ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-05-10 00:49:04 +08:00
Code Issues Releases Wiki Activity

Merge pull request #9938 from bjwtaylor/ssl-ticket-api

Browse Source 
Move ssl_ticket to the PSA API
This commit is contained in:
David Horstmann 2025-02-05 10:41:09 +00:00 committed by GitHub
commit be658c47c8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 81 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.d/9874.txt Normal file
View File

@ -0,0 +1,5 @@
API changes
* Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API.
Instead of taking a mbedtls_cipher_type_t as an argument, this function
now takes 3 new arguments: a PSA algorithm, key type and key size, to
specify the AEAD for ticket protection.

8
include/mbedtls/ssl_ticket.h
View File

@ -20,7 +20,6 @@
*/ */
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/cipher.h"
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h" #include "mbedtls/platform_time.h"
@ -93,8 +92,9 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
* \param ctx Context to be set up * \param ctx Context to be set up
* \param f_rng RNG callback function (mandatory) * \param f_rng RNG callback function (mandatory)
* \param p_rng RNG callback context * \param p_rng RNG callback context
* \param cipher AEAD cipher to use for ticket protection. * \param alg AEAD cipher to use for ticket protection.
* Recommended value: MBEDTLS_CIPHER_AES_256_GCM. * \param key_type Cryptographic key type to use.
* \param key_bits Cryptographic key size to use in bits.
* \param lifetime Tickets lifetime in seconds * \param lifetime Tickets lifetime in seconds
* Recommended value: 86400 (one day). * Recommended value: 86400 (one day).
* *
@ -117,7 +117,7 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
*/ */
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher, psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime); uint32_t lifetime);
/** /**

11
library/ssl_ticket.c
View File

@ -186,19 +186,10 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
*/ */
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx, int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher, psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime) uint32_t lifetime)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t key_bits;
psa_algorithm_t alg;
psa_key_type_t key_type;
if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
&alg, &key_type, &key_bits) != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
if (PSA_ALG_IS_AEAD(alg) == 0) { if (PSA_ALG_IS_AEAD(alg) == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

11
programs/fuzz/fuzz_server.c
View File

@ -131,10 +131,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
#endif #endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
if (options & 0x4) { if (options & 0x4) {
if (mbedtls_ssl_ticket_setup(&ticket_ctx, if (mbedtls_ssl_ticket_setup(&ticket_ctx, //context
dummy_random, &ctr_drbg, dummy_random, //f_rng
MBEDTLS_CIPHER_AES_256_GCM, &ctr_drbg, //p_rng
86400) != 0) { PSA_ALG_GCM, //alg
PSA_KEY_TYPE_AES, //key_type
256, //key_bits
86400) != 0) { //lifetime
goto exit; goto exit;
} }

88
programs/ssl/ssl_server2.c
View File

@ -115,7 +115,9 @@ int main(void)
#define DFL_DUMMY_TICKET 0 #define DFL_DUMMY_TICKET 0
#define DFL_TICKET_ROTATE 0 #define DFL_TICKET_ROTATE 0
#define DFL_TICKET_TIMEOUT 86400 #define DFL_TICKET_TIMEOUT 86400
#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM #define DFL_TICKET_ALG PSA_ALG_GCM
#define DFL_TICKET_KEY_TYPE PSA_KEY_TYPE_AES
#define DFL_TICKET_KEY_BITS 256
#define DFL_CACHE_MAX -1 #define DFL_CACHE_MAX -1
#define DFL_CACHE_TIMEOUT -1 #define DFL_CACHE_TIMEOUT -1
#define DFL_CACHE_REMOVE 0 #define DFL_CACHE_REMOVE 0
@ -661,7 +663,9 @@ struct options {
int dummy_ticket; /* enable / disable dummy ticket generator */ int dummy_ticket; /* enable / disable dummy ticket generator */
int ticket_rotate; /* session ticket rotate (code coverage) */ int ticket_rotate; /* session ticket rotate (code coverage) */
int ticket_timeout; /* session ticket lifetime */ int ticket_timeout; /* session ticket lifetime */
int ticket_aead; /* session ticket protection */ int ticket_alg; /* session ticket algorithm */
int ticket_key_type; /* session ticket key type */
int ticket_key_bits; /* session ticket key size in bits */
int cache_max; /* max number of session cache entries */ int cache_max; /* max number of session cache entries */
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
int cache_timeout; /* expiration delay of session cache entries*/ int cache_timeout; /* expiration delay of session cache entries*/
@ -1472,38 +1476,71 @@ static int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
static int parse_cipher(char *buf) static int parse_cipher(char *buf)
{ {
int ret = 0;
if (strcmp(buf, "AES-128-CCM")) { if (strcmp(buf, "AES-128-CCM")) {
return MBEDTLS_CIPHER_AES_128_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_AES;
opt.ticket_key_bits = 128;
} else if (strcmp(buf, "AES-128-GCM")) { } else if (strcmp(buf, "AES-128-GCM")) {
return MBEDTLS_CIPHER_AES_128_GCM; opt.ticket_alg = PSA_ALG_GCM;
opt.ticket_key_type = PSA_KEY_TYPE_AES;
opt.ticket_key_bits = 128;
} else if (strcmp(buf, "AES-192-CCM")) { } else if (strcmp(buf, "AES-192-CCM")) {
return MBEDTLS_CIPHER_AES_192_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_AES;
opt.ticket_key_bits = 192;
} else if (strcmp(buf, "AES-192-GCM")) { } else if (strcmp(buf, "AES-192-GCM")) {
return MBEDTLS_CIPHER_AES_192_GCM; opt.ticket_alg = PSA_ALG_GCM;
opt.ticket_key_type = PSA_KEY_TYPE_AES;
opt.ticket_key_bits = 192;
} else if (strcmp(buf, "AES-256-CCM")) { } else if (strcmp(buf, "AES-256-CCM")) {
return MBEDTLS_CIPHER_AES_256_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_AES;
opt.ticket_key_bits = 256;
} else if (strcmp(buf, "ARIA-128-CCM")) { } else if (strcmp(buf, "ARIA-128-CCM")) {
return MBEDTLS_CIPHER_ARIA_128_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 128;
} else if (strcmp(buf, "ARIA-128-GCM")) { } else if (strcmp(buf, "ARIA-128-GCM")) {
return MBEDTLS_CIPHER_ARIA_128_GCM; opt.ticket_alg = PSA_ALG_GCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 128;
} else if (strcmp(buf, "ARIA-192-CCM")) { } else if (strcmp(buf, "ARIA-192-CCM")) {
return MBEDTLS_CIPHER_ARIA_192_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 192;
} else if (strcmp(buf, "ARIA-192-GCM")) { } else if (strcmp(buf, "ARIA-192-GCM")) {
return MBEDTLS_CIPHER_ARIA_192_GCM; opt.ticket_alg = PSA_ALG_GCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 192;
} else if (strcmp(buf, "ARIA-256-CCM")) { } else if (strcmp(buf, "ARIA-256-CCM")) {
return MBEDTLS_CIPHER_ARIA_256_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 256;
} else if (strcmp(buf, "ARIA-256-GCM")) { } else if (strcmp(buf, "ARIA-256-GCM")) {
return MBEDTLS_CIPHER_ARIA_256_GCM; opt.ticket_alg = PSA_ALG_GCM;
opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
opt.ticket_key_bits = 256;
} else if (strcmp(buf, "CAMELLIA-128-CCM")) { } else if (strcmp(buf, "CAMELLIA-128-CCM")) {
return MBEDTLS_CIPHER_CAMELLIA_128_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
opt.ticket_key_bits = 128;
} else if (strcmp(buf, "CAMELLIA-192-CCM")) { } else if (strcmp(buf, "CAMELLIA-192-CCM")) {
return MBEDTLS_CIPHER_CAMELLIA_192_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
opt.ticket_key_bits = 192;
} else if (strcmp(buf, "CAMELLIA-256-CCM")) { } else if (strcmp(buf, "CAMELLIA-256-CCM")) {
return MBEDTLS_CIPHER_CAMELLIA_256_CCM; opt.ticket_alg = PSA_ALG_CCM;
opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
opt.ticket_key_bits = 256;
} else if (strcmp(buf, "CHACHA20-POLY1305")) { } else if (strcmp(buf, "CHACHA20-POLY1305")) {
return MBEDTLS_CIPHER_CHACHA20_POLY1305; opt.ticket_alg = PSA_ALG_CHACHA20_POLY1305;
opt.ticket_key_type = PSA_KEY_TYPE_CHACHA20;
opt.ticket_key_bits = 256;
} else {
ret = -1;
} }
return MBEDTLS_CIPHER_NONE; return ret;
} }
int main(int argc, char *argv[]) int main(int argc, char *argv[])
@ -1740,7 +1777,9 @@ int main(int argc, char *argv[])
opt.dummy_ticket = DFL_DUMMY_TICKET; opt.dummy_ticket = DFL_DUMMY_TICKET;
opt.ticket_rotate = DFL_TICKET_ROTATE; opt.ticket_rotate = DFL_TICKET_ROTATE;
opt.ticket_timeout = DFL_TICKET_TIMEOUT; opt.ticket_timeout = DFL_TICKET_TIMEOUT;
opt.ticket_aead = DFL_TICKET_AEAD; opt.ticket_alg = DFL_TICKET_ALG;
opt.ticket_key_type = DFL_TICKET_KEY_TYPE;
opt.ticket_key_bits = DFL_TICKET_KEY_BITS;
opt.cache_max = DFL_CACHE_MAX; opt.cache_max = DFL_CACHE_MAX;
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
opt.cache_timeout = DFL_CACHE_TIMEOUT; opt.cache_timeout = DFL_CACHE_TIMEOUT;
@ -2191,9 +2230,7 @@ usage:
goto usage; goto usage;
} }
} else if (strcmp(p, "ticket_aead") == 0) { } else if (strcmp(p, "ticket_aead") == 0) {
opt.ticket_aead = parse_cipher(q); if (parse_cipher(q) != 0) {
if (opt.ticket_aead == MBEDTLS_CIPHER_NONE) {
goto usage; goto usage;
} }
} else if (strcmp(p, "cache_max") == 0) { } else if (strcmp(p, "cache_max") == 0) {
@ -2963,8 +3000,11 @@ usage:
#endif /* MBEDTLS_HAVE_TIME */ #endif /* MBEDTLS_HAVE_TIME */
{ {
if ((ret = mbedtls_ssl_ticket_setup(&ticket_ctx, if ((ret = mbedtls_ssl_ticket_setup(&ticket_ctx,
rng_get, &rng, rng_get,
opt.ticket_aead, &rng,
opt.ticket_alg,
opt.ticket_key_type,
opt.ticket_key_bits,
opt.ticket_timeout)) != 0) { opt.ticket_timeout)) != 0) {
mbedtls_printf( mbedtls_printf(
" failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n", " failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n",