* Early return since there's nothing to clean up
* Get rid of unnecessary local variable
* Check algorithm validity for MAC in the PSA core instead of in the driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Apparently it was at some point assumed that there would be
support for MAC algorithms with IV, but that hasn't been
implemented yet. Until that time, these context structure
members are superfluous and can be removed.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Typedef'ed structures are suffixed _t
Also updated the initialiser macro with content that actually
matches the structure's content.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Since HMAC moved into its own compilation unit, the internal API needed
to be documented and finalized. This means no more reaching deep into
the operation structure from within the PSA Crypto core. This will make
future refactoring work easier, since internal HMAC is now opaque to the
core.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Step 3/x in moving the driver. Separate commits should make for easier
review.
Additional changes on top of code movement:
* Copied the implementation of safer_memcmp from psa_crypto into
psa_cipher_mac since the mac_verify driver implementation
depends on it, and it isn't available through external linkage
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Step 2/x in moving the driver. Separate commits should make for easier
review.
Additional changes on top of code movement:
* Early-return success on input with zero-length to mac_update, to
avoid NULL pointers getting passed into the driver dispatch
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Step 1/x in moving the driver. Separate commits should make for easier
review.
Additional changes on top of just moving code:
* Added a sanity check on the key buffer size for CMAC.
* Transfered responsibility for resetting the core members of the
PSA MAC operation structure back to the core (from the driver
wrapper layer)
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This is a temporary measure. Other operations in the PSA Core which rely
on this internal HMAC API should be rewritten to use the MAC API instead,
since they can then leverage accelerated HMAC should a platform provide
such acceleration support.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Zephyr's native posix port define _POSIX_C_SOURCE with a higher value
during the build, so when mbedTLS defines it with a different value
breaks the build.
As Zephyr is already defining a higher value is guaranteed that mbedTLS
required features will be available. So, just define it in case it was
not defined before.
[taken from Zephyr mbedtls module:
76dcd6eeca]
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Signed-off-by: David Brown <david.brown@linaro.org>
Move the key buffer size calculation code under
tests to avoid check-names.sh to complain about
"likely macros with typos".
This removes the calculation of key buffer
sizes for the test driver from the wrapper based on
static size data. But the code is still there in test
code to be used when we go back to work on the
generation of the driver wrapper.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Handling the receipt of a handshake record after the initial handshake
requires non-trivial logic depending on the protocol version and the
endpoint. This logic is currently embedded in mbedtls_ssl_read().
With the introduction of support for [D]TLS 1.3, the logic will become
even more complex, since [D]TLS 1.3 drops support for renegotiation --
which in [D]TLS 1.2 is the main purpose of post-handshake handshake
messages -- but instead introduces numerous other post-handshake
handshake messages.
In order to pave the way for those changes, this commit improves
readability and maintainability of mbedtls_ssl_read() by moving
the TLS <=1.2 logic for handling post-handshake handshake messages
into a separate helper function ssl_handle_hs_message_post_handshake().
The logic of the code is entirely unchanged.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The server-side `Certificate` handshake message writer checks
whether a certificate is present, and if not fails with:
```
MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
```
This should never happen, since the library checks the presence
of a suitable certificate before picking a ciphersuite. It is
therefore more suitable to convert this check into an assertion,
and fail with MBEDTLS_ERR_SSL_INTERNAL_ERROR upon failure.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit removes the unused error code
```
MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
```
from the public API for Mbed TLS 3.0.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The error code MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH is only
returned from the internal function
```
mbedtls_ssl_set_calc_verify_md()
```
Moreover, at every call-site of this function, it is only
checked whether the return value is 0 or not, while the
exact return value is irrelevant.
The behavior the library is therefore unchanged if we return 1
instead of MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH in
`mbedtls_ssl_set_calc_verify_md()`. This commit makes this change.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This error is used when the output buffer isn't large enough
to hold our own certificate.
In the interest of cleaning up the error space for 3.0, this commit
removes MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and replaces its single
use by MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The SSL error code MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED is unused.
Remove it for Mbed TLS 3.0.
The code being unused comes as a surprise, at is seems to be
reasonable to report it to the user upon peer CRT verification
failure. However, this study (can potentially re-introduction
of the code) can be left for 3.x, while the error code removal
can only happen in 3.0.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The SSL error code MBEDTLS_ERR_SSL_UNKNOWN_CIPHER is unused.
Remove it for Mbed TLS 3.0 and leave a comment indicating the
gap in the error code space it creates.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
pk_get_pk_alg will either return 0 or a pk error code. This means that
the error code will always be a high level module ID and so we just
return ret.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.
check_config is the only module which enforces that SHA512 is
enabled together with SHA384.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
The new compile-time option MBEDTLS_X509_REMOVE_INFO removes various
X.509 debugging strings and functionality, including
```
mbedtls_x509_crt_verify_info()
```
which ssl_client2.c and ssl_server2.c use to print human readable
descriptions of X.509 verification failure conditions. Those
conditions are also grepped for in numerous ssl-opt.sh tests.
Instead of disabling those tests if MBEDTLS_X509_REMOVE_INFO is set,
this commit essentially moves mbedtls_x509_crt_verify_info() to
ssl_client2.c and ssl_server2.c. However, instead of just copy-pasting
the code from x509_crt.c, the following approach is used:
A macro MBEDTLS_X509_CRT_ERROR_INFO_LIST is introduced which for each
verification failure condition invokes a user-defined macro X509_CRT_ERROR_INFO
with (a) the numerical error code, (b) the string presentation of the
corresponding error macro, (c) the info string for the error condition.
This macro can thus be used to generate code which somehow iterates over
the verifiation failure conditions, but the list of error conditions and
information strings is nowhere duplicated.
This is then used to re-implement mbedtls_x509_crt_verify_info() in
x509_crt.c and to provide a functionally equivalent (yet slightly different)
version in ssl_client2.c and ssl_server2.c in case MBEDTLS_X509_REMOVE_INFO
is set.
This way, little changes to ssl-opt.sh will be necessary in case
MBEDTLS_X509_REMOVE_INFO is set because the info strings for the
verification failure conditions will be printed regardless of whether
MBEDTLS_X509_REMOVE_INFO is set or not.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The introduction of positive options to control the presence
of pre-existing functionality breaks the build for users of
handwritten configurations.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add implementation for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
Merging as it has been ready for four days now and I prefer not having to go through other rebases especially given the coming change of scope of development (3.0 rather than 2.2x).
Improve comments explaining error code checking, fix incorrect comments
and make a small formatting fix.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
* group setting of attributes before calling get_builtin_key
* return early instead of going to exit when no resources are allocated yet
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The GCM interface now has separate functions to start the operation
and to pass the associated data.
This is in preparation for allowing the associated data to be passed
in chunks with repeatated calls to mbedtls_gcm_update_ad().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alternative implementations of GCM may delay the output of partial
blocks from mbedtls_gcm_update(). Add an output length parameter to
mbedtls_gcm_update() to allow such implementations to delay the output
of partial blocks. With the software implementation, there is no such
delay.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alternative implementations of GCM may delay the output of partial
blocks from mbedtls_gcm_update(). Add an output parameter to
mbedtls_gcm_finish() to allow such implementations to pass the final
partial block back to the caller. With the software implementation,
this final output is always empty.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_gcm_update now accepts inputs of arbitrary size. There is no
longer a requirement that all calls except the last one pass a
multiple of 16 bytes.
This commit updates the library code and adjusts the GCM tests to
exercise arbitrarily aligned input sizes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Leverage the fact that the get_builtin_key entrypoint returns a key's
attributes, such that a proper size for the builtin key's buffer can
be calculated through the driver's get_key_buffer_size hook.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Since the loading attempt of a builtin key might be followed by trying
to load a persistent key, we can only wipe the allocated key data, not
the associated metadata.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The macro always meant 'location', but was mistakenly named 'lifetime'.
Naming it location instead makes much more sense, and drives home the
conceptual differences between location and lifetime values.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Instead of the full attributes struct, it now only takes/returns what it
actually needs to.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Builtin key support for the test driver is always compiled in, and no
longer guarded by MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.
Parsing the key slot from the buffer by cast and assign instead of memcmp.
For exporting keys, the test driver no longer reaches into the key
identifier in order to check whether a key is builtin, but rather
assumes so based on the key buffer length. It's the driver's
responsibility to be able to detect the key material it returned as part
of the get_builtin_key operation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
As part of test_psa_crypto_drivers, define a builtin symmetric
plus an ECC key on the test driver lifetime.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This reverts commit c75d9f589b.
This was merged by mistake in development instead of development_3.0.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This reverts commit 48f6d0d6e5.
This was merged by mistake in development instead of development_3.0.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This reverts commit 9a86843470.
This was merged by mistake in development instead of development_3.0.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
An incorrect error code addition was spotted by the new invasive testing
infrastructure whereby pk_get_pk_alg will always return a high level
error or zero and pk_parse_key_pkcs8_unencrypted_der will try to add
another high level error, resulting in a garbage error code.
Apply the same fix from ae3741e8a to fix the bug.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Replace all occurences of error code addition in the library with the new
MBEDTLS_ERROR_ADD macro.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
This commit improves the readability of the SSL session cache
reference implementation of mbedtls_ssl_cache_set() by moving
the logic for finding a suitable free slot for the session to
store into a static helper function.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Session-ID based session resumption requires that the resumed session
is consistent with the client's ClientHello in terms of choice of
ciphersuite and choice of compression.
This check was previously assumed to be performed in the session cache
implementation, which seems wrong: The session cache should be an id-based
lookup only, and protocol specific checks should be left to Mbed TLS.
This commit
- adds an explicit ciphersuite and compression consistency check after
the SSL session cache has been queried
- removes the ciphersuite and compression consistency check from
Mbed TLS' session cache reference implementation.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Add a missing guard for the definition and declaration of
mbedtls_test_hook_error_add.
Also make the declaration always visible when MBEDTLS_TEST_HOOKS is
enabled. This fixes an issue when MBEDTLS_ERROR_C is not defined but
MBEDTLS_TEST_HOOKS is.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix unused parameter warnings when MBEDTLS_TEST_HOOKS is not enabled.
A few issues were caught by check-names.sh namely:
- mbedtls_error_add was not capitalised.
- mbedtls_test_hook_error_add was being defined multiple times as the
definition was in a header.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
The previous implementation of the error addition interface did not comply
with the invasive testing architecture guidelines. This commit fixes that
by:
- Renaming functions/macros/variables to follow the mbedtls_error_xxx or
mbedtls_test_hook_xxx convention.
- Making mbedtls_test_hook_error_add a global variable that can be set
by the testing code.
- Using a static inline function call, as opposed to macro, to keep
discrepancies between debug and production version to a minimum.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Change the signature of the `hook` parameter of `mbedtls_set_err_add_hook`
to use the actual signature of the function as opposed to `void *`. This
fixes a warning when compiling with clang `-pedantic`.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
`error.c` and error.h are the more logical place to keep this code and it
prevents issues with building `common.c` and conflicts with other projects
that use mbedtls (such as mbedOS).
`error.c` has been automatically generated by first adding the code to
`error.fmt` and then running `./scripts/generate_errors.pl`.
Also add parenthesis to the addition in `MBEDTLS_ERR_ADD`.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix building by adding `common.c` to the build scripts (both make and Cmake).
Also reworks the hook function pointer (also renamed to `err_add_hook`) to be
a static local to `common.c` with a setter function to set the pointer to a
checking function.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
`error.c` is a file generated from `error.h` and thus cannot contain the code
that was previously added. This commit fixes that issue by moving the
`MBEDTLS_ERR_ADD` macro and associated function and function pointer into
`common.h` and `common.c`.
Also fix a typo in `tests/include/test/helpers.h` where tabs were accidentally
used instead of spaces.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
All occurences of manual error code addition/combination, in `rsa.c`, have
been replaced with the `MBEDTLS_ERR_ADD` macro.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Adds a macro (`MBEDTLS_ERR_ADD`) to add error codes together and check that the
result will not be corrupted. This additional check is only enabled during
testing when `MBEDTLS_TEST_HOOKS` is defined.
Also includes a reference usage example in `rsa.c` where two high-level error
codes could be incorrectly added together under the right conditions. This now
ensures that when this error occurs during testing it will be correctly
reported.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Corresponds better to the validation done in other modules of PSA Crypto.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Capitalise the MPS trace macros, as per the coding style (and make a slight
change to naming convention to avoid a name collision).
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
As we want to do Mbed TLS aead operations as a
driver does, aead operations should not access
the key slot as key slots are not available to
drivers.
Second step in this PR: do not unlock the key slot
as part of operation abort.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
As we want to do Mbed TLS aead operations as a
driver does, aead operations should not access
the key slot as key slots are not available to
drivers.
First step in this PR: move key resolution from
aead operation setup to psa_aead_encrypt/decrypt
APIs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix the subtraction in fix_negative, which was incorrectly not looking
for a carry. This caused the result to be wrong when the least
significant limb of N was 0. Fix#4296.
The bug was introduced by d10e8fae9e
"Optimize fix_negative". Thanks to Philippe Antoine (catenacyber) for
reporting the bug which was found by his EC differential fuzzer.
Credit to OSS-Fuzz.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This header file will contain declarations of functions that are not
part of the public ABI/API, and must not be called from other modules,
but can be called from unit tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move the handling of the sign out of the base-specific loops. This
both simplifies the code, and corrects an edge case: the code in the
non-hexadecimal case depended on mbedtls_mpi_mul_int() preserving the
sign bit when multiplying a "negative zero" MPI by an integer, which
used to be the case but stopped with PR #2512.
Fix#4295. Thanks to Guido Vranken for analyzing the cause of the bug.
Credit to OSS-Fuzz.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
