Commit graph

14806 commits

Author SHA1 Message Date
Gilles Peskine
32e584c38a Copyediting and minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:29 +01:00
Gilles Peskine
3ff79066b1 Note an interrogation about integer value representation
Especially 0 values may need special treatment since they can't be
used as an array size.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:29 +01:00
Gilles Peskine
6a530e8d26 Random driver: make initial_entropy_size mandatory
If a random driver has a built-in entropy source and doesn't need an
external entropy source, make the driver author declare this
explicitly, rather than it being a less secure default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:22 +01:00
Gilles Peskine
ee914f34fa Minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:14 +01:00
Gilles Peskine
609394c1cf Open question: can there be multiple RNG instances?
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:06 +01:00
Gilles Peskine
8d5092c11f get_random: no output on error
The get_random entry point was allowed to return partial data on both
PSA_SUCCESS and PSA_ERROR_INSUFFICIENT_ENTROPY, but there was no
meaningful difference between the two. Keep it simple: PSA_SUCCESS is
success but can be partial, and PSA_ERROR_INSUFFICIENT_ENTROPY is an
error with no output.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:56 +01:00
Gilles Peskine
1ef6ad48d1 Note that I'm not completly sure about the get_entropy flags
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:45 +01:00
Gilles Peskine
3eb65fbba6 Open question: should add_entropy take an estimated_entropy_bits parameter?
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:45 +01:00
Gilles Peskine
b89b4b9025 get_entropy: recommendations on conditioning and entropy estimates
Explicitly recommend that the driver accounts for environmental
conditions that can affect the amount of entropy.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:36 +01:00
Gilles Peskine
05ab2646a3 get_entropy: recommendations on the output_size
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:36 +01:00
Gilles Peskine
a14326f054 Make add_entropy optional
A random generation driver does not need to support entropy injection.
This will limit it to platforms where the RNG peripheral is the sole
entropy source and without an RNG seed saved into persistent storage.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:27 +01:00
Gilles Peskine
390c5a2c6f It is not meaningful for reseed_entropy_size to be 0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:19 +01:00
Gilles Peskine
0e3b7ced4c Don't require a call to add_entropy when 0 bytes are needed
If an RNG peripheral includes an entropy source, it would presumably
declare "initial_entropy_size" and "reseed_entropy_size" to be 0. In
this case, don't require the core to call "add_entropy".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:10 +01:00
Gilles Peskine
5263e1ecdd Transparent drivers can have get_entropy as well
The `get_entropy` entry point can be provided by multiple transparent
drivers, and the core will call all of them. But apart from that,
`get_entropy` doesn't involve an opaque key or a location, so it can
be in a transparent driver.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:46:58 +01:00
Gilles Peskine
e80978a260 Specification for random generation and entropy drivers
Transparent drivers may provide a DRBG interface through "add_entropy"
and "get_random" entry points. This interface may also be used with a
non-deterministic generator, for chips that include a TRNG.

Opaque driver may provide a "get_entropy" entry point.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:46:42 +01:00
Gilles Peskine
1fc4c8d11b Let get_builtin_key be called to retrieve the key's attributes
Allow the core to call the "get_builtin_key" entry point to retrieve
the attributes of a built-in key. This is useful to implement
psa_get_key_attributes(), and also when the key data buffer's size
depends on the key type and size.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:41:50 +01:00
Paul Elliott
557b8d663a Remove Extraneous bytes from buffer post pem write
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 17:29:42 +00:00
Gilles Peskine
a6454d2820 Minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 17:01:52 +01:00
Gilles Peskine
48d71f2aa4 New entry point get_builtin_key for opaque drivers
Allow opaque drivers to expose keys that were not created through the
PSA API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 17:01:37 +01:00
Gilles Peskine
51977355dc Remove the time stamp
Having a time stamp identifying each revision of the document is
useful, but it's also a pain because it creates a conflict whenever
there are multiple pending changes at the same time. The gain isn't
worth the pain, so I'm removing the time stamp.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 17:01:17 +01:00
Gilles Peskine
450dbd6d2d
Merge pull request #785 from gilles-peskine-arm/cipher-nist_kw-changelog
NIST_KW in cipher: credit the reporter
2020-12-07 14:47:48 +01:00
Ronald Cron
771090659e
Merge pull request #3393 from geecrypt/development
Support set *_drbg reseed interval before seed
2020-12-07 14:29:52 +01:00
Gilles Peskine
22a191199d NIST_KW in cipher: credit the reporter
This issue was found by Guido Vranken's Cryptofuzz running on the
OSS-Fuzz platform.

Fix #3665

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 14:26:07 +01:00
Janos Follath
3aae5d4ed7
Merge pull request #781 from mpg/cipher-auth-crypt-restricted
Fix buffer overflow with NIST-KW in cipher layer
2020-12-07 12:58:36 +00:00
Gilles Peskine
3a0535b465
Merge pull request #3916 from jdurkop/psa-crypto-config-hashes-3672
Add support to crypto config for hashes
2020-12-07 13:50:56 +01:00
Gilles Peskine
d33aabf388
Merge pull request #3942 from gilles-peskine-arm/ecp-bignum-error-checks-development
Add missing some error checks in ECP and bignum
2020-12-07 13:06:47 +01:00
Manuel Pégourié-Gonnard
841b6fa97f Fix unused param warnings in auth_xxcrypt_ext()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 10:42:21 +01:00
Janos Follath
7973e2b358
Merge pull request #772 from chris-jones-arm/development-restricted
Fix Diffie-Hellman large key size DoS
2020-12-07 09:28:55 +00:00
Gilles Peskine
4e0a4d444d Clarifying comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:30 +01:00
Gilles Peskine
a56d3d9e75 cipher_auth_xxcrypt_ext: Make NIST_KW case more robust
Don't invoke classic NIST_KW in case PSA gains support for NIST_KW.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:10 +01:00
Gilles Peskine
e09aeb4923 Remove redundant NIST_KW checks in cipher_auth_xxcrypt()
The internal functions mbedtls_cipher_aead_{encrypt,decrypt} reject
unsupported algorithms, so there's no need for an additional check in
the legacy wrappers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:07:26 +01:00
Gilles Peskine
8a3d234859 Fail the test case immediately if cipher_reset_key fails
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:02:13 +01:00
Gilles Peskine
a2971ea62c Simplify some buffer comparisons in tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:47 +01:00
Gilles Peskine
70edd689a8 cipher_auth_xxcrypt(): fix some null pointer handling
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.

Make sure to pass NULL for an empty buffer in the tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:26 +01:00
Manuel Pégourié-Gonnard
b23e31d86a Minor documentation/comment fixes
typos, overlong lines

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 09:57:35 +01:00
Gilles Peskine
e410bf7320 Add changelog entry for the memory management fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine
e54be3a9c3 Fix uncaught error if fix_negative fails
fix_negative allocates memory for its result. The calling site didn't
check the return value, so an out-of-memory error could lead to an
incorrect calculation. Fix this.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine
89b4130098 Fix memory leak in mbedtls_mpi_sub_abs
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine
56f943a184 Always test in-place addition and subtraction
Run all the addition and subtraction tests with the result aliased to
the first operand and with the result aliased to the second operand.
Before, only some of the aliasing possibilities were tested, for only
some of the functions, with only some inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
gacquroff
1bfeb8a837 Add changelog entry file for bugfix 2927
Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 12:28:25 -08:00
Chris Jones
e64a46f466 Fix exponentiation tests with MBEDTLS_MPI_MAX_BITS larger than 256
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:48:27 +00:00
Chris Jones
add9948784 Fix whitespace in changelog entry
Extra whitespace and a missing newline at end of file was causing an error with
`check_files.py`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 15:45:29 +00:00
Chris Jones
7c430305e3 Move dependancy to specific test cases
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 15:22:25 +00:00
Chris Jones
4592bd8982 Fix broken testing on numbers that may be greater than MPI_MAX_SIZE
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.

This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 14:24:33 +00:00
John Durkop
6ca2327150 Update guards for ALG_SHA_224 and ALG_SHA_384 in crypto library
The previous revision of guards around SHA_224 and SHA_384 were not
correct. This set of changes ensures the proper code is available
when SHA_224 and SHA_384 are enabled for use.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-12-03 06:07:04 -08:00
Paul Elliott
b250ac951d Set CMake policies for newer versions of CMake
Make sure that CMP0012 is set to NEW, without which FindPython3 and
FindPython2 functionality becomes broken with CMake 3.18.2 if searching
by location. CMP0012 being set to OLD is also deprecated as of 3.18.3.
Ensure CMP0011 is set to NEW to avoid warnings and deprecated behaviour
being issued about policy push / pop with CMake 3.18.0 or newer.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-03 13:02:14 +00:00
Manuel Pégourié-Gonnard
6df90523e1 Add ChangeLog entries for auth_crypt changes
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 13:00:58 +01:00
Chris Jones
e146bdcff9 Fix cases where exponentiation was not fully tested
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.

This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 11:52:40 +00:00
Gilles Peskine
227366b4b0 Merge branch 'development' into development-restricted 2020-12-03 12:39:44 +01:00
Chris Jones
aa850cdfdc Reword test cases
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 11:35:41 +00:00