The code will make the decision based on availability of MD, not of
MD+this_hash. The later would only be possible at runtime (the hash
isn't known until then, that's the whole point of MD), so we'd need to
have both MD-based and PSA-based code paths in a single build, which
would have a very negative impact on code size. So, instead, we choose
based on the presence of MD, which is know at compile time, so we only
have one of the two code paths in each build.
Adjust the macros so that they match the logic of the code using them.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Previously the whole .function file had a global dependency on
MBEDTLS_SHA1_C. This hasn't been correct for a long time:
- on principle, dependency declarations in .function files are for
compile-time dependencies;
- in practice, a number of test cases do not depend on SHA-1, as they only
use SHA-256 or SHA-512 - those cases should not be skipped in builds
without SHA-1;
- this was "taken advantage of" to skip dependency declarations for
test cases that only depended on SHA-1.
The previous commit removed the global dependency on SHA1_C; as a result
the test cases that actually depend on SHA-1 were not skipped in builds
without SHA-1. This commit fixes that by adding dependency declarations
where they belong: in the .data file.
All cases compute hashes using MD is available, or PSA otherwise; so
MD_OR_PSA is appropriate here.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
sed -i -f md_or_psa_hash.sed \
tests/suites/test_suite_pkcs1_v21.data
tests/suites/test_suite_pk.data
with md_or_psa_hash.sed containing:
s/MBEDTLS_MD5_C/MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA/g
s/MBEDTLS_RIPEMD160_C/MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA/g
s/MBEDTLS_SHA1_C/MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA/g
s/MBEDTLS_SHA224_C/MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA/g
s/MBEDTLS_SHA256_C/MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA/g
s/MBEDTLS_SHA384_C/MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA/g
s/MBEDTLS_SHA512_C/MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA/g
(The only lines in pk.data that still had old-style dependencies where
the ones about PKCS1_V21.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Previously MD_C was auto-enabled based on the fact that ALG_RSA_PSS was
requested, but that's no longer the case since the previous commit.
We can fix this in one of two ways: either enable MD_C, or enable all
the PSA_WANT_ALG_SHA_xxx that are needed for test. Go for MD_C because
it's a single line and avoids having to enumerate a list that might grow
in the future.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Test coverage not there yet, as the entire test_suite_pkcs1_v21 is
skipped so far - dependencies to be adjusted in a future commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This allows callers not to worry with md_info and makes it easier to
provide a PSA version for when MD_C is not available.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This will also make it easier to provide a PSA-based version for when MD
is not available.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Some of them no longer need md_ctx, some of those no longer need the
exit dance that was used to free it, or need it on a smaller scope.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is a first step towards making a version of this function that
uses PSA when MD is not available.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Since 11e9310 add mbedtls_aes_init call in mbedtls_ctr_drbg_init, it
should not init aes_ctx again in mbedtls_ctr_drbg_seed.
Signed-off-by: kXuan <kxuanobj@gmail.com>
Internal macros are not present as symbols, visible or usable outside
the compilation unit and it is safe to allow them to have a name without
namespace prefix.
We also allow them to start with lower case letters as some of our
internal macros already have names like that.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Application may enabled AES_ALT and define mbedtls_aes_context by its own.
The initial state of user-defined mbedtls_aes_context may not all byte zero.
In mbedtls_ctr_drbg_init, the code set all byte to zero, including the AES
context nested in the ctr_drbg context.
And in mbedtls_ctr_drbg_free, the code calls mbedtls_aes_free on an AES
context without calling mbedtls_aes_init.
If user-defined AES context requires an non-zero init, the mbedtls_aes_free
call in mbedtls_ctr_drbg_free is illegal.
This patch fix this issue by add mbedtls_aes_init in mbedtls_ctr_drbg_init.
So aes context will always be initialized to correct state.
Signed-off-by: kXuan <kxuanobj@gmail.com>
Looking at the bigger picture it is clear that if `ssl->session` is NULL,
there will be a failure much earlier, and that is well protected from,
however, the practice of dereferencing a pointer which has not been
verified in prior for validity goes against secure coding practices.
Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
Extract functions declared in bignum_mod.h into a source file with a
matching name.
We are doing this because:
- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
easier
- Having them in a unified source file is a premature optimisation at
this point
This makes library/bignum_new.c empty and therefore it is deleted.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Extract functions declared in bignum_mod_raw.h into a source file with a
matching name.
We are doing this because:
- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
easier
- Having them in a unified source file is a premature optimisation at
this point
Signed-off-by: Janos Follath <janos.follath@arm.com>
Extract functions declared in bignum_core.h into a source file with a
matching name.
We are doing this because:
- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
easier
- Having them in a unified source file is a premature optimisation at
this point
Signed-off-by: Janos Follath <janos.follath@arm.com>
Tests function with various ECP point conditions, covering freshly
initialized, zeroed, non-zero, and freed points.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
When USE_PSA_INIT() failed because lack of seedfile, mbedtls_x509write_csr_free()
crashed when called on an unitialized mbedtls_x509write_csr struct.
This moves mbedtls_x509write_csr_init before calling USE_PSA_INIT(),
which could probably fail, and uses the same flow in x509_csr_check()
and x509_csr_check_opaque().
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This reverts commit 62c5901f0a5061a8825e19c77f88c91fea235078.
Reverting commit due the macros are meant to be local and not following the
naming convention.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Unfortunately reusing the new function from the signed constant time
comparison is not trivial.
One option would be to do temporary conditional swaps which would prevent
qualifying input to const. Another way would be to add an additional
flag for the sign and make it an integral part of the computation, which
would defeat the purpose of having an unsigned core comparison.
Going with two separate function for now and the signed version can be
retired/compiled out with the legacy API eventually.
The new function in theory could be placed into either
`library/constant_time.c` or `library/bignum_new.c`. Going with the
first as the other functions in the second are not constant time yet and
this distinction seems more valuable for new (as opposed to belonging to
the `_core` functions.
Signed-off-by: Janos Follath <janos.follath@arm.com>
- We don't check for NULL pointers this deep in the library
- Accessing a NULL pointer when the limb number is 0 as a mistake is the
very similar to any other out of bounds access
- We could potentially mandate at least 1 limb representation for 0 but
we either would need to enforce it or the implementation would be less
robust.
- Allowing zero limb representation - (NULL, 0) in particular - for zero
is present in the legacy interface, if we disallow it, the
compatibility code will need to deal with this (more code size and
opportunities for mistakes)
In summary, interpreting (NULL, 0) as the number zero in the core
interface is the least of the two evils.
Signed-off-by: Janos Follath <janos.follath@arm.com>