From 36ae758798e0b96365fdd1fbad159cf3dab9817b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 15:52:35 +0100 Subject: [PATCH 01/24] Include Mbed TLS config in tinycrypt compilation units --- tinycrypt/ecc.c | 6 ++++++ tinycrypt/ecc_dh.c | 7 +++++++ tinycrypt/ecc_dsa.c | 6 ++++++ 3 files changed, 19 insertions(+) diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c index 2e694cc10..ab1956a50 100644 --- a/tinycrypt/ecc.c +++ b/tinycrypt/ecc.c @@ -52,6 +52,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if defined(MBEDTLS_USE_TINYCRYPT) #include #include diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c index 28dfdf9eb..8aae1a214 100644 --- a/tinycrypt/ecc_dh.c +++ b/tinycrypt/ecc_dh.c @@ -54,6 +54,13 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if defined(MBEDTLS_USE_TINYCRYPT) #include #include diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c index 048fa6125..374309191 100644 --- a/tinycrypt/ecc_dsa.c +++ b/tinycrypt/ecc_dsa.c @@ -53,6 +53,12 @@ * POSSIBILITY OF SUCH DAMAGE. */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + #if defined(MBEDTLS_USE_TINYCRYPT) #include #include From e12aafbdc72f46ffbb69828c7775e71ad74a9e95 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Thu, 4 Apr 2019 18:32:56 +0300 Subject: [PATCH 02/24] tinyCrypt: Initial commit towards ECDHE support This commit is a first step towards using uECC for ECDH during TLS handshakes. --- include/mbedtls/ssl_internal.h | 18 ++++++- library/ssl_cli.c | 58 +++++++++++++++++---- library/ssl_srv.c | 93 ++++++++++++++++++++++++++++++---- library/ssl_tls.c | 7 +++ 4 files changed, 155 insertions(+), 21 deletions(-) 
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index df0280021..0e9575626 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -53,6 +53,11 @@ #include "ecjpake.h" #endif +#if defined(MBEDTLS_USE_TINYCRYPT) +#include "tinycrypt/ecc.h" +#include "tinycrypt/ecc_dh.h" +#endif + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline @@ -381,10 +386,17 @@ struct mbedtls_ssl_handshake_params size_t ecjpake_cache_len; /*!< Length of cached data */ #endif #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_TINYCRYPT) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) uint16_t curve_tls_id; /*!< TLS ID of EC for ECDHE. */ #endif +#if defined(MBEDTLS_USE_TINYCRYPT) + uint8_t ecdh_privkey[NUM_ECC_BYTES]; + uint8_t ecdh_ownpubkey[2*NUM_ECC_BYTES]; + uint8_t ecdh_peerkey[2*NUM_ECC_BYTES]; +#endif /* MBEDTLS_USE_TINYCRYPT */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ @@ -890,6 +902,10 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ); int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ); void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_USE_TINYCRYPT) +int mbetls_uecc_rng_wrapper( uint8_t *dest, unsigned int size ); +#endif + /** * \brief Update record layer * diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c72919496..582c9fdd4 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
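Review bot: The three new handshake fields `ecdh_privkey`, `ecdh_ownpubkey` and `ecdh_peerkey` carry no `/*!< … */` description while every neighbouring field in this struct has one; suggest `uint8_t ecdh_privkey[NUM_ECC_BYTES];     /*!< tinyCrypt ECDH private scalar (secp256r1) */` and matching one-liners for the own and peer public keys (X||Y, 2*NUM_ECC_BYTES bytes). Because the private key now lives inline in the handshake struct rather than inside an `mbedtls_ecdh_context`, the handshake-params release path should zeroize `ecdh_privkey`; that code is outside this diff, so please confirm it does. The struct definition starts and ends outside the hunk.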
@@ -250,7 +250,9 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_TINYCRYPT) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static size_t ssl_get_ec_curve_list_length( mbedtls_ssl_context *ssl ) { @@ -332,7 +334,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_USE_TINYCRYPT || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) @@ -1073,7 +1075,9 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_TINYCRYPT) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( uses_ec ) { @@ -1374,8 +1378,10 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \ + defined(MBEDTLS_USE_TINYCRYPT) static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 
@@ -1417,7 +1423,7 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_USE_TINYCRYPT || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) @@ -3521,10 +3527,42 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if defined(MBEDTLS_USE_TINYCRYPT) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) + { + const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); + + uECC_set_rng( &mbetls_uecc_rng_wrapper ); + + if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, + ssl->handshake->ecdh_privkey, + uecc_curve ) ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, + ssl->handshake->ecdh_privkey, + ssl->handshake->premaster, + uecc_curve ) ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + /* TODO: Write the client share. */ + ((void) p); + ((void) end); + ((void) ret); + ((void) n); + + mbedtls_platform_zeroize( ssl->handshake->ecdh_privkey, NUM_ECC_BYTES ); + } + else +#elif defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) 
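Review bot: Turning the legacy ECDH guard into `#elif` compiles that branch out whenever MBEDTLS_USE_TINYCRYPT is defined, but the new tinyCrypt branch only matches `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA`, so ECDHE_RSA and the static ECDH_RSA/ECDH_ECDSA suites, if enabled in the same configuration, would fall through to whatever `else` branch follows. Either extend the condition to every suite the tinyCrypt path is meant to own, or keep `#if` and let the legacy branch handle the rest, which is what the server side of this commit does. The function begins and ends outside the hunk.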
diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 8ffbf7c0b..8f75f6af7 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -276,7 +276,9 @@ static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_TINYCRYPT) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len, @@ -364,7 +366,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_USE_TINYCRYPT MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) @@ -972,7 +974,8 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl, } #endif -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_USE_TINYCRYPT) if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && ssl->handshake->curve_tls_id == 0 ) { @@ -1922,8 +1925,10 @@ read_record_header: #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_ECDH_C) || \ + defined(MBEDTLS_ECDSA_C) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \ + defined(MBEDTLS_USE_TINYCRYPT) case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 
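Review bot: The updated `#endif` comment in the `@@ -364,7 +366,7 @@` hunk reads `MBEDTLS_USE_TINYCRYPT MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` with the `||` missing, unlike the same comment as updated in ssl_cli.c in this commit; suggest `#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_USE_TINYCRYPT ||` on that line. Keeping these guard comments exact matters here because the set of macros is growing and they are the only place a reader can see which `#if` a given `#endif` closes.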
@@ -1944,7 +1949,8 @@ read_record_header: return( ret ); break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || - MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || + MBEDTLS_USE_TINYCRYPT */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: @@ -2539,7 +2545,8 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \ + defined(MBEDTLS_USE_TINYCRYPT) static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -2936,7 +2943,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \ + defined(MBEDTLS_USE_TINYCRYPT) if ( mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_from_id( mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) ) @@ -3243,6 +3251,9 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, unsigned char *dig_signed = NULL; #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ +#if defined(MBEDTLS_USE_TINYCRYPT) + const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); +#endif (void) ciphersuite_info; /* unused in some configurations */ #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 
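Review bot: In the `@@ -3243,6 +3251,9 @@` hunk the new `uecc_curve` local is declared at function scope under `MBEDTLS_USE_TINYCRYPT` but only used inside the ECDHE block further down, so a configuration that enables tinyCrypt without any ECDHE suite would get an unused-variable warning, which the `(void) ciphersuite_info; /* unused in some configurations */` line right below shows this function already has to work around. Declaring it inside the `#if defined(MBEDTLS_USE_TINYCRYPT)` block that uses it, as the client side of this commit does, avoids the problem. The function continues outside the hunk.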
@@ -3290,8 +3301,10 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, **/ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_DHE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { ssl->out_msg[ssl->out_msglen++] = 0x00; ssl->out_msg[ssl->out_msglen++] = 0x00; @@ -3369,6 +3382,43 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, * ECPoint public; * } ServerECDHParams; */ + +#if defined(MBEDTLS_USE_TINYCRYPT) + uECC_set_rng( &mbetls_uecc_rng_wrapper ); + + if( ssl->handshake->curve_tls_id != 23 ) + return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + + if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, + ssl->handshake->ecdh_privkey, + uecc_curve ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* + * First byte is curve_type, always named_curve + */ + ssl->out_msg[ssl->out_msglen++] = MBEDTLS_ECP_TLS_NAMED_CURVE; + + /* + * Next two bytes are the namedcurve value + */ + ssl->out_msg[ssl->out_msglen++] = ssl->handshake->curve_tls_id >> 8; + ssl->out_msg[ssl->out_msglen++] = ssl->handshake->curve_tls_id & 0xFF; + + /* Write the public key length */ + ssl->out_msg[ssl->out_msglen++] = 2*NUM_ECC_BYTES; + + memcpy( &ssl->out_msg[ssl->out_msglen], + ssl->handshake->ecdh_ownpubkey, + 2*NUM_ECC_BYTES ); + + ssl->out_msglen += 2*NUM_ECC_BYTES; + +#else /* MBEDTLS_USE_TINYCRYPT */ + const mbedtls_ecp_curve_info *curve = mbedtls_ecp_curve_info_from_tls_id( ssl->handshake->curve_tls_id ); int ret; 
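Review bot: The new tinyCrypt branch appends 4 + 2*NUM_ECC_BYTES bytes to `ssl->out_msg` through `out_msglen++` and `memcpy` without checking the remaining space, whereas the legacy `#else` path below the hunk presumably bounds its write by the remaining output length; a guard such as `if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 4 + 2 * NUM_ECC_BYTES ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` before the first write keeps the two paths equivalent. The message is small and sent early in the handshake, so this is about consistency of the writer rather than a reachable overflow, but the check is cheap. The function continues outside the hunk in both directions.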
@@ -3407,6 +3457,9 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, MBEDTLS_DEBUG_ECDH_Q ); + +#endif /* MBEDTLS_USE_TINYCRYPT */ + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ @@ -4140,6 +4193,26 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ +#if defined(MBEDTLS_USE_TINYCRYPT) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) + { + const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); + + /* TODO: Parse the client's key share. */ + + if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, + ssl->handshake->ecdh_privkey, + ssl->handshake->premaster, + uecc_curve ) ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } + else +#endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2a50db616..a1c26d075 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -12165,6 +12165,13 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) } } +#if defined(MBEDTLS_USE_TINYCRYPT) +int mbetls_uecc_rng_wrapper( uint8_t *dest, unsigned int size ) +{ + return( mbedtls_ssl_conf_rng_func( NULL, dest, size ) ); +} +#endif /* MBEDTLS_USE_TINYCRYPT */ + #if defined(MBEDTLS_ECP_C) /* * Check if a curve proposed by the peer is in our list. From c6c0fe6c5fc5fadcd74b95901c510e16a9fdb65d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 15:29:21 +0100 Subject: [PATCH 03/24] Add MBEDTLS_USE_TINYCRYPT to baremetal configuration --- configs/baremetal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/baremetal.h b/configs/baremetal.h index e4e3a2ac8..5c185d220 100644 
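Review bot: In the `@@ -4140,6 +4193,26 @@` hunk the server-side tinyCrypt branch is wrapped in `#if … #endif` and falls through to the unchanged legacy `#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || …` block, whereas the client side in this commit turns the legacy guard into `#elif`; the two files should agree on which path owns the ECDHE_* suites when MBEDTLS_USE_TINYCRYPT is set. With `#if` here the legacy branch stays compiled for the same suites and presumably still references `ecdh_ctx`, which a build without MBEDTLS_ECDH_C will not provide. Separately, returning `MBEDTLS_ERR_SSL_HW_ACCEL_FAILED` when `uECC_shared_secret` rejects the client's key reports a peer error as an accelerator fault; `MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE` is the conventional code for this message. The function begins and ends outside the hunk.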
--- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -116,6 +116,8 @@ #define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED +#define MBEDTLS_USE_TINYCRYPT + /* X.509 CRT parsing */ #define MBEDTLS_X509_USE_C #define MBEDTLS_X509_CRT_PARSE_C From ef982d57bfe90968911a5ed08cda4bdcbc9d6b03 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 15:56:18 +0100 Subject: [PATCH 04/24] tinyCrypt: Bind RNG wrapper to tinyCrypt in mbedtls_ssl_setup() --- include/mbedtls/ssl_internal.h | 4 ---- library/ssl_cli.c | 2 -- library/ssl_srv.c | 2 -- library/ssl_tls.c | 18 +++++++++++------- 4 files changed, 11 insertions(+), 15 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 0e9575626..8b4417024 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -902,10 +902,6 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ); int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ); void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_USE_TINYCRYPT) -int mbetls_uecc_rng_wrapper( uint8_t *dest, unsigned int size ); -#endif - /** * \brief Update record layer * diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 582c9fdd4..c3c99c114 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3533,8 +3533,6 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, { const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); - uECC_set_rng( &mbetls_uecc_rng_wrapper ); - if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, ssl->handshake->ecdh_privkey, uecc_curve ) ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 8f75f6af7..2562a5712 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -3384,8 +3384,6 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, */ #if defined(MBEDTLS_USE_TINYCRYPT) - uECC_set_rng( &mbetls_uecc_rng_wrapper ); - if( ssl->handshake->curve_tls_id != 23 ) return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a1c26d075..752c1724f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -55,6 +55,13 @@ #include "mbedtls/oid.h" #endif +#if defined(MBEDTLS_USE_TINYCRYPT) +static int uecc_rng_wrapper( uint8_t *dest, unsigned int size ) +{ + return( mbedtls_ssl_conf_rng_func( NULL, dest, size ) ); +} +#endif /* MBEDTLS_USE_TINYCRYPT */ + static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ); static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); @@ -8234,6 +8241,10 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, ssl->conf = conf; +#if defined(MBEDTLS_USE_TINYCRYPT) + uECC_set_rng( &uecc_rng_wrapper ); +#endif + /* * Prepare base structures */ @@ -12165,13 +12176,6 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) } } -#if defined(MBEDTLS_USE_TINYCRYPT) -int mbetls_uecc_rng_wrapper( uint8_t *dest, unsigned int size ) -{ - return( mbedtls_ssl_conf_rng_func( NULL, dest, size ) ); -} -#endif /* MBEDTLS_USE_TINYCRYPT */ - #if defined(MBEDTLS_ECP_C) /* * Check if a curve proposed by the peer is in our list. From d089fad9253c7ba317e344260073ccc5fdfedc35 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 09:05:05 +0100 Subject: [PATCH 05/24] tinyCrypt: Adapt RNG wrapper to return 0 on failure --- library/ssl_tls.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 752c1724f..17f1b414f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
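Review bot: In the `@@ -8234,6 +8241,10 @@` hunk, `uECC_set_rng( &uecc_rng_wrapper )` installs a process-global callback from a per-context setup function, which reads oddly without a word of explanation; suggest a comment above it: `/* tinyCrypt's RNG hook is global and takes no context; the wrapper forwards to the configuration-wide RNG, so re-binding it on every setup is harmless. */`. It is also worth stating there that the wrapper passes a NULL context to `mbedtls_ssl_conf_rng_func`, which is only sound when the RNG is fixed at compile time.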
@@ -58,7 +58,12 @@ #if defined(MBEDTLS_USE_TINYCRYPT) static int uecc_rng_wrapper( uint8_t *dest, unsigned int size ) { - return( mbedtls_ssl_conf_rng_func( NULL, dest, size ) ); + int ret; + ret = mbedtls_ssl_conf_rng_func( NULL, dest, size ); + if( ret == 0 ) + return( (int) size ); + + return( 0 ); } #endif /* MBEDTLS_USE_TINYCRYPT */ From d849c7ca191b281e7146e4b4aa4e3f81499de89c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 15:59:58 +0100 Subject: [PATCH 06/24] tinyCrypt: Hardcode ECDH parameter header Saves a few bytes of code when tinyCrypt is used. --- library/ssl_srv.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 2562a5712..b661d647f 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3384,8 +3384,22 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, */ #if defined(MBEDTLS_USE_TINYCRYPT) - if( ssl->handshake->curve_tls_id != 23 ) + static const uint16_t secp256r1_tls_id = 23; + static const unsigned char ecdh_param_hdr[] = { + MBEDTLS_ECP_TLS_NAMED_CURVE, + ( secp256r1_tls_id >> 8 ) & 0xFF, + ( secp256r1_tls_id >> 0 ) & 0xFF, + 2 * NUM_ECC_BYTES + 1, + 0x04 /* Uncompressed */ + }; + + if( ssl->handshake->curve_tls_id != secp256r1_tls_id ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported curve %u (expected %u)", + (unsigned) ssl->handshake->curve_tls_id, + secp256r1_tls_id ) ); return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + } if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, ssl->handshake->ecdh_privkey, 
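Review bot: `return( (int) size );` relies on tinyCrypt treating any non-zero return as success; its RNG callback is documented as returning 1 on success and 0 on failure, so `return( 1 );` states the contract directly and does not report a zero-length request as a failure. A header comment would save the next reader a trip to ecc.h: `/* Adapt Mbed TLS's 0-on-success RNG to tinyCrypt's 1-on-success / 0-on-failure callback. */`.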
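Review bot: `ecdh_param_hdr` is a `static` array whose initializer reads `secp256r1_tls_id`, and a `static const` object is not an integer constant expression in ISO C, so a pedantic compiler may reject the initializer even though GCC accepts it; an enumerator or macro, e.g. `enum { SECP256R1_TLS_ID = 23 };`, is constant under both rules and can also feed the `%u` argument of the debug message without the promotion mismatch (the first argument is cast to `unsigned`, the second is not). The function continues outside the hunk.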
@@ -3395,24 +3409,17 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - /* - * First byte is curve_type, always named_curve - */ - ssl->out_msg[ssl->out_msglen++] = MBEDTLS_ECP_TLS_NAMED_CURVE; +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) + dig_signed = ssl->out_msg + ssl->out_msglen; +#endif - /* - * Next two bytes are the namedcurve value - */ - ssl->out_msg[ssl->out_msglen++] = ssl->handshake->curve_tls_id >> 8; - ssl->out_msg[ssl->out_msglen++] = ssl->handshake->curve_tls_id & 0xFF; - - /* Write the public key length */ - ssl->out_msg[ssl->out_msglen++] = 2*NUM_ECC_BYTES; + memcpy( ssl->out_msg + ssl->out_msglen, + ecdh_param_hdr, sizeof( ecdh_param_hdr ) ); + ssl->out_msglen += sizeof( ecdh_param_hdr ); memcpy( &ssl->out_msg[ssl->out_msglen], ssl->handshake->ecdh_ownpubkey, 2*NUM_ECC_BYTES ); - ssl->out_msglen += 2*NUM_ECC_BYTES; #else /* MBEDTLS_USE_TINYCRYPT */ From 75f12d1eb9784264a1e2fa34208c5d5e21ee778c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 16:16:15 +0100 Subject: [PATCH 07/24] tinyCrypt: Add ServerKeyExchange parsing code --- include/mbedtls/ssl_internal.h | 5 +++++ library/ssl_cli.c | 33 +++++++++++++++++++++++++++++++++ library/ssl_srv.c | 4 +++- library/ssl_tls.c | 29 +++++++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 8b4417024..19d1fd364 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1830,4 +1830,9 @@ MBEDTLS_ALWAYS_INLINE static inline void mbedtls_ssl_pend_fatal_alert( #define MBEDTLS_SSL_CHK(f) do { if( ( ret = f ) < 0 ) goto cleanup; } while( 0 ) +#if defined(MBEDTLS_USE_TINYCRYPT) +int mbedtls_ssl_ecdh_read_peerkey( mbedtls_ssl_context *ssl, + unsigned char **p, unsigned char *end ); +#endif /* MBEDTLS_USE_TINYCRYPT */ + #endif /* ssl_internal.h */ 
diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c3c99c114..4734eabd5 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2798,6 +2798,39 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ +#if defined(MBEDTLS_USE_TINYCRYPT) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) + { + static const uint16_t secp256r1_tls_id = 23; + static const unsigned char ecdh_group[] = { + MBEDTLS_ECP_TLS_NAMED_CURVE, + ( secp256r1_tls_id >> 8 ) & 0xFF, + ( secp256r1_tls_id >> 0 ) & 0xFF, + }; + + /* Check for fixed ECDH parameter preamble. */ + if( (size_t)( end - p ) < sizeof( ecdh_group ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad server key exchange (too short)" ) ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( memcmp( p, ecdh_group, sizeof( ecdh_group ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad server key exchange (unexpected header)" ) ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + p += sizeof( ecdh_group ); + + /* Read server's key share. */ + if( mbedtls_ssl_ecdh_read_peerkey( ssl, &p, end ) != 0 ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + else +#endif /* MBEDTLS_USE_TINYCRYPT */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index b661d647f..fb8fab655 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
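Review bot: A too-short or mismatched ServerKeyExchange returns `MBEDTLS_ERR_SSL_HW_ACCEL_FAILED`, which labels a peer protocol error as an accelerator fault and hides it from callers that inspect the error; `MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE` is the code used for this condition elsewhere in the client, and pending a decode-error alert before returning would match the legacy path. The same mapping is applied to the `mbedtls_ssl_ecdh_read_peerkey` failure on the last added lines, which already returns a specific error that is then discarded. The function begins and ends outside the hunk.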
@@ -4206,7 +4206,9 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, { const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); - /* TODO: Parse the client's key share. */ + ret = mbedtls_ssl_ecdh_read_peerkey( ssl, &p, end ); + if( ret != 0 ) + return( ret ); if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, ssl->handshake->ecdh_privkey, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 17f1b414f..3e9d717e3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -65,6 +65,35 @@ static int uecc_rng_wrapper( uint8_t *dest, unsigned int size ) return( 0 ); } + +int mbedtls_ssl_ecdh_read_peerkey( mbedtls_ssl_context *ssl, + unsigned char **p, unsigned char *end ) +{ + size_t const secp256r1_uncompressed_point_length = + 1 /* length */ + 1 /* length */ + 2 * NUM_ECC_BYTES /* data */; + + if( (size_t)( end - *p ) < secp256r1_uncompressed_point_length ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Bad ECDH peer pubkey (too short)" ) ); + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + } + + if( (*p)[0] != 2 * NUM_ECC_BYTES + 1 || + (*p)[1] != 0x04 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Unexpected ECDH peer pubkey header - expected { %#02x, %#02x }, got { %#02x, %#02x }", + 2 * NUM_ECC_BYTES + 1, + 0x04, + (unsigned) (*p)[0], + (unsigned) (*p)[1] ) ); + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + } + + memcpy( ssl->handshake->ecdh_peerkey, *p + 2, 2 * NUM_ECC_BYTES ); + + *p += secp256r1_uncompressed_point_length; + return( 0 ); +} #endif /* MBEDTLS_USE_TINYCRYPT */ static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ); From a3c2c1712c0d7befca0091b50cd9bcba52e22bd8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 16:51:57 +0100 Subject: [PATCH 08/24] tinyCrypt: Share ECDH secret calculation code-path --- library/ssl_cli.c | 8 -------- library/ssl_srv.c | 13 +------------ library/ssl_tls.c | 20 ++++++++++++++++++++ 3 files changed, 21 insertions(+), 20 deletions(-) 
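Review bot: In the `@@ -65,6 +65,35 @@` hunk, `mbedtls_ssl_ecdh_read_peerkey` checks the length and the 0x04 format byte but copies the coordinates into `ecdh_peerkey` without checking that they form a point on secp256r1; tinyCrypt's `uECC_shared_secret` does not, as far as I can see, validate its input, so an invalid point supplied by the peer reaches the scalar multiplication, which is the classic invalid-curve precondition. Calling `uECC_valid_public_key( ssl->handshake->ecdh_peerkey, uECC_secp256r1() )` after the memcpy and rejecting on a non-zero result closes that, and because both client and server go through this helper it fixes the server's ClientKeyExchange parsing in the same commit. The comment `1 /* length */ + 1 /* length */` should read `1 /* length */ + 1 /* point format */`.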
diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 4734eabd5..44a7bccf2 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3573,14 +3573,6 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, - ssl->handshake->ecdh_privkey, - ssl->handshake->premaster, - uecc_curve ) ) - { - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } - /* TODO: Write the client share. */ ((void) p); ((void) end); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index fb8fab655..37e83399a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -4204,19 +4204,8 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { - const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); - - ret = mbedtls_ssl_ecdh_read_peerkey( ssl, &p, end ); - if( ret != 0 ) - return( ret ); - - if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, - ssl->handshake->ecdh_privkey, - ssl->handshake->premaster, - uecc_curve ) ) - { + if( mbedtls_ssl_ecdh_read_peerkey( ssl, &p, end ) != 0 ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } } else #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3e9d717e3..da7285f9f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -1701,6 +1701,26 @@ int mbedtls_ssl_build_pms( mbedtls_ssl_context *ssl ) mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); +#if defined(MBEDTLS_USE_TINYCRYPT) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) + { + const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); + + if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, + ssl->handshake->ecdh_privkey, + ssl->handshake->premaster, + uecc_curve ) ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + ssl->handshake->pmslen = NUM_ECC_BYTES; + } + else +#endif #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) From 621113fd3aa56582df49196ce4bf702b0ff7a05a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 23 Jul 2019 17:01:13 +0100 Subject: [PATCH 09/24] tinyCrypt: Write client's key share --- library/ssl_cli.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 44a7bccf2..0488f7bf6 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3562,9 +3562,13 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ #if defined(MBEDTLS_USE_TINYCRYPT) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) - == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); + ((void) n); + ((void) ret); if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, ssl->handshake->ecdh_privkey, 
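Review bot: After `uECC_shared_secret` succeeds, `ecdh_privkey` has no further use but is left in the handshake struct; the client code this commit moves out of ssl_cli.c was followed there by a zeroize of that key, and the second hunk of patch 09 in this series removes that client-side zeroize as well, so nothing on the page clears it any more. Adding `mbedtls_platform_zeroize( ssl->handshake->ecdh_privkey, NUM_ECC_BYTES );` right after `ssl->handshake->pmslen = NUM_ECC_BYTES;` covers both client and server in one place, unless handshake teardown already does it, which is not visible here. The function continues outside the hunk.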
@@ -3573,13 +3577,13 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - /* TODO: Write the client share. */ - ((void) p); - ((void) end); - ((void) ret); - ((void) n); + if( (size_t)( end - p ) < 2 * NUM_ECC_BYTES + 2 ) + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - mbedtls_platform_zeroize( ssl->handshake->ecdh_privkey, NUM_ECC_BYTES ); + *p++ = 2 * NUM_ECC_BYTES + 1; + *p++ = 0x04; /* uncompressed point presentation */ + memcpy( p, ssl->handshake->ecdh_ownpubkey, 2 * NUM_ECC_BYTES ); + p += 2 * NUM_ECC_BYTES; } else #elif defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ From 00a9b6df773f482e4ea3d79fa8a3fc5d8342ce2a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 09:43:44 +0100 Subject: [PATCH 10/24] tinyCrypt: Enforce global RNG tinyCrypt uses a global RNG without context parameter while Mbed TLS in its default configuration uses RNG+CTX bound to the SSL configuration. This commit restricts the use of tinyCrypt to configurations that use a global RNG function with NULL context by setting MBEDTLS_SSL_CONF_RNG in the configuration. This allows to define a wrapper RNG to be used by tinyCrypt which maps to this global hardcoded RNG. --- include/mbedtls/check_config.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 29e61db84..647e7c1b2 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -103,6 +103,11 @@ #error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION" #endif +#if defined(MBEDTLS_USE_TINYCRYPT) && \ + !defined(MBEDTLS_SSL_CONF_RNG) +#error "MBEDTLS_USE_TINYCRYPT defined, but not all prerequesites" +#endif + #if defined(MBEDTLS_NIST_KW_C) && \ ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) ) #error "MBEDTLS_NIST_KW_C defined, but not all prerequisites" 
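Review bot: The comment on the point-format byte, `/* uncompressed point presentation */`, says "presentation" where "representation" is meant, and the hard-coded `2 * NUM_ECC_BYTES + 1` and `0x04` are otherwise unexplained. Suggest `*p++ = 0x04; /* uncompressed ECPoint (RFC 4492): 0x04 || X || Y, 65 bytes for P-256 */` so the length byte and the tag read as one encoding decision. The removed `mbedtls_platform_zeroize` of `ecdh_privkey` was premature because mbedtls_ssl_build_pms still needs the scalar, but a sentence in the commit message saying where the wipe now happens would help, since nothing in this hunk reinstates it. ssl_out_client_key_exchange_write starts and ends outside the hunk.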
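Review bot: The new `#error` string misspells "prerequisites" and, unlike the tinyCrypt check just above it that names MBEDTLS_NO_64BIT_MULTIPLICATION, does not say which prerequisite is missing, so a user hitting it has to open check_config.h to learn that MBEDTLS_SSL_CONF_RNG is required. Suggest `#error "MBEDTLS_USE_TINYCRYPT defined, but MBEDTLS_SSL_CONF_RNG is not defined"`. A one-line comment above the check noting that tinyCrypt's RNG hook takes no context argument, which is the reason given in the commit message for requiring a global RNG, would save the next reader the same trip.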
From 49dc8edd26ac22ebf4382eb5e4e70412770a76eb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 10:08:11 +0100 Subject: [PATCH 11/24] Don't require MBEDTLS_ECDH_C for ECDHA-{ECDSA|RSA}-based suites The ECDHE key derivation in such suites is now also supported through tinyCrypt, enabled via MBEDTLS_USE_TINYCRYPT. --- include/mbedtls/check_config.h | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 647e7c1b2..94ce3d1bc 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -265,14 +265,17 @@ #error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ - ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) ) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ + ( !( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_USE_TINYCRYPT) ) || \ + !defined(MBEDTLS_RSA_C) || \ + !defined(MBEDTLS_X509_CRT_PARSE_C) || \ + !defined(MBEDTLS_PKCS1_V15) ) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ - ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) || \ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ + ( !( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_USE_TINYCRYPT) ) || \ + !defined(MBEDTLS_ECDSA_C) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) ) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites" #endif From 975b9ee3c808a4c0bb8d45873e83b24536691c58 Mon Sep 17 00:00:00 2001 
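Review bot: The relaxed conditions let MBEDTLS_USE_TINYCRYPT stand in for MBEDTLS_ECDH_C, but nothing in the file says that the substitute covers only the ECDHE-RSA and ECDHE-ECDSA exchanges over P-256, so a reader could assume the static ECDH_RSA/ECDH_ECDSA and ECDHE_PSK exchanges are covered too. A comment above the first check, such as `/* tinyCrypt replaces MBEDTLS_ECDH_C only for ECDHE-RSA/ECDHE-ECDSA over secp256r1; other ECDH-based exchanges still need MBEDTLS_ECDH_C */`, would make the boundary explicit. Whether the checks for those other exchanges still require MBEDTLS_ECDH_C is not visible in this hunk and should be confirmed.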
From: Hanno Becker Date: Wed, 24 Jul 2019 10:09:27 +0100 Subject: [PATCH 12/24] Fix guards around use of legacy ECDH context mbedtls_ssl_handshake_params::ecdh_ctx should only be guarded by MBEDTLS_ECDH_C, not by MBEDTLS_ECDSA_C. --- library/ssl_cli.c | 2 +- library/ssl_srv.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0488f7bf6..478b208f4 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1404,7 +1404,7 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED ) { -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) ssl->handshake->ecdh_ctx.point_format = p[0]; #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 37e83399a..773e9e284 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -350,7 +350,7 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || p[0] == MBEDTLS_ECP_PF_COMPRESSED ) { -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_ECDH_C) ssl->handshake->ecdh_ctx.point_format = p[0]; #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) From 29d165565c4eb52351a5a8653049a611bdfb107c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:11:45 +0100 Subject: [PATCH 13/24] Add MBEDTLS_ECDH_C guards to ECDH code-paths using legacy ECDH Previously, MBEDTLS_KEY_EXCHANGE_ECDH[E]_XXX_ENABLED would imply that MBEDTLS_ECDH_C is set, but with the introduction of tinyCrypt as an alternative ECDH implementation, this is no longer the case. --- library/ssl_cli.c | 69 ++++++++++++++++++++++++++--------------------- library/ssl_srv.c | 9 ++++--- library/ssl_tls.c | 9 ++++--- 3 files changed, 49 insertions(+), 38 deletions(-) 
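Review bot: With the guard narrowed to MBEDTLS_ECDH_C, a build that uses tinyCrypt without MBEDTLS_ECDH_C now parses the peer's point-format preference and then discards it, which is acceptable only because the tinyCrypt path emits and accepts the uncompressed form exclusively and RFC 4492 obliges every peer to support it. That reasoning is not recorded in the hunk; a short comment inside the `#if`, e.g. `/* tinyCrypt handles uncompressed points only, so the preference is not stored */`, would stop a later reader from "fixing" the dropped assignment. The same applies to the sibling hunk in ssl_srv.c.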
diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 478b208f4..ef68244ce 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2216,11 +2216,12 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char * #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) { const mbedtls_ecp_curve_info *curve_info; 
@@ -2253,15 +2254,17 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ +#endif /* MBEDTLS_ECDH_C && + ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)) static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, unsigned char **p, unsigned char *end ) @@ -2291,9 +2294,10 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ +#endif /* MBEDTLS_ECDH_C && + ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ) */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 
@@ -2831,9 +2835,10 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, } else #endif /* MBEDTLS_USE_TINYCRYPT */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) ) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) @@ -2850,9 +2855,10 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, } } else -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_ECDH_C && + ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) @@ -3586,10 +3592,12 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, p += 2 * NUM_ECC_BYTES; } else -#elif defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#endif /* MBEDTLS_USE_TINYCRYPT */ +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) 
@@ -3627,10 +3635,11 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, p += n; } else -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ +#endif /* MBEDTLS_ECDH_C && ( + ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ) */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 773e9e284..16b7f627b 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -4209,10 +4209,11 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, } else #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da7285f9f..0500d8561 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
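Review bot: The rewritten `#endif` comment has an extra opening parenthesis, `MBEDTLS_ECDH_C && ( ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || ...`, so it no longer mirrors the `#if` it closes and will mislead anyone matching guards by eye. Drop the duplicate: `#endif /* MBEDTLS_ECDH_C && ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ) */`. ssl_out_client_key_exchange_write starts and ends outside the hunk.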
@@ -1740,10 +1740,11 @@ int mbedtls_ssl_build_pms( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if defined(MBEDTLS_ECDH_C) && \ + ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) From 7a19633c99a55d67f5eafb196d480cc380fb9e90 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:12:41 +0100 Subject: [PATCH 14/24] tinyCrypt: Avoid unused var warning by marking vars as unused --- library/ssl_srv.c | 1 + library/ssl_tls.c | 1 + 2 files changed, 2 insertions(+) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 16b7f627b..d50896776 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -4204,6 +4204,7 @@ static int ssl_in_client_key_exchange_parse( mbedtls_ssl_context *ssl, mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { + ((void) ret); if( mbedtls_ssl_ecdh_read_peerkey( ssl, &p, end ) != 0 ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 0500d8561..3cceb660a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1708,6 +1708,7 @@ int mbedtls_ssl_build_pms( mbedtls_ssl_context *ssl ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { const struct uECC_Curve_t * uecc_curve = uECC_secp256r1(); + ((void) ret); if( !uECC_shared_secret( ssl->handshake->ecdh_peerkey, ssl->handshake->ecdh_privkey, From cdce332d8c4faaf8476e734794916a16a1f4f8f0 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 24 Jul 2019 11:14:05 +0100 Subject: [PATCH 15/24] Remove MBEDTLS_ECDH_C from baremetal configuration Baremetal uses the tinyCrypt implementation of ECDHE. --- configs/baremetal.h | 1 - 1 file changed, 1 deletion(-) diff --git a/configs/baremetal.h b/configs/baremetal.h index 5c185d220..0bdee4fc2 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -46,7 +46,6 @@ #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_WRITE_C -#define MBEDTLS_ECDH_C #define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C #define MBEDTLS_ECP_DP_SECP256R1_ENABLED From 9cf087d2e7af762b11b244e5f24fa5c0df80cab6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:19:03 +0100 Subject: [PATCH 16/24] Use tinyCrypt only for ECDHE-RSA/ECDSA in SrvKeyExch writing In a way inconsistent with the rest of the library restricting the use of tinyCrypt to pure-ECDHE, the previous ServerKeyExchange writing routine would use tinyCrypt also for ECDHE-PSK-based ciphersuites. This commit fixes this. --- library/ssl_srv.c | 151 +++++++++++++++++++++++++--------------------- 1 file changed, 81 insertions(+), 70 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d50896776..319859611 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -3384,87 +3384,98 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, */ #if defined(MBEDTLS_USE_TINYCRYPT) - static const uint16_t secp256r1_tls_id = 23; - static const unsigned char ecdh_param_hdr[] = { - MBEDTLS_ECP_TLS_NAMED_CURVE, - ( secp256r1_tls_id >> 8 ) & 0xFF, - ( secp256r1_tls_id >> 0 ) & 0xFF, - 2 * NUM_ECC_BYTES + 1, - 0x04 /* Uncompressed */ - }; - - if( ssl->handshake->curve_tls_id != secp256r1_tls_id ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported curve %u (expected %u)", - (unsigned) ssl->handshake->curve_tls_id, - secp256r1_tls_id ) ); - return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + static const uint16_t secp256r1_tls_id = 23; + static const unsigned char ecdh_param_hdr[] = { + MBEDTLS_ECP_TLS_NAMED_CURVE, + ( secp256r1_tls_id >> 8 ) & 0xFF, + ( secp256r1_tls_id >> 0 ) & 0xFF, + 2 * NUM_ECC_BYTES + 1, + 0x04 /* Uncompressed */ + }; + + if( ssl->handshake->curve_tls_id != secp256r1_tls_id ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported curve %u (expected %u)", + (unsigned) ssl->handshake->curve_tls_id, + secp256r1_tls_id ) ); + return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + } + + if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, + ssl->handshake->ecdh_privkey, + uecc_curve ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) + dig_signed = ssl->out_msg + ssl->out_msglen; +#endif + + memcpy( ssl->out_msg + ssl->out_msglen, + ecdh_param_hdr, sizeof( ecdh_param_hdr ) ); + ssl->out_msglen += sizeof( ecdh_param_hdr ); + + memcpy( &ssl->out_msg[ssl->out_msglen], + ssl->handshake->ecdh_ownpubkey, + 2*NUM_ECC_BYTES ); + ssl->out_msglen += 2*NUM_ECC_BYTES; } - - if( !uECC_make_key( 
ssl->handshake->ecdh_ownpubkey, - ssl->handshake->ecdh_privkey, - uecc_curve ) ) + else +#endif /* MBEDTLS_ECDH_C */ +#if !defined(MBEDTLS_ECDH_C) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +#else + { + const mbedtls_ecp_curve_info *curve = + mbedtls_ecp_curve_info_from_tls_id( ssl->handshake->curve_tls_id ); + int ret; + size_t len = 0; + + if( curve == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); + return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", curve->name ) ); + + if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, + curve->grp_id ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); + return( ret ); + } + + if( ( ret = mbedtls_ecdh_make_params( + &ssl->handshake->ecdh_ctx, &len, + ssl->out_msg + ssl->out_msglen, + MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, + mbedtls_ssl_conf_get_frng( ssl->conf ), + mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); + return( ret ); + } #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) - dig_signed = ssl->out_msg + ssl->out_msglen; + dig_signed = ssl->out_msg + ssl->out_msglen; #endif - memcpy( ssl->out_msg + ssl->out_msglen, - ecdh_param_hdr, sizeof( ecdh_param_hdr ) ); - ssl->out_msglen += sizeof( ecdh_param_hdr ); + ssl->out_msglen += len; - memcpy( &ssl->out_msg[ssl->out_msglen], - ssl->handshake->ecdh_ownpubkey, - 2*NUM_ECC_BYTES ); - ssl->out_msglen += 2*NUM_ECC_BYTES; - -#else /* MBEDTLS_USE_TINYCRYPT */ - - const mbedtls_ecp_curve_info *curve = - mbedtls_ecp_curve_info_from_tls_id( ssl->handshake->curve_tls_id ); - int ret; - size_t len = 0; - - if( curve == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); - return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + MBEDTLS_SSL_DEBUG_ECDH( 3, 
&ssl->handshake->ecdh_ctx, + MBEDTLS_DEBUG_ECDH_Q ); } - MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", curve->name ) ); - - if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, - curve->grp_id ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); - return( ret ); - } - - if( ( ret = mbedtls_ecdh_make_params( - &ssl->handshake->ecdh_ctx, &len, - ssl->out_msg + ssl->out_msglen, - MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, - mbedtls_ssl_conf_get_frng( ssl->conf ), - mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); - return( ret ); - } - -#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) - dig_signed = ssl->out_msg + ssl->out_msglen; -#endif - - ssl->out_msglen += len; - - MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, - MBEDTLS_DEBUG_ECDH_Q ); - -#endif /* MBEDTLS_USE_TINYCRYPT */ - +#endif /* MBEDTLS_ECDH_C */ } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ From af9ff4ab9d430b39cfe770029e4fbd2df5a07ab3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:40:53 +0100 Subject: [PATCH 17/24] tinyCrypt: Enforce matching setting of MBEDTLS_SSL_CONF_SINGLE_EC We support only Secp256r1 through tinyCrypt, so enforce this by requiring that MBEDTLS_SSL_CONF_SINGLE_EC is set and fixes that curve. --- include/mbedtls/check_config.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 94ce3d1bc..f28345d2f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
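Review bot: The tinyCrypt branch appends `sizeof( ecdh_param_hdr ) + 2*NUM_ECC_BYTES` bytes to `ssl->out_msg` with two unchecked writes, while the legacy branch below hands `MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen` to mbedtls_ecdh_make_params and lets it refuse; the new path should make the same check before the first memcpy: `if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < sizeof( ecdh_param_hdr ) + 2 * NUM_ECC_BYTES ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );`. The remaining space is very likely sufficient at this point of ServerKeyExchange, but the guard is cheap and keeps the two implementations symmetrical. Also, the `#endif /* MBEDTLS_ECDH_C */` that follows the tinyCrypt `else` actually closes `#if defined(MBEDTLS_USE_TINYCRYPT)`; label it `#endif /* MBEDTLS_USE_TINYCRYPT */`. ssl_prepare_server_key_exchange starts and ends outside the hunk.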
@@ -103,6 +103,13 @@ #error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION" #endif +#if defined(MBEDTLS_USE_TINYCRYPT) && \ + !( defined(MBEDTLS_SSL_CONF_SINGLE_EC) && \ + MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID == 23 && \ + MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID == MBEDTLS_ECP_DP_SECP256R1 ) +#error "MBEDTLS_USE_TINYCRYPT requires the use of MBEDTLS_SSL_CONF_SINGLE_EC to hardcode the choice of Secp256r1" +#endif + #if defined(MBEDTLS_USE_TINYCRYPT) && \ !defined(MBEDTLS_SSL_CONF_RNG) #error "MBEDTLS_USE_TINYCRYPT defined, but not all prerequesites" From 9175c21b724d46268c750f38dba2aff180d0a1c9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:47:22 +0100 Subject: [PATCH 18/24] tinyCrypt: Move key buffers to end of mbedtls_ssl_handshake_params This saves considerable amount of code on Thumb due to single-instruction load/stores for fields preceding these buffers. --- include/mbedtls/ssl_internal.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 19d1fd364..e8f7b7100 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -392,11 +392,6 @@ struct mbedtls_ssl_handshake_params defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) uint16_t curve_tls_id; /*!< TLS ID of EC for ECDHE. */ #endif -#if defined(MBEDTLS_USE_TINYCRYPT) - uint8_t ecdh_privkey[NUM_ECC_BYTES]; - uint8_t ecdh_ownpubkey[2*NUM_ECC_BYTES]; - uint8_t ecdh_peerkey[2*NUM_ECC_BYTES]; -#endif /* MBEDTLS_USE_TINYCRYPT */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ 
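Review bot: `MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID == MBEDTLS_ECP_DP_SECP256R1` is evaluated by the preprocessor, and if MBEDTLS_ECP_DP_SECP256R1 is an enumerator of mbedtls_ecp_group_id rather than a macro (which is how I remember ecp.h defining it), both identifiers are replaced by 0 inside `#if`, so the comparison holds for any curve and the check only really enforces the TLS ID. If that is the case, keep the TLS-ID test here and move the group-ID assertion to a C file where it can be a genuine compile-time check (a negative-size array, or `_Static_assert` if the project's C standard allows it); building with `-Wundef` would show which identifiers the preprocessor is silently zeroing. A comment that TLS ID 23 is secp256r1 would also help, since the same literal recurs in ssl_cli.c and ssl_srv.c.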
@@ -554,6 +549,12 @@ struct mbedtls_ssl_handshake_params * The library does not use it internally. */ void *user_async_ctx; #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ + +#if defined(MBEDTLS_USE_TINYCRYPT) + uint8_t ecdh_privkey[NUM_ECC_BYTES]; + uint8_t ecdh_ownpubkey[2*NUM_ECC_BYTES]; + uint8_t ecdh_peerkey[2*NUM_ECC_BYTES]; +#endif /* MBEDTLS_USE_TINYCRYPT */ }; /* From b1626fb619874a79f11c0e9f04ff426890e7623e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 11:54:54 +0100 Subject: [PATCH 19/24] tinyCrypt: Remove check for Secp256r1 in SrvKeyExch writing The use of tinyCrypt is restricted Secp256r1-only, and a check in ssl_ciphersuite_is_match() ensures that an EC ciphersuite is chosen only if the client advertised support for Secp256r1, too. --- library/ssl_srv.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 319859611..435588ef2 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3398,14 +3398,6 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, 0x04 /* Uncompressed */ }; - if( ssl->handshake->curve_tls_id != secp256r1_tls_id ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported curve %u (expected %u)", - (unsigned) ssl->handshake->curve_tls_id, - secp256r1_tls_id ) ); - return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); - } - if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, ssl->handshake->ecdh_privkey, uecc_curve ) ) From 8295ff0b04d1885756757c0a76e36a1f44f70f5c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 12:45:52 +0100 Subject: [PATCH 20/24] tinyCrypt: Don't store public ECDH-share in handshake struct Instead, write it to the message buffer directly. --- include/mbedtls/ssl_internal.h | 1 - library/ssl_cli.c | 14 ++++++-------- library/ssl_srv.c | 19 ++++++++----------- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index e8f7b7100..b6228d3a2 100644 
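Review bot: The relocated `ecdh_privkey`, `ecdh_ownpubkey` and `ecdh_peerkey` fields are the only members in view without a `/*!< ... */` description, and the first of them holds the ephemeral ECDHE private scalar, which deserves flagging as sensitive at its declaration. Suggest `uint8_t ecdh_privkey[NUM_ECC_BYTES]; /*!< tinyCrypt ECDHE: ephemeral private scalar (secp256r1), sensitive */` and similar one-liners for the own and peer public points as uncompressed X||Y. A note that placing them at the end of the struct is deliberate for Thumb code size, as the commit message explains, would keep someone from moving them back.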
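Review bot: Removing the curve_tls_id check leaves the hard-coded secp256r1 header with no nearby statement of why a mismatch cannot occur; the commit message says ssl_ciphersuite_is_match() and the MBEDTLS_SSL_CONF_SINGLE_EC requirement guarantee it, but neither is visible from this function. A comment above `ecdh_param_hdr`, e.g. `/* curve_tls_id is pinned to secp256r1 by MBEDTLS_SSL_CONF_SINGLE_EC (enforced in check_config.h), so no runtime check is needed */`, records the invariant the code now depends on. ssl_prepare_server_key_exchange starts and ends outside the hunk.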
--- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -552,7 +552,6 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_USE_TINYCRYPT) uint8_t ecdh_privkey[NUM_ECC_BYTES]; - uint8_t ecdh_ownpubkey[2*NUM_ECC_BYTES]; uint8_t ecdh_peerkey[2*NUM_ECC_BYTES]; #endif /* MBEDTLS_USE_TINYCRYPT */ }; diff --git a/library/ssl_cli.c b/library/ssl_cli.c index ef68244ce..f7a05495e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3576,19 +3576,17 @@ static int ssl_out_client_key_exchange_write( mbedtls_ssl_context *ssl, ((void) n); ((void) ret); - if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, - ssl->handshake->ecdh_privkey, - uecc_curve ) ) - { - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } - if( (size_t)( end - p ) < 2 * NUM_ECC_BYTES + 2 ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); *p++ = 2 * NUM_ECC_BYTES + 1; *p++ = 0x04; /* uncompressed point presentation */ - memcpy( p, ssl->handshake->ecdh_ownpubkey, 2 * NUM_ECC_BYTES ); + + if( !uECC_make_key( p, ssl->handshake->ecdh_privkey, + uecc_curve ) ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } p += 2 * NUM_ECC_BYTES; } else diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 435588ef2..4afb27ccf 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3398,14 +3398,6 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, 0x04 /* Uncompressed */ }; - if( !uECC_make_key( ssl->handshake->ecdh_ownpubkey, - ssl->handshake->ecdh_privkey, - uecc_curve ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) dig_signed = ssl->out_msg + ssl->out_msglen; #endif 
@@ -3414,9 +3406,14 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, ecdh_param_hdr, sizeof( ecdh_param_hdr ) ); ssl->out_msglen += sizeof( ecdh_param_hdr ); - memcpy( &ssl->out_msg[ssl->out_msglen], - ssl->handshake->ecdh_ownpubkey, - 2*NUM_ECC_BYTES ); + if( !uECC_make_key( &ssl->out_msg[ ssl->out_msglen ], + ssl->handshake->ecdh_privkey, + uecc_curve ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Key creation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + ssl->out_msglen += 2*NUM_ECC_BYTES; } else From b72fc6a648bfd1af6b4c49a66bdb8dc1ffffab32 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 15:23:37 +0100 Subject: [PATCH 21/24] Don't use const var in initialization of another const var ARM Compiler doesn't like it. --- library/ssl_cli.c | 5 ++--- library/ssl_srv.c | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index f7a05495e..be83f53d6 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2808,11 +2808,10 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl, mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { - static const uint16_t secp256r1_tls_id = 23; static const unsigned char ecdh_group[] = { MBEDTLS_ECP_TLS_NAMED_CURVE, - ( secp256r1_tls_id >> 8 ) & 0xFF, - ( secp256r1_tls_id >> 0 ) & 0xFF, + 0 /* high bits of secp256r1 TLS ID */, + 23 /* low bits of secp256r1 TLS ID */, }; /* Check for fixed ECDH parameter preamble. */ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 4afb27ccf..559c88153 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
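Review bot: A `uECC_make_key` failure is reported as MBEDTLS_ERR_SSL_INTERNAL_ERROR here but as MBEDTLS_ERR_SSL_HW_ACCEL_FAILED in the matching client-side write, so the same tinyCrypt failure surfaces under two different codes depending on the role. Pick one; since key generation failing means the RNG wrapper refused rather than an accelerator faulting, MBEDTLS_ERR_SSL_INTERNAL_ERROR fits both sides better, which would make the client's line read `return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`. ssl_prepare_server_key_exchange starts and ends outside the hunk.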
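Review bot: The literal `23` for secp256r1 now appears as a bare byte in this array, again in the ssl_srv.c counterpart, and as the required value of MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID in check_config.h, with only comments tying them together. Since check_config.h already forces MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID to 23 and that name is a macro (it is compared inside an `#if`), the array could derive from it instead of repeating the number: `( MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID >> 8 ) & 0xFF, ( MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID >> 0 ) & 0xFF,` — a macro is a constant expression, which sidesteps the ARM Compiler objection to the `static const` variable. ssl_in_server_key_exchange_parse starts and ends outside the hunk.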
@@ -3389,11 +3389,10 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ) { - static const uint16_t secp256r1_tls_id = 23; static const unsigned char ecdh_param_hdr[] = { MBEDTLS_ECP_TLS_NAMED_CURVE, - ( secp256r1_tls_id >> 8 ) & 0xFF, - ( secp256r1_tls_id >> 0 ) & 0xFF, + 0 /* high bits of secp256r1 TLS ID */, + 23 /* low bits of secp256r1 TLS ID */, 2 * NUM_ECC_BYTES + 1, 0x04 /* Uncompressed */ }; From 19bf09ee928fe3dab2984af198be07635494722a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 25 Jul 2019 09:45:50 +0100 Subject: [PATCH 22/24] Remove standalone tinyCrypt tests from all.sh tinyCrypt is still tested in the baremetal tests since it is enabled in baremetal.h. Tests for minimal modifictions of the default / full config enabling tinyCrypt will be added elsewhere. --- tests/scripts/all.sh | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2415cdd60..fe46b28cc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1266,19 +1266,6 @@ component_test_no_64bit_multiplication () { make test } -component_build_tinycrypt_cmake () { - msg "build: tinycrypt native, cmake" - scripts/config.pl set MBEDTLS_USE_TINYCRYPT - CC=gcc cmake . - make -} - -component_build_tinycrypt_make () { - msg "build: tinycrypt native, make" - scripts/config.pl set MBEDTLS_USE_TINYCRYPT - make CC=gcc CFLAGS='-Werror -O1' -} - component_test_no_x509_info () { msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s scripts/config.pl full 
@@ -1355,15 +1342,6 @@ component_test_baremetal () { if_build_succeeded tests/ssl-opt.sh --filter "^Default, DTLS$" } -component_build_armcc_tinycrypt_baremetal () { - msg "build: ARM Compiler 5, make with tinycrypt and baremetal" - scripts/config.pl baremetal - scripts/config.pl set MBEDTLS_USE_TINYCRYPT - - make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib - make clean -} - component_test_allow_sha1 () { msg "build: allow SHA1 in certificates by default" scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES From b4983468e1e32b92a4003804ac33a1df168bb77e Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 31 Jul 2019 14:43:55 +0300 Subject: [PATCH 23/24] Add documentation for MBEDTLS_USE_TINYCRYPT Add documentation about requiring the usage of a single EC and an external RNG-function. --- include/mbedtls/config.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 96413f850..d437ba02d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2536,6 +2536,15 @@ * BSD, and can be found at https://github.com/intel/tinycrypt - this option * only enables the ECC modules from TinyCrypt. * + * Requires: MBEDTLS_SSL_CONF_RNG + * MBEDTLS_SSL_CONF_SINGLE_EC + * MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID == 23 + * MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID == MBEDTLS_ECP_DP_SECP256R1 + * + * \see MBEDTLS_SSL_CONF_RNG + * + * \see MBEDTLS_SSL_CONF_SINGLE_EC + * * Module: tinycrypt/ecc.c * tinycrypt/ecc_dh.c * tinycrypt/ecc_dsa.c From 3a33679ab1fb3d761a6ed121a90a9346bf564877 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 12 Aug 2019 15:25:14 +0100 Subject: [PATCH 24/24] Fix style issue in ssl_internal.h --- include/mbedtls/ssl_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index b6228d3a2..563801f70 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
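Review bot: The new Requires list in config.h states the configuration prerequisites but not the functional limits that follow from them: with tinyCrypt standing in for MBEDTLS_ECDH_C only the ECDHE-RSA and ECDHE-ECDSA exchanges are served, only over secp256r1, and only with uncompressed points. A line such as `* Note: tinyCrypt provides ECDHE for ECDHE-RSA/ECDHE-ECDSA over secp256r1 only; other ECDH-based key exchanges still require MBEDTLS_ECDH_C.` under the Requires block would tell integrators what they give up before they hit the `#error`s in check_config.h. Whether ECDHE-PSK and static ECDH remain usable alongside tinyCrypt is not shown here, so confirm before wording it.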
@@ -388,7 +388,7 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_ECDH_C) || \ defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_USE_TINYCRYPT) || \ + defined(MBEDTLS_USE_TINYCRYPT) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) uint16_t curve_tls_id; /*!< TLS ID of EC for ECDHE. */ #endif