Merge pull request Mbed-TLS#6482 from ronald-cron-arm/tls13-misc

hannestschofenig · Nov 29, 2022 · 71d7ad0 · 71d7ad0
2 parents 302c6cf + 04e2133
commit 71d7ad0
Show file tree

Hide file tree

Showing 14 changed files with 267 additions and 831 deletions.
diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt
@@ -0,0 +1,9 @@
+Features
+   * Mbed TLS supports TLS 1.3 key establishment via pre-shared keys,
+     pre-shared keys provisioned externally or via the ticket mechanism
+     (session resumption).
+     The MBEDTLS_SSL_SESSION_TICKETS configuration option controls the support
+     for the ticket mechanism.
+     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED configuration options
+     have been introduced to control the support for the three possible
+     TLS 1.3 key exchange modes.
diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
@@ -28,9 +28,12 @@ Support description
 
   - Mbed TLS does not support DHE key establishment.
 
-  - Mbed TLS does not support pre-shared keys, including any form of
-    session resumption. This implies that it does not support sending early
-    data (0-RTT data).
+  - Mbed TLS supports pre-shared keys for key establishment, pre-shared keys
+    provisioned externally as well as provisioned via the ticket mechanism.
+
+  - Mbed TLS supports session resumption via the ticket mechanism.
+
+  - Mbed TLS does not support sending or receiving early data (0-RTT data).
 
 - Supported cipher suites: depends on the library configuration. Potentially
   all of them:
@@ -54,8 +57,8 @@ Support description
   | server_certificate_type      | no      |
   | padding                      | no      |
   | key_share                    | YES     |
-  | pre_shared_key               | no      |
-  | psk_key_exchange_modes       | no      |
+  | pre_shared_key               | YES     |
+  | psk_key_exchange_modes       | YES     |
   | early_data                   | no      |
   | cookie                       | no      |
   | supported_versions           | YES     |
@@ -118,7 +121,7 @@ Support description
   | MBEDTLS_SSL_RENEGOTIATION                | n/a     |
   | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH          | no      |
   |                                          |         |
-  | MBEDTLS_SSL_SESSION_TICKETS              | no      |
+  | MBEDTLS_SSL_SESSION_TICKETS              | yes     |
   | MBEDTLS_SSL_SERVER_NAME_INDICATION       | yes     |
   | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH       | no      |
   |                                          |         |
@@ -175,8 +178,7 @@ Prototype upstreaming status
 
 The following parts of the TLS 1.3 prototype remain to be upstreamed:
 
-- Pre-shared keys, session resumption and 0-RTT data (both client and server
-  side).
+- Sending (client) and receiving (server) early data (0-RTT data).
 
 - New TLS Message Processing Stack (MPS)
 

diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h
@@ -1,6 +1,7 @@
 /**
  *  Constant-time functions
- *
+ */
+/*
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0
  *

diff --git a/include/mbedtls/legacy_or_psa.h b/include/mbedtls/legacy_or_psa.h
@@ -1,7 +1,10 @@
 /**
  *  Macros to express dependencies for code and tests that may use either the
- *  legacy API or PSA in various builds; mostly for internal use.
- *
+ *  legacy API or PSA in various builds. This whole header file is currently
+ *  for internal use only and both the header file and the macros it defines
+ *  may change or be removed without notice.
+ */
+/*
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0
  *

diff --git a/library/bignum.c b/library/bignum.c
@@ -867,8 +867,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
 int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    size_t i, j;
-    mbedtls_mpi_uint *o, *p, c, tmp;
+    size_t j;
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( A != NULL );
     MPI_VALIDATE_RET( B != NULL );
@@ -882,7 +881,7 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
         MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
 
     /*
-     * X should always be positive as a result of unsigned additions.
+     * X must always be positive as a result of unsigned additions.
      */
     X->s = 1;
 
@@ -892,27 +891,25 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
 
-    o = B->p; p = X->p; c = 0;
+    /* j is the number of non-zero limbs of B. Add those to X. */
 
-    /*
-     * tmp is used because it might happen that p == o
-     */
-    for( i = 0; i < j; i++, o++, p++ )
-    {
-        tmp= *o;
-        *p +=  c; c  = ( *p <  c );
-        *p += tmp; c += ( *p < tmp );
-    }
+    mbedtls_mpi_uint *p = X->p;
+
+    mbedtls_mpi_uint c = mbedtls_mpi_core_add( p, p, B->p, j );
+
+    p += j;
+
+    /* Now propagate any carry */
 
     while( c != 0 )
     {
-        if( i >= X->n )
+        if( j >= X->n )
         {
-            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
-            p = X->p + i;
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j + 1 ) );
+            p = X->p + j;
         }
 
-        *p += c; c = ( *p < c ); i++; p++;
+        *p += c; c = ( *p < c ); j++; p++;
     }
 
 cleanup:

diff --git a/library/bignum_core.c b/library/bignum_core.c
@@ -316,8 +316,6 @@ int mbedtls_mpi_core_write_be( const mbedtls_mpi_uint *X,
     return( 0 );
 }
 
-
-
 void mbedtls_mpi_core_shift_r( mbedtls_mpi_uint *X, size_t limbs,
                                size_t count )
 {
@@ -360,7 +358,24 @@ void mbedtls_mpi_core_shift_r( mbedtls_mpi_uint *X, size_t limbs,
     }
 }
 
+mbedtls_mpi_uint mbedtls_mpi_core_add( mbedtls_mpi_uint *X,
+                                       const mbedtls_mpi_uint *A,
+                                       const mbedtls_mpi_uint *B,
+                                       size_t limbs )
+{
+    mbedtls_mpi_uint c = 0;
+
+    for( size_t i = 0; i < limbs; i++ )
+    {
+        mbedtls_mpi_uint t = c + A[i];
+        c = ( t < A[i] );
+        t += B[i];
+        c += ( t < B[i] );
+        X[i] = t;
+    }
 
+    return( c );
+}
 
 mbedtls_mpi_uint mbedtls_mpi_core_add_if( mbedtls_mpi_uint *X,
                                           const mbedtls_mpi_uint *A,

diff --git a/library/bignum_core.h b/library/bignum_core.h
@@ -277,6 +277,28 @@ int mbedtls_mpi_core_write_be( const mbedtls_mpi_uint *A,
 void mbedtls_mpi_core_shift_r( mbedtls_mpi_uint *X, size_t limbs,
                                size_t count );
 
+/**
+ * \brief Add two fixed-size large unsigned integers, returning the carry.
+ *
+ * Calculates `A + B` where `A` and `B` have the same size.
+ *
+ * This function operates modulo `2^(biL*limbs)` and returns the carry
+ * (1 if there was a wraparound, and 0 otherwise).
+ *
+ * \p X may be aliased to \p A or \p B.
+ *
+ * \param[out] X    The result of the addition.
+ * \param[in] A     Little-endian presentation of the left operand.
+ * \param[in] B     Little-endian presentation of the right operand.
+ * \param limbs     Number of limbs of \p X, \p A and \p B.
+ *
+ * \return          1 if `A + B >= 2^(biL*limbs)`, 0 otherwise.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_add( mbedtls_mpi_uint *X,
+                                       const mbedtls_mpi_uint *A,
+                                       const mbedtls_mpi_uint *B,
+                                       size_t limbs );
+
 /**
  * \brief Conditional addition of two fixed-size large unsigned integers,
  *        returning the carry.

diff --git a/library/ecp.c b/library/ecp.c
@@ -2461,7 +2461,7 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
 
     /* Loop invariant: R = result so far, RP = R + P */
-    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
     while( i-- > 0 )
     {
         b = mbedtls_mpi_get_bit( m, i );

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
@@ -654,20 +654,20 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
      */
     p += 5;
 
-    if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
+    if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
     {
-        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
+        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
         ke_modes_len++;
 
-        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
     }
 
-    if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
+    if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
     {
-        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
+        *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
         ke_modes_len++;
 
-        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
     }
 
     /* Now write the extension and ke_modes length */

diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
@@ -144,12 +144,12 @@ def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
             yield cls(a_value, b_value, 32).create_test_case()
             yield cls(a_value, b_value, 64).create_test_case()
 
-class BignumCoreAddIf(BignumCoreOperationArchSplit):
-    """Test cases for bignum core add if."""
+class BignumCoreAddAndAddIf(BignumCoreOperationArchSplit):
+    """Test cases for bignum core add and add-if."""
     count = 0
     symbol = "+"
-    test_function = "mpi_core_add_if"
-    test_name = "mbedtls_mpi_core_add_if"
+    test_function = "mpi_core_add_and_add_if"
+    test_name = "mpi_core_add_and_add_if"
 
     def result(self) -> List[str]:
         result = self.int_a + self.int_b