data/README.md index 521a1f8e1..7ec7cef4c 100644 --- a/yotta/data/README.md +++ b/yotta/data/README.md @@ -1,49 +1,51 @@ # mbed TLS -mbed TLS (formerly known as PolarSSL) makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their embedded products, with a minimal code footprint. It offers an SSL library with an intuitive API and readable source code. +mbed TLS makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their embedded products, with a minimal code footprint. It offers an SSL library with an intuitive API and readable source code. -The Beta release of mbed TLS integrates the mbed TLS library into mbed OS, mbed SDK and yotta. This is a preview release intended for evaluation only and is **not recommended for deployment**. It currently implements no secure source of random numbers, weakening its security. +**Note:** The current release is beta, and implements no secure source of random numbers, weakening its security. Currently the only supported yotta targets are: -- `frdm-k64f-gcc` and `frdm-k64f-armcc` -- `x86-linux-native` and `x86-osx-native` +- `frdm-k64f-gcc` +- `frdm-k64f-armcc` +- `x86-linux-native` +- `x86-osx-native` ## Sample programs This release includes the following examples: -1. [**Self test:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-selftest) found in `test/example-selftest`. Tests different basic functions in the mbed TLS library. +1. [**Self test:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-selftest) Tests different basic functions in the mbed TLS library. -2. [**Benchmark:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-benchmark) found in `test/example-benchmark`. Measures the time taken to perform basic cryptographic functions used in the library. +2. [**Benchmark:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-benchmark) Measures the time taken to perform basic cryptographic functions used in the library. -3. [**Hashing:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-hashing) found in `test/example-hashing`. Demonstrates the various APIs for computes hashes of data (also known as message digests) with SHA-256. +3. [**Hashing:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-hashing) Demonstrates the various APIs for computing hashes of data (also known as message digests) with SHA-256. -4. [**Authenticated encrypted:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-authcrypt) found in `test/example-authcrypt`. Demonstrates usage of the Cipher API for encrypting and authenticating data with AES-CCM. +4. [**Authenticated encryption:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-authcrypt) Demonstrates usage of the Cipher API for encrypting and authenticating data with AES-CCM. -These examples are integrated as yotta tests, so that they are built automatically when you build mbed TLS. Each of them comes with complete usage instructions as a Readme file in its directory. +These examples are integrated as yotta tests, so that they are built automatically when you build mbed TLS. Each of them comes with complete usage instructions as a Readme file in the repository. ## Performing TLS and DTLS connections -A high-level API for performing TLS and DTLS connections with mbed TLS in mbed OS is provided in a separate yotta module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets). It is the recommended API for TLS and DTLS connections. It is very similar to the API provided by the [sockets](https://github.com/ARMmbed/sockets) module for unencrypted TCP and UDP connections. +A high-level API for performing TLS and DTLS connections with mbed TLS in mbed OS is provided in a separate yotta module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets). We recommend this API for TLS and DTLS connections. It is very similar to the API provided by the [sockets](https://github.com/ARMmbed/sockets) module for unencrypted TCP and UDP connections. The `mbed-tls-sockets` module includes a complete [example TLS client](https://github.com/ARMmbed/mbed-tls-sockets/blob/master/test/tls-client/main.cpp) with [usage instructions](https://github.com/ARMmbed/mbed-tls-sockets/blob/master/test/tls-client/README.md). ## Configuring mbed TLS features -mbed TLS makes it easy to disable any feature during compilation that isn't required for a particular project. The default configuration enables all modern and widely-used features, which should meet the needs of new projects, and disables all features that are older or less common, to minimize the code footprint. +mbed TLS makes it easy to disable any feature during compilation, if that feature isn't required for a particular project. The default configuration enables all modern and widely-used features, which should meet the needs of new projects, and disables all features that are older or less common, to minimize the code footprint. -The list of available compilation flags is presented in the fully documented [config.h file](https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h), present in the `mbedtls` directory of the yotta module. +The list of available compilation flags is available in the fully documented [config.h file](https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h). If you need to adjust those flags, you can provide your own configuration-adjustment file with suitable `#define` and `#undef` statements. These will be included between the default definitions and the sanity checks. Your configuration file should be in your application's include directory, and can be named freely; you just need to let mbed TLS know the file's name. To do that, use yotta's [configuration system](http://docs.yottabuild.org/reference/config.html). The file's name should be in your `config.json` file, under mbedtls, as the key `user-config-file`. -For example, in an application called `myapp`, if you want to enable the EC J-PAKE key exchange and disable the CBC cipher mode, you can create a file named for example `mbedtls-config-changes.h` in the `myapp` directory containing the following lines: +For example, in an application called `myapp`, if you want to enable the EC J-PAKE key exchange and disable the CBC cipher mode, you can create a file named `mbedtls-config-changes.h` in the `myapp` directory containing the following lines: #define MBEDTLS_ECJPAKE_C #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED #undef MBEDTLS_CIPHER_MODE_CBC -and then create a file named `config.json` at the root of your application with the following contents: +And then create a file named `config.json` at the root of your application with the following contents: { "mbedtls": { @@ -55,7 +57,7 @@ Please note: you need to provide the exact name that will be used in the `#inclu ## Getting mbed TLS from GitHub -Like most components of mbed OS, mbed TLS is developed in the open and its source can be found on GitHub: [ARMmbed/mbedtls](https://github.com/ARMmbed/mbedtls). Unlike most other mbed OS components however, you cannot just clone the repository and run `yotta build` from its root. This is because mbed TLS also exists as an independent component, so its repository includes things that are not relevant for mbed OS, as well as other build systems. +Like most components of mbed OS, mbed TLS is developed in the open and its source can be found on GitHub: [ARMmbed/mbedtls](https://github.com/ARMmbed/mbedtls). Unlike most other mbed OS components, however, you cannot just clone the repository and run `yotta build` from its root. This is because mbed TLS also exists as an independent component, so its repository includes things that are not relevant for mbed OS, as well as other build systems. The way to use mbed TLS from a clone of the GitHub repository is to run the following commands from the root of a checkout: @@ -66,11 +68,20 @@ You can then run any yotta command you would normally run, such as `yotta build` ## Differences between the standalone and mbed OS editions -While the two editions share the same code base, there are still a number of differences, mainly in configuration and in integration. You should keep in mind those differences when reading some articles of our [knowledge base](https://tls.mbed.org/kb), as currently the articles are about the standalone edition. +While the two editions share the same code base, there are still a number of differences, mainly in configuration and integration. You should keep in mind those differences when reading some articles in our [knowledge base](https://tls.mbed.org/kb), as currently all the articles are about the standalone edition. * The mbed OS edition has a smaller set of features enabled by default in `config.h`, in order to reduce footprint. While the default configuration of the standalone edition puts more emphasize on maintaining interoperability with old peers, the mbed OS edition only enables the most modern ciphers and the latest version of (D)TLS. -* The following components of mbed TLS are not enabled in the mbed OS edition as mbed OS already includes equivalent facilities: `net.c` and `timing.c`. -* The mbed OS edition comes with a fully integrated API for (D)TLS connections in a companion module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets), see "Performing TLS and DTLS connections" above. + +* The following components of mbed TLS are disabled in the mbed OS edition: `net.c` and `timing.c`. This is because mbed OS includes their equivalents. + +* The mbed OS edition comes with a fully integrated API for (D)TLS connections in a companion module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets). See "Performing TLS and DTLS connections" above. + +## Other resources + +The [mbed TLS website](https://tls.mbed.org) contains many other useful +resources for the developer, such as [developer +documentation](https://tls.mbed.org/dev-corner), [knowledgebase +articles](https://tls.mbed.org/kb), and a [support forum](https://tls.mbed.org/discussions). ## Contributing @@ -88,4 +99,5 @@ To contribute, please: * Write a test that shows that the bug was fixed or that the feature works as expected. -* Send a pull request and bug us until it gets merged and published. We will include your name in the ChangeLog :) +* Send a pull request and bug us until it gets merged and published. We will include your name in the ChangeLog. + From e0b2feae34cef134a405debccdb8b06e6efc9aff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Oct 2015 10:24:54 +0100 Subject: [PATCH 87/87] Mention performance fix in ChangeLog --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index b8a24fc20..b34eaede8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ Features * Added a key extraction callback to accees the master secret and key block. (Potential uses include EAP-TLS and Thread.) +Changes + * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 + or -1. + = mbed TLS 2.1.2 released 2015-10-06 Security