Gabor Mezei
979d34ca7d
Add mod_raw_mul function
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-12-15 15:04:20 +01:00
Werner Lewis
214ae64349
Replace \p with \c for non-parameter code typeset
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:36:07 +00:00
Werner Lewis
1d89ebf548
Clarify all functions operate modulo N
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:35:41 +00:00
Werner Lewis
a306886b3a
Add modulus to parameter ordering
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:35:41 +00:00
Werner Lewis
2e70b9afef
Reword bignum sizes section
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:35:41 +00:00
Werner Lewis
2bd263da1e
Fix grammar and spelling
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:35:40 +00:00
Werner Lewis
945a165a3c
Clarify output requirements
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:22:27 +00:00
Werner Lewis
eac8be76d6
Remove unnecessary type comment
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 13:22:17 +00:00
Werner Lewis
e1eb75dc99
Specify modulus constraints
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-15 12:27:56 +00:00
Manuel Pégourié-Gonnard
50faa55e4d
Merge pull request #6732 from wernerlewis/bignum_6019_mod_add
...
Bignum: Implement mbedtls_mpi_mod_add()
2022-12-15 11:39:24 +01:00
Dave Rodgman
01f6e61781
Merge pull request #986 from Mbed-TLS/merge-back-3.3.0-3
...
Merge back 3.3.0 3
2022-12-14 19:18:05 +00:00
Dave Rodgman
ebef3562c3
Revert "Add generated files"
...
This reverts commit c18d932705
.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-14 19:14:00 +00:00
Dave Rodgman
e90ed7d249
Bump versions for libmbedcrypto and libmbedtls
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-14 17:04:00 +00:00
Manuel Pégourié-Gonnard
c98624af3c
Merge pull request #6680 from valeriosetti/issue6599
...
Allow isolation of EC J-PAKE password when used in TLS
2022-12-14 11:04:33 +01:00
Valerio Setti
a3f99591f6
sha: make SHA-224 independent from SHA-256
...
Using proper configuration options (i.e. MBEDTLS_SHA224_C and
MBEDTLS_SHA256_C) it is now possible to build SHA224 and SHA256
independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-14 10:56:54 +01:00
Manuel Pégourié-Gonnard
4064a82802
Merge pull request #5600 from yuhaoth/pr/refactor-cookie-members-of-handshake
...
Refactor cookie members of handshake
2022-12-14 10:55:34 +01:00
Valerio Setti
898e7a3afe
test: sha: test SHA384 and SHA512 separately
...
This is meant to adapt to the new library design in which
SHA384 and SHA512 can be built independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-14 10:50:54 +01:00
Werner Lewis
eed01aabd3
Clarify wording in documentation
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-14 09:44:00 +00:00
Valerio Setti
43363f5962
sha: make SHA-384 independent from SHA-512
...
Using proper configuration options (i.e. MBEDTLS_SHA384_C and
MBEDTLS_SHA512_C) it is now possible to build SHA384 and SHA512
independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-14 08:53:23 +01:00
Manuel Pégourié-Gonnard
2b70a3f831
Merge pull request #6558 from lpy4105/6416-psa_macros_name_typo
...
check_names: extend typo check to PSA macro/enum names
2022-12-13 09:56:27 +01:00
Manuel Pégourié-Gonnard
48232ed2c1
Merge pull request #6743 from minosgalanakis/bignum/implement_modular_negation
...
Bignum: Implement fixed width modular negation
2022-12-13 09:54:38 +01:00
Bence Szépkúti
f7641544ea
Correct the fix for the PKCS 7 memory leak
...
This corrects an issue in the origina fix in
4f01121f6e
.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2022-12-12 21:59:03 +01:00
Dave Rodgman
8a05c069a5
Merge pull request #6751 from ZachFleck42/development
...
Fix typo in `library/entropy.c`
2022-12-12 16:30:54 +00:00
Werner Lewis
5e9d2e9019
Add conventions for bignum mod and mod_raw
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-12 14:00:25 +00:00
Manuel Pégourié-Gonnard
a9ac61203b
Merge pull request #6666 from daverodgman/fast_unaligned
...
Fast unaligned memory access macros
2022-12-12 12:18:17 +01:00
Minos Galanakis
5e8443e6ef
mbedtls_mpi_mod_raw_neg: Updated documentation.
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-12-12 11:13:56 +00:00
Minos Galanakis
21fe8bdeac
bignum_mod_raw: Added modular negation.
...
This patch adds the `mpi_mod_raw_neg()` method.
Co-authored-by: Hanno Becker <hanno.becker@arm.com>
Co-authored-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-12-12 11:13:56 +00:00
Valerio Setti
016f682796
tls: pake: small code refactoring for password setting functions
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-09 14:17:50 +01:00
Tom Cosgrove
5f09930017
Clarify use of temporary in mbedtls_mpi_mod_raw_inv_prime()
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-09 10:58:15 +00:00
Dave Rodgman
c18d932705
Add generated files
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-09 09:44:10 +00:00
Manuel Pégourié-Gonnard
df0c73c308
Readability improvement in pk_wrap.c
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-12-09 10:09:34 +01:00
Manuel Pégourié-Gonnard
79ae7eb4d1
Use deterministic ECDSA in PSA when we do in legacy
...
This fixes the two failing cases in test_suite_pk when ECP_RESTARTABLE
and USE_PSA_CRYPTO are both enabled. The two failing cases where
ECDSA restartable sign/verify: ECDSA, max_ops=0 (disabled)
ECDSA restartable sign/verify: ECKEY, max_ops=0 (disabled)
associated with test function pk_sign_verify_restart(). The failure was
caused by the interaction of several things that are each reasonable on
their own:
1. The test function relies on ECDSA restartable, which is reasonable as it
allows making sure that the generated signature is correct with a simple
memcmp().
2. The implementation of pk_sign_restartable() has a shortcut to
dispatch to the sign function (as opposed to sign_restartable) when
restart is disabled (max_ops == 0).
3. When USE_PSA is enabled, the sign function dispatches to PSA, which
so far always used ECDSA (non-deterministic) even when the non-PSA
version would use deterministic ECDSA.
This could be fixed by changing any of those. I chose (3) because I
think it makes sense that when PK dispatches to PSA instead of legacy
this should not change which version of ECDSA is selected.
OTOH, I think it makes sense to keep (2), because that means more
opportunities to dispatch to PSA.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-12-09 10:07:19 +01:00
Jerry Yu
0c2a738c23
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Jerry Yu
141bbe7bee
tls13: Adjust include files
...
- remove duplicate and unused included
- Adjust the order to system, mbedtls global, local.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Jerry Yu
ddda050604
tls13: Upstream various fix in prototype
...
- Adjust max input_max_frag_len
- Guard transform_negotiate
- Adjust function position
- update comments
- fix wrong requirements
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Jerry Yu
2e19981e17
tls13: guards transform negotiate
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Valerio Setti
eb3f788b03
tls: pake: do not destroy password key in TLS
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-08 18:42:58 +01:00
Dave Rodgman
48223bc19e
Bump version to 3.3.0. No changes to .so versions.
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-08 14:43:19 +00:00
Dave Rodgman
a5b2c52885
Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-3.3.0rc0-pr
2022-12-08 14:10:59 +00:00
Zachary Fleckenstein
73defe4da0
Fix typo in library/entropy.c
...
Signed-off-by: Zachary Fleckenstein <ZachFleck42@Gmail.com>
2022-12-08 07:28:29 -05:00
Tom Cosgrove
6129268fee
Bignum: Implement mbedtls_mpi_mod_raw_inv_prime() and tests
...
Fixes #6023 .
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-08 09:44:10 +00:00
Tom Cosgrove
a7f0d7b029
mbedtls_mpi_core_exp_mod() ouuput may alias input A
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-08 08:46:28 +00:00
Valerio Setti
ae7fe7ee53
tls: pake: avoid useless psa_pake_abort in setting opaque password
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 17:36:59 +01:00
Valerio Setti
70d1fa538a
tls: pake: fix missing return values check
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 16:20:27 +01:00
Valerio Setti
c689ed8633
tls: pake: minor adjustments
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 14:40:38 +01:00
Dave Rodgman
90af1a10ab
Merge pull request #6734 from daverodgman/fix_test_dep_spelling
...
Fix spelling of test dependency
2022-12-07 09:06:29 +00:00
Ronald Cron
fbba0e9d75
Merge pull request #6537 from yuhaoth/pr/tls13-refactor-early-data-configuration-interface
...
TLS 1.3: Refactor early data configuration interface.
2022-12-07 09:42:12 +01:00
Janos Follath
d45924d862
Merge pull request #6733 from tom-cosgrove-arm/issue-6293-mod_exp-memory
...
Have mbedtls_mpi_core_exp_mod() take a temporary instead of allocating memory
2022-12-07 08:32:31 +00:00
Janos Follath
1d26d976e8
Merge pull request #6731 from tom-cosgrove-arm/issue-6293-mod_exp
...
Require input to mbedtls_mpi_core_exp_mod() to already be in Montgomery form
2022-12-07 08:31:49 +00:00
Dave Rodgman
556e8a3219
Fix additional mis-spelling
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-06 16:31:25 +00:00
Dave Rodgman
92011eef34
Merge pull request #6717 from tom-cosgrove-arm/fix-typos-2212
...
Fix typos prior to release
2022-12-06 15:00:34 +00:00
Tom Cosgrove
0a0ddedfb7
Have mbedtls_mpi_core_exp_mod() take a temporary instead of allocating memory
...
Last PR needed for #6293
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-06 14:37:18 +00:00
Werner Lewis
e1b6b7c0ac
Implement mbedtls_mpi_mod_add()
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-12-06 11:55:32 +00:00
Tom Cosgrove
ecda186893
Require input to mbedtls_mpi_core_exp_mod() to already be in Montgomery form
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-06 10:46:30 +00:00
Jerry Yu
6ee56aa18f
Add default values for conf->*early_data*
...
- early_data default to disable
- max_early_data_size default to built-in value
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 18:00:47 +08:00
Jerry Yu
39da9857df
remove limitation of max_early_data_size
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 16:58:36 +08:00
Jerry Yu
12c46bd14f
fix various issues
...
- disable reuse of max_early_data_size.
- make conf_early_data available for server.
- various comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 11:02:51 +08:00
Tom Cosgrove
ed4f59eec3
Fix another typo where 'PSK' was 'PKS'
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-05 12:07:50 +00:00
Jerry Yu
e01304f6d8
fix type conversion issue
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-05 19:58:46 +08:00
Jerry Yu
ac5ca5a0ea
Refactor cookie members of handshake struct
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-05 19:58:45 +08:00
Dave Rodgman
acbb6dc364
Merge remote-tracking branch 'origin/development' into merge-dev
2022-12-05 10:59:23 +00:00
Tom Cosgrove
1797b05602
Fix typos prior to release
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-04 17:19:59 +00:00
Valerio Setti
757f359474
tls: pake: do not destroy key on errors while setting opaque password
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-02 11:07:11 +01:00
Gilles Peskine
70375b2028
Move mbedtls_mpi_core_random to the proper source file
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:46:26 +01:00
Gilles Peskine
78cf3bbf22
Bignum core: break mbedtls_mpi_core_random out of mbedtls_mpi_random
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:45:45 +01:00
Gilles Peskine
4a8c5cdfbf
Bignum core: random: prototype
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:44:07 +01:00
Gilles Peskine
26be89b3f6
Bignum core: random: prepare to break out the core function
...
Shuffle things around a bit inside mbedtls_mpi_random() in preparation for
breaking out mbedtls_mpi_core_random().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:06:43 +01:00
Gilles Peskine
8a32a75aa2
mbedtls_mpi_random: avoid local allocation
...
Rewrite the minimum bound comparison to avoid a local allocation. This costs
a bit of code size, but saves RAM. This is in preparation for moving the
bulk of the function to the bignum_core module where allocation is not
permitted.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:06:43 +01:00
Gilles Peskine
6f949ea67b
New constant-flow function mbedtls_mpi_core_uint_le_mpi
...
Compare a single-limb MPI with a multi-limb MPI. This is rather ad hoc, but
will be useful for mbedtls_mpi_core_random.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-12-01 23:06:43 +01:00
Jerry Yu
cc4e007ff6
Add max_early_data_size to mbedtls_ssl_config
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-01 23:11:48 +08:00
Tom Cosgrove
62b20488f1
Implement mbedtls_mpi_mod_sub()
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-01 14:27:37 +00:00
Valerio Setti
0944329036
tls: pake: add check for empty passwords in mbedtls_ssl_set_hs_ecjpake_password()
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-01 15:06:09 +01:00
Paul Elliott
266f79c136
Merge pull request #6426 from aditya-deshpande-arm/driver-wrapper-key-agreement
...
Add driver dispatch layer for raw key agreement, along with test call for transparent drivers.
2022-12-01 11:40:52 +00:00
Dave Rodgman
2dae4b3ef6
Support armcc builtin byteswap routine
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-30 15:18:39 +00:00
Dave Rodgman
2d0f27d0fc
Make use of optimised bswap from ARIA
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-30 12:16:21 +00:00
Ronald Cron
7df787c019
Merge pull request #6538 from yuhaoth/pr/tls13-add-early-data-transform-computation
2022-11-30 09:56:00 +01:00
Gilles Peskine
edaa17b350
Merge pull request #6547 from yanesca/extract_mod_exp_from_prototype
...
Bignum: Extract mod exp from prototype
2022-11-29 21:40:07 +01:00
Aditya Deshpande
b6bc7524f9
Minor formatting fixes to address code review comments
...
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2022-11-29 16:53:29 +00:00
Manuel Pégourié-Gonnard
0b9b560770
Merge pull request #6601 from valeriosetti/issue6502
...
Avoid assumptions about implementation in EC J-PAKE tests
2022-11-29 11:21:23 +01:00
Manuel Pégourié-Gonnard
f9720cfa78
Merge pull request #6670 from gilles-peskine-arm/pkcs7-use-after-free-20221127
...
PKCS7: Fix some memory management errors
2022-11-29 11:17:27 +01:00
Manuel Pégourié-Gonnard
ffc330fafa
Merge pull request #6264 from hannestschofenig/rfc9146_2
...
CID update to RFC 9146
2022-11-29 09:25:14 +01:00
Jerry Yu
aec08b3f42
fix various format issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-29 15:19:27 +08:00
Janos Follath
97915c8685
Merge pull request #6619 from minosgalanakis/bignum/add_high_lv_IO_methods
...
Bignum: Adding High level I/O methods
2022-11-28 17:27:48 +00:00
Valerio Setti
a9a97dca63
psa_pake: add support for opaque password
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-28 18:26:16 +01:00
Dave Rodgman
6d23ff60dd
Make use of optimised bswap from bignum
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:13 +00:00
Dave Rodgman
f7f1f748e3
Support built-in byteswap routines from clang, gcc, MSVC
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:13 +00:00
Dave Rodgman
a5110b0d79
Make use of efficient unaligned access functions
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:13 +00:00
Dave Rodgman
6298b24127
Add byteswap routines
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:13 +00:00
Dave Rodgman
e5c42594e5
Add byte order detection macro
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:13 +00:00
Dave Rodgman
a360e1987a
Add efficent unaligned get/put functions
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-28 15:41:04 +00:00
Dave Rodgman
d98ac8b75e
Merge remote-tracking branch 'dave/fast_xor' into fast_unaligned
2022-11-28 15:06:25 +00:00
Janos Follath
1f8afa22a4
Bignum Mod: improve documentation and style
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-28 14:58:08 +00:00
Aditya Deshpande
1ac41dec09
Add test function for opaque driver (simply returns PSA_ERROR_NOT_SUPPORTED), and address other review comments.
...
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2022-11-28 14:46:30 +00:00
Janos Follath
84bee4c492
mbedtls_mpi_mod_write: improve readability
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-28 10:27:14 +00:00
Jerry Yu
3d78e08ac0
erase early secrets and transcripts
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
a5db6c0ce3
fix coding style issues.
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
e31688b7fa
fix comments issue
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
a8771839e8
Refactor make_traffic_keys
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
3ce61ffca6
fix comments and function name issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
b094e124f2
fix various issues
...
- Alignments
- comment words in doxygen paragraph
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
91b560f38d
Add compute early transform
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
3d9b590f02
guards transform_earlydata
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Jerry Yu
84a6edac10
change signature of get_cipher_key_info
...
- it is a static function. The name is not follow nameing ruler
- move the position.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Gilles Peskine
4f01121f6e
Fix memory leak on error in pkcs7_get_signers_info_set
...
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811 ).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 22:02:10 +01:00
Gilles Peskine
e7f8c616d0
Fix dangling freed pointer in pkcs7_free_signer_info
...
This may have been a use-after-free, but I haven't worked out whether it was
a problem or not. Even if it turns out to have been ok, keeping invalid
pointers around is fragile.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 21:55:29 +01:00
Gilles Peskine
47a732635b
Simplify control flow in PKCS7 functions
...
Remove useless goto in several functions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 21:55:29 +01:00
Gilles Peskine
290f01b3f5
Fix dangling freed pointer on error in pkcs7_get_signers_info_set
...
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.
Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798 ).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-27 21:55:29 +01:00
Janos Follath
6eb92c0410
Bignum Mod: improve documentation and style
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-26 17:34:37 +00:00
Janos Follath
8dfc8c41b7
mbedtls_mpi_mod_write: prevent data corruption
...
The function wasn't converting back data to internal representation when
writing it out.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-26 15:39:02 +00:00
Janos Follath
d7bb35257b
mbedtls_mpi_mod_read/write: restrict pre-conditions
...
Require equality for the number of limbs in the modulus and the residue.
This makes these functions consistent with residue_setup().
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-26 14:59:27 +00:00
Janos Follath
75b9f0fd2e
mbedtls_mpi_mod_read/write: remove redundant checks
...
The function isn't documented as accepting null pointer, and there's no
reason why it should be. Just let it dereference the pointer.
The null/zero checks are only marginally useful: they validate that m
and r are properly populated objects, not freshly initialized ones. For
that, it's enough to check that the pointers aren't null or that the
sizes aren't zero, we don't need to check both.
Also, use separate if statements for unrelated checks.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-26 14:28:50 +00:00
Gilles Peskine
89e31adbee
Move mps modules to the correct library
...
This is a private interface only, so it's an ABI change but not an API change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-26 14:18:45 +01:00
Gilles Peskine
898db6b8e5
Move ssl_debug_helpers_generated to the correct library
...
This is a private interface only, so it's an ABI change but not an API change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-26 14:15:32 +01:00
Janos Follath
ee530cc644
Bignum Mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
fc6fbb4e96
Bignum Mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
41427dee80
Bignum Mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
91295d2b8f
Bignum Mod: remove endianness from modulus
...
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
3e3fc91c33
Bignum Mod: pass endianness as a parameter
...
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
d3eed33709
Bignum Mod Raw: pass endianness as a parameter
...
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
50cd4b842b
Bignum Mod: Restrict residue setup
...
In theory we could allow residues to have more allocated limbs than the
modulus, but we might or might not need it in the end.
Go for the simpler option for now and we can extend it later if we
really need it.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
b62bad442e
Bidnum Mod: fix check in setup
...
We want to make sure that the value has at least as many limbs allocated
as the modulus as we need this to be able to do any operations in
constant time.
An invariant of the API is that the residue values are canonical, make
sure that the residue is compared to the entire modulus.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-25 17:55:00 +00:00
Minos Galanakis
8b375451c5
bignum_mod: Refactored mbedtls_mpi_mod_read/write()
...
This patch adjusts the I/O methods and the tests.
Documentation has also been updated to be more clear.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-25 17:55:00 +00:00
Minos Galanakis
aed832ac16
bignum_mod: Adjusted input checking for mbedtls_mpi_mod_residue_setup()
...
This patch adjusts the logic of the size checking of the method,
and refactors the tests. Documentation has also been updated.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-25 17:55:00 +00:00
Minos Galanakis
a17ad48e2d
bignum_mod: Fixed an issue with input checking in mpi_mod_residue_setup
...
This patch is inverting the input type checking logic in the method,
in order to ensure that residue < modulus.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-25 17:55:00 +00:00
Minos Galanakis
81f4b11010
bignum_mod: Added mbedtls_mpi_mod_read/write()
IO functions
...
This patch adds input and ouput fucntions in the `bignum_mod` layer.
The data will be automatically converted between Cannonical and
Montgomery representation if required.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-25 17:55:00 +00:00
Janos Follath
590ae5363d
Merge pull request #6656 from tom-cosgrove-arm/bignum_pr_6225-updated
...
Bignum: add mod_raw_add
2022-11-25 17:53:31 +00:00
Dave Rodgman
a616afeae4
Remove redundant inline workarounds
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-25 17:11:45 +00:00
Dave Rodgman
5a1d00f03d
Merge remote-tracking branch 'origin/development' into fast_xor
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-25 17:10:25 +00:00
Dave Rodgman
bf9b23abf8
Merge pull request #6648 from gilles-peskine-arm/psa-ecb-null-0
...
Fix NULL+0 undefined behavior in PSA crypto ECB
2022-11-25 17:07:46 +00:00
Bence Szépkúti
6e85673e8d
Merge pull request #3431 from naynajain/development-pkcs7
...
PKCS7 Parser - RFC 2315
2022-11-25 15:55:46 +01:00
Janos Follath
505a228b7b
Merge pull request #6606 from gabor-mezei-arm/6222_bignum_low_level_subtraction
...
Bignum: Add low level subtraction
2022-11-25 13:27:23 +00:00
Gilles Peskine
7d23778178
Explain why p + n isn't good enough
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-25 13:34:59 +01:00
Gilles Peskine
5a34b36bbd
Remove more now-redundant definitions of inline
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-25 13:26:44 +01:00
Dave Rodgman
f1419dbbe8
Merge pull request #6381 from tom-cosgrove-arm/pr2164
...
mbedtls: fix possible false success in mbedtls_cipher_check_tag()
2022-11-25 10:55:10 +00:00
Manuel Pégourié-Gonnard
61336848a9
Fix bug when legacy CID is enabled but not used
...
When legacy CID is enabled at compile time, but not used at runtime, we
would incorrectly skip the sequence number at the beginning of the AAD.
There was already two "else" branches for writing the sequence number
but none of them was taken in that particular case.
Simplify the structure of the code: with TLS 1.2 (we're already in that
branch), we always write the sequence number, unless we're using
standard CID.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-11-25 11:48:17 +01:00
Dave Rodgman
8f6583d836
Fix for MSVC unsupported #inline keyword
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-25 09:16:41 +00:00
Bence Szépkúti
ae79fb2c2e
Merge branch 'development' into pr3431
2022-11-25 03:12:43 +01:00
Dave Rodgman
b8c4a0d940
Minor formatting tweaks
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 21:18:55 +00:00
Dave Rodgman
7a910a8be0
Minor formatting tweaks
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 21:17:40 +00:00
Dave Rodgman
875d2383d0
Improve documentation
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 20:43:15 +00:00
Dave Rodgman
aaf69fd682
Fix missing newline
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 20:40:28 +00:00
Dave Rodgman
c58858865b
Fix off-by-one error
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 20:35:04 +00:00
Dave Rodgman
66433444fc
Fix static inline linker issues
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 20:07:39 +00:00
Dave Rodgman
4b910c1ed1
Fix whitespace
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 19:44:52 +00:00
Dave Rodgman
069e7f462a
Correct mixed up comments
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 19:37:26 +00:00
Dave Rodgman
96d61d14d8
Use memcpy for unaligned accesses
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 19:33:22 +00:00
Dave Rodgman
fbc23225d6
Tidy up alignment-related code into separate header
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 18:07:37 +00:00
Tom Cosgrove
abddad4af8
Add note about aliasing of operands for mbedtls_mpi_mod_raw_add()
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-24 16:22:43 +00:00
Werner Lewis
e4c0a6c3ba
Change cast to correct type
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-11-24 16:18:06 +00:00
Werner Lewis
1a277d9ad6
Replace comparison with XOR
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-11-24 16:18:06 +00:00
Werner Lewis
d391b8ce61
Change types and move const before type
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-11-24 16:18:06 +00:00
Werner Lewis
9fa91ebcb9
Use modulus structure in mbedtls_mpi_mod_raw_add
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-11-24 16:18:06 +00:00
Werner Lewis
0eea827cbd
Rename MPI_CORE(add_mod) to mbedtls_mpi_mod_raw_add
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-11-24 16:18:06 +00:00
Hanno Becker
a45b6fee91
Extract MPI_CORE(add_mod) from the prototype
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-24 16:17:49 +00:00
Dave Rodgman
6921959b83
Remove unused variable
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 09:27:15 +00:00
Ronald Cron
4cf77e99ab
Merge pull request #6621 from ronald-cron-arm/tls13-early-data-write
...
TLS 1.3: Add definition of mbedtls_ssl_{write,read}_early_data
2022-11-24 09:58:07 +01:00
Dave Rodgman
358c7d6eb0
Fix naming inconsistency
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 20:29:03 +00:00
Dave Rodgman
dd3103e9e7
Tidy up UNALIGNED_UINT32_T macro
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 19:42:13 +00:00
Dave Rodgman
e7cd137606
Define UNALIGNED_UINT32_PTR for unaligned access
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 19:14:26 +00:00
Dave Rodgman
a6778013b4
Tidy up UBSan detection
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 17:17:30 +00:00
Dave Rodgman
468df317bf
Fix MSVC support for inline keyword
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 16:56:35 +00:00
Dave Rodgman
1bab27f983
Prevent unaligned access under ASan builds
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 16:51:59 +00:00
Dave Rodgman
3c8eb7e990
Provide external definition of mbedtls_xor
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 14:50:03 +00:00
Dave Rodgman
63d114305f
Whitespace cleanup
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 14:03:30 +00:00
Dave Rodgman
f9a1c37bc8
Whitespace cleanup
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-23 14:02:00 +00:00
Gabor Mezei
02d2313829
Fix documentation
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-11-23 14:44:14 +01:00
Gabor Mezei
3411e949cd
Cas variable to proper type
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-11-23 14:44:13 +01:00
Gabor Mezei
4c7cf7d742
Add low level subtraction with modulus
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-11-23 14:44:07 +01:00
Janos Follath
531a871b88
Merge pull request #6235 from tom-cosgrove-arm/issue-6231-core-sub-int
...
Bignum: extract core_sub_int from the prototype
2022-11-23 13:32:02 +00:00
Ronald Cron
4a8c9e2cff
tls13: Add definition of mbedtls_ssl_{write,read}_early_data
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-11-23 14:29:37 +01:00
Gilles Peskine
42649d9270
Fix NULL+0 undefined behavior in ECB encryption and decryption
...
psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to
a null pointer when the cipher does not use an IV. This is undefined
behavior, although it works as naively expected on most platforms. This
can cause a crash with modern Clang+ASan (depending on compiler optimizations).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-23 14:16:52 +01:00
Manuel Pégourié-Gonnard
ef25a99f20
Merge pull request #6533 from valeriosetti/issue5847
...
Use PSA EC-JPAKE in TLS (1.2) - Part 2
2022-11-23 13:27:30 +01:00
Ronald Cron
1d1d53622f
Merge pull request #6490 from xkqian/tls13_parse_early_data_indication_ee
...
The internal CI merge job ran successfully.
2022-11-23 12:31:25 +01:00
Ronald Cron
cb0e680779
Merge pull request #6476 from yuhaoth/pr/fix-tls13-mbedtls_ssl_is_handshake_over
...
TLS 1.3: Fix tls13 mbedtls ssl is handshake over
2022-11-23 12:12:02 +01:00
Manuel Pégourié-Gonnard
660b396e41
Merge pull request #975 from yanesca/issue-946
...
Fix RSA side channel
2022-11-23 10:30:35 +01:00
Xiaokang Qian
b157e915ad
Move the early data status set afeter all of the extensions parse
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-23 08:12:26 +00:00
Xiaokang Qian
e861ba01d4
Remove the duplicate early_data_status check
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-23 03:21:02 +00:00
Xiaokang Qian
ca09afc60a
Remove useless function and parse early data in ee
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-23 02:16:49 +00:00
Moritz Fischer
a6a94ad599
lms: Move merkle tree generation to heap allocation
...
Larger height (e.g. H=20) trees cannot be put on the stack.
Allocate memory for them based on need using mbedtls_calloc().
Signed-off-by: Moritz Fischer <moritzf@google.com>
2022-11-22 15:49:56 -08:00
Janos Follath
3321b5842c
mpi_exp_mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
7d89d351e6
Zeroize sensitive data
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
0b270a5603
Explain a little more
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
4380d7b7f3
Simplify cleanup logic
...
Take advantage of the fact that there's a single point of failure.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
3b63d09fea
Make the main loop's logic clearer
...
The loop ends when there are no more bits to process, with one twist: when
that happens, we need to clear the window one last time. Since the window
does not start empty (E_limbs==0 is not supported), the loop always starts
with a non-empty window and some bits to process. So it's correct to move
the window clearing logic to the end of the loop. This lets us exit the loop
when the end of the exponent is reached.
It would be clearer not to do the final window clearing inside the loop, so
we wouldn't need to repeat the loop termination condition (end of exponent
reached) inside the loop. However, this requires duplicating the code to
clear the window. Empirically, this causes a significant code size increase,
even if the window clearing code is placed into a function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
c718a3ce94
Simplify exponent bit selection
...
Use indices instead of mutating data to extract the bits of the exponent.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
d83b5cb504
Local readability improvements
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
0de0a049f1
Move window precomputation into an auxiliary function
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
cf979b0fc1
Define variables closer to their use
...
Make variables const where possible.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
7af166b827
Change E closer to where it's used
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:54 +00:00
Gilles Peskine
07f2c69511
More consistent variable names
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-22 21:22:53 +00:00
Janos Follath
0ec6e3f394
mpi_core_mod_exp: improve style and documentation
...
No intended change in behaviour.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:53 +00:00
Janos Follath
a77911e5c1
core_exp_mod: improve window selection
...
We are looking at the exponent at limb granularity and therefore
exponent bits can't go below 32.
The `mpi_` prefix is also removed as it is better not to have prefix at
all than to have just a partial. (Full prefix would be overly long and
would hurt readability.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:53 +00:00
Janos Follath
59cbd1be27
Make mbedtls_mpi_core_ct_uint_table_lookup static
...
Now that we have a function that calls
mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if
we make it static.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:53 +00:00
Janos Follath
bad42c4d0d
mpi_core_exp_mod: fix local variable type
...
On platforms with size_t different from int, mismatch between size_t and
mpi_uint can cause incorrect results or complaints from the compiler.
Signed-off-by: Janos Follath <janos.follath@arm.com>
mpi_core_exp_mod: Cast local variable explicitly
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:53 +00:00
Janos Follath
b6673f0f19
Add modular exponentiation to bignum core
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 21:22:53 +00:00
Dave Rodgman
fdd967ebdc
Detect support for unaligned memory access
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 18:55:17 +00:00
Aditya Deshpande
5e3c70e3be
Merge branch 'development' into driver-wrapper-key-agreement
2022-11-22 17:58:52 +00:00
Aditya Deshpande
8cc1470c18
Merge branch 'development' into driver-wrapper-key-agreement
2022-11-22 17:55:53 +00:00
Valerio Setti
6d4e75f0c6
psa_crypto_pake: initialize psa_status_t stack variables
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:52:17 +01:00
Valerio Setti
fdb77cdae3
psa_crypto_pake: internally call to psa_pake_abort() in case of errors
...
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what expected by
the specification
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:41:01 +01:00
Dave Rodgman
c36a56e890
Use mbedtls_xor in TLS messaging layer
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
74b345f282
Use mbedtls_xor in PKCS #5
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
99a507ee55
Use mbedtls_xor in md
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
d22fb73e3e
Use mbedtls_xor in GCM
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
2e9db8e9bf
Use mbedtls_xor in DES
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
ffb5499988
Use mbedtls_xor in CTR_DRBG
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
8c0ff81ce7
Use mbedtls_xor in CMAC
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:44 +00:00
Dave Rodgman
c1d9022bab
Use mbedtls_xor in ChaCha20
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Dave Rodgman
0d3b55bca8
Use mbedtls_xor in ccm
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Dave Rodgman
d23399eb69
Use mbedtls_xor in Camellia
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Dave Rodgman
7bb6b84b29
Use mbedtls_xor in ARIA
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Dave Rodgman
a8cf607458
Use mbedtls_xor in AES
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Janos Follath
3165f063b5
mpi_exp_mod: use x_index consistently
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
c8d66d50d0
mpi_exp_mod: reduce the table size by one
...
The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
060009518b
mpi_exp_mod: fix out of bounds access
...
The table size was set before the configured window size bound was
applied which lead to out of bounds access when the configured window
size bound is less.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
9c09326572
mpi_mod_exp: be pedantic about right shift
...
The window size starts giving diminishing returns around 6 on most
platforms and highly unlikely to be more than 31 in practical use cases.
Still, compilers and static analysers might complain about this and
better to be pedantic.
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:11 +00:00
Janos Follath
be54ca77e2
mpi_exp_mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
74601209fa
mpi_exp_mod: remove the 'one' variable
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
b2c2fca974
mpi_exp_mod: simplify freeing loop
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
3646ff02ad
mpi_exp_mod: move X next to the precomputed values
...
With small exponents (for example, when doing RSA-1024 with CRT, each
prime is 512 bits and we'll use wsize = 5 which may be smaller that the
maximum - or even worse when doing public RSA operations which typically
have a 16-bit exponent so we'll use wsize = 1) the usage of W will have
pre-computed values, then empty space, then the accumulator at the very
end.
Move X next to the precomputed values to make accesses more efficient
and intuitive.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
7fa11b88f3
mpi_exp_mod: rename local variables
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
844614814e
mpi_exp_mod: remove memory ownership confusion
...
Elements of W didn't all have the same owner: all were owned by this
function, except W[x_index]. It is more robust if we make a proper copy
of X.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
f08b40eaab
mpi_exp_mod: improve documentation
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
b764ee1603
mpi_exp_mod: protect out of window zeroes
...
Out of window zeroes were doing squaring on the output variable
directly. This leaks the position of windows and the out of window
zeroes.
Loading the output variable from the table in constant time removes this
leakage.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Janos Follath
8e7d6a0386
mpi_exp_mod: load the output variable to the table
...
This is done in preparation for constant time loading that will be added
in a later commit.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-11-22 15:04:10 +00:00
Valerio Setti
99d88c1ab4
tls: psa_pake: fix missing casting in mbedtls_psa_ecjpake_write_round
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 16:03:43 +01:00
Dave Rodgman
c3d8041fe7
Introduce mbedtls_xor
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 15:01:39 +00:00
Tom Cosgrove
452c99c173
Use mbedtls_mpi_core_sub_int() in mbedtls_mpi_sub_abs()
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-22 14:58:15 +00:00
Tom Cosgrove
f7ff4c9a11
Tidy up, remove MPI_CORE(), and apply the naming convention
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-22 14:58:15 +00:00
Hanno Becker
d9b2348d8f
Extract MPI_CORE(sub_int) from the prototype
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-11-22 14:58:15 +00:00
Bence Szépkúti
a17d038ee1
Merge branch 'development' into pr3431
2022-11-22 15:54:52 +01:00
Gilles Peskine
4f19d86e3f
Merge pull request #6608 from mprse/ecjpake_password_fix
...
Make a copy of the password key in operation object while setting j-pake password
2022-11-22 14:52:12 +01:00
Aditya Deshpande
2f7fd76d91
Replace PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE with PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE in psa_key_agreement_internal().
...
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2022-11-22 11:10:34 +00:00
Valerio Setti
d4a9b1ab8d
tls: psa_pake: remove useless defines and fix a comment
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 11:11:10 +01:00
Xiaokang Qian
8bee89994d
Add parse function for early data in encrypted extentions
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-22 09:40:07 +00:00
Przemek Stekiel
0bdec19c93
Further optimizations of pake set_password implementation
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-22 09:10:35 +01:00
Jerry Yu
fdd24b8c49
Revert change in flight transmit
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-22 14:08:03 +08:00
Gilles Peskine
339406daf9
Merge pull request #6609 from gilles-peskine-arm/mpi_sint-min-ub
...
Fix undefined behavior in bignum: NULL+0 and -most-negative-sint
2022-11-21 19:51:58 +01:00
Przemek Stekiel
ad0f357178
Optimize pake code that sets/use password key
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-21 15:04:37 +01:00
Przemek Stekiel
e2d6b5f45b
psa_key_slot_get_slot_number: Move documentation to header file
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-21 15:03:52 +01:00
Valerio Setti
5151bdf46e
tls: psa_pake: add missing braces
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-21 14:30:02 +01:00
Valerio Setti
79f6b6bb1b
tls: psa_pake: fixing mbedtls_psa_ecjpake_write_round()
...
It might happen that the psa_pake_output() function returns
elements which are not exactly 32 or 65 bytes as expected, but
1 bytes less.
As a consequence, insted of hardcoding the expected value for
the length in the output buffer, we write the correct one as
obtained from psa_pake_output()
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-21 14:17:03 +01:00
Dave Rodgman
9e1836cc16
Merge pull request #6593 from Mbed-TLS/fix_tls12_sent_sigalgs
...
Fix TLS1.2 signature algorithms list entry getting overwritten by length.
2022-11-21 10:09:57 +00:00
Jerry Yu
9b421456b0
Revert change in dtls1.2
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
Jerry Yu
668070d5f4
Remove unnecessary replace
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
Jerry Yu
a8d3c5048f
Rename new session ticket name for TLS 1.3
...
NewSessionTicket is different with TLS 1.2.
It should not share same state.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
Jerry Yu
cfda4bbeac
Replace handshake over in flight transmit
...
Fix deadloop in DTLS resumption test.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
Jerry Yu
1fb3299ad7
Replace internal usage of is_handshake_over.
...
NEW_SESSION_TICKETS* are processed in handshake_step.
Change the stop condition from `mbedtls_ssl_is_handshake_over`
to directly check.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
5ed73ff6de
Add NEW_SESSION_TICKET* into handshake over states
...
All state list after HANDSHAKE_OVER as is_handshakeover
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
6848a61922
Revert "Replace internal usage of mbedtls_ssl_is_handshake_over"
...
This reverts commit 1d3ed2975e7ef0d84050a3aece02eec1f890dec3.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
e219c11b4e
Replace internal usage of mbedtls_ssl_is_handshake_over
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Valerio Setti
61ea17d30a
tls: psa_pake: fix return values in parse functions
...
Ensure they all belong to the MBEDTLS_ERR_SSL_* group
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-18 12:11:00 +01:00
Valerio Setti
aca21b717c
tls: psa_pake: enforce not empty passwords
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 18:20:50 +01:00
Valerio Setti
819de86895
tls: removed extra white spaces and other minor fix
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 18:05:19 +01:00
Valerio Setti
6b3dab03b5
tls: psa_pake: use a single function for round one and two in key exchange read/write
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 17:14:54 +01:00
Valerio Setti
9bed8ec5d8
tls: psa_pake: make round two reading function symmatric to the writing one
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 16:36:19 +01:00
Valerio Setti
30ebe11f86
tls: psa_pake: add a check on read size on both rounds
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 16:35:02 +01:00
Valerio Setti
a988364767
tls: psa_pake: fix missing new round one parsing function on tls12 server
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 16:35:02 +01:00
Valerio Setti
a08b1a40a0
tls: psa_pake: move move key exchange read/write functions to ssl_tls.c
...
Inlined functions might cause the compiled code to have different sizes
depending on the usage and this not acceptable in some cases.
Therefore read/write functions used in the initial key exchange are
moved to a standard C file.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 16:34:59 +01:00
Andrzej Kurek
ec71b0937f
Introduce a test for single signature algorithm correctness
...
The value of the first sent signature algorithm is overwritten.
This test forces only a single algorithm to be sent and then
validates that the client received such algorithm.
04 03 is the expected value for SECP256R1_SHA256.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-11-17 14:58:14 +00:00
Paul Elliott
96a0fd951f
Fix signature algorithms list entry getting overwritten by length.
...
Fix bug whereby the supported signature algorithm list sent by the
server in the certificate request would not leave enough space for the
length to be written, and thus the first element would get overwritten,
leaving two random bytes in the last entry.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-11-17 14:58:14 +00:00
Przemek Stekiel
369ae0afc3
Zeroize pake password buffer before free
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-17 14:14:31 +01:00
Przemek Stekiel
152ae07682
Change password ec j-pake operation fields to more suitable
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-17 13:24:36 +01:00
Ronald Cron
d12922a69a
Merge pull request #6486 from xkqian/tls13_add_early_data_indication
...
The merge job of the internal CI ran successfully. This is good to go.
2022-11-17 12:48:50 +01:00
Przemyslaw Stekiel
1def5becc2
Add psa_get_and_lock_key_slot_with_policy to header file
...
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-16 16:28:04 +01:00
Valerio Setti
6f1b5741ae
tls12: psa_pake: simplify EC info parsing in server's 2nd round
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-16 14:50:13 +01:00
Valerio Setti
4a9caaa0c9
tls12: psa_pake: check elliptic curve's TLS ID on handshake
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-16 14:50:10 +01:00
Valerio Setti
fbbc1f3812
tls12: psa_pake: use proper defines for the output size of each step in ECJPAKE
...
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-16 14:49:52 +01:00
Valerio Setti
02c25b5f83
tls12: psa_pake: use common code for parsing/writing round one and round two data
...
Share a common parsing code for both server and client for parsing
round one and two.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-16 13:56:12 +01:00
Ronald Cron
e9f92c4fbc
tls: Fix in_cid buffer size in transform structure
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-11-16 10:23:05 +01:00
Xiaokang Qian
0cc4320e16
Add EARLY_DATA guard to the early data extension in session ticket
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-16 08:43:50 +00:00
Gilles Peskine
ef7f4e47b1
Express abs(z) in a way that satisfies GCC and MSVC
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-15 23:25:27 +01:00
Gilles Peskine
af601f9751
Fix undefined behavior with the most negative mbedtls_mpi_sint
...
When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-15 23:02:14 +01:00
Gilles Peskine
db14a9d180
Fix NULL+0 in addition 0 + 0
...
Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when
both operands are 0 and the left operand is represented with 0 limbs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-15 23:00:21 +01:00
Przemek Stekiel
348410f709
Make a copy of the key in operation while setting pake password
...
Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key.
This requires making this function public. This will have to be solved while adding driver dipatch for EC-JPAKE.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-15 22:22:07 +01:00
Gilles Peskine
4a768dd17d
Fix negative zero created by (-A) + (+A) or (-A) - (-A)
...
In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention
mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value
was zero, the sign bit of the result was incorrectly set to -1 when the
left-hand operand was negative. This is not a valid mbedtls_mpi
representation. Fix this: always set the sign to +1 when the result is 0.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-15 20:36:18 +01:00
Gilles Peskine
72ee1e3f3c
Unify mbedtls_mpi_add_mpi and mbedtls_mpi_sub_mpi
...
mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just
with one bit to flip in the sign calculation. Move the shared logic to a new
auxiliary function. This slightly reduces the code size (if the compiler
doesn't inline) and reduces the maintenance burden.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-15 20:30:09 +01:00
Xiaokang Qian
2cd5ce0c6b
Fix various issues cause rebase to latest code
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-15 10:33:53 +00:00
Dave Rodgman
d384b64dd2
Merge branch 'development' into rfc9146_2
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-14 17:43:15 +00:00
Janos Follath
4d0ea7f4cc
Merge pull request #6550 from minosgalanakis/minos/6017_add_montgomery_conversion
...
Bignum: Add Montgomery conversion from/to cannonical form
2022-11-14 11:12:13 +00:00
Xiaokang Qian
fe3483f9a1
Update early data doument and config dependencies
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:16:22 +00:00
Xiaokang Qian
ae07cd995a
Change ticket_flag base on review
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:16:22 +00:00
Xiaokang Qian
2d87a9eeb5
Pend one alert in case wrong EXT_EARLY_DATA length
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:16:22 +00:00
Xiaokang Qian
a042b8406d
Address some format issues
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:16:19 +00:00
Xiaokang Qian
f447e8a8d3
Address comments base on reviews
...
Improve early data indication check
Update test case to gnutls server
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:36 +00:00
Xiaokang Qian
a341225fd0
Change function name ssl_tls13_early_data_has_valid_ticket
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:05 +00:00
Xiaokang Qian
01323a46c6
Add session ticket related check when send early data
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:05 +00:00
Xiaokang Qian
ecc2948f21
Fix format issues
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:05 +00:00
Xiaokang Qian
76332816c7
Define the EARLY_DATA_STATUS
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:05 +00:00
Xiaokang Qian
338f727683
Move EARLY_DATA_OFF/ON guard to ssl_misc.h
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:15:03 +00:00
Xiaokang Qian
b781a2323c
Move ssl_tls13_has_configured_ticket() back to tls13 client
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:13:51 +00:00
Xiaokang Qian
893ad81966
Remove useless early_secrets field
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:13:51 +00:00
Xiaokang Qian
911c0cc4f0
Fix format issues in comments
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:13:50 +00:00
Xiaokang Qian
0e97d4d16d
Add early data indication to client side
...
Add fields to mbedtls_ssl_context
Add write early data indication function
Add check whether write early data indication
Add early data option to ssl_client2
Add test cases for early data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2022-11-14 03:13:50 +00:00
Paul Elliott
aeb8bf2ab0
Merge pull request #6170 from yuhaoth/pr/tls13-cleanup-extensions-parser
...
TLS 1.3: Add extension check for message parsers
2022-11-11 19:00:46 +00:00
Minos Galanakis
d9299c388e
bignum_mod_raw: Refactored Montgomery conversion functions
...
This patch updates the `mbedtls_mpi_mod_raw_conv_xx()` methods
as follows:
* Renamed for simplicity: conv_fwd -> from_mont_rep, conv_inv -> to_mont_rep.
* Uncoupled the dependency on the legaly bignum interface.
* `mbedtls_mpi` is no longer used for temporary buffer allocation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-11 10:54:58 +00:00
Hanno Becker
5ad4a93596
bignum_mod_raw: Added conversion methods for internal/public data representation
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2022-11-11 10:54:58 +00:00
Dave Rodgman
f58172fe43
Merge remote-tracking branch 'origin/development' into pr3431
2022-11-10 09:54:49 +00:00
Gilles Peskine
ed4b34aa7c
Merge pull request #6570 from gilles-peskine-arm/bignum-mbedtls_test_read_mpi_core-nonempty
...
Forbid empty mpi_core in test data
2022-11-09 19:02:24 +01:00
Jerry Yu
97be6a913e
fix various issues
...
- typo error
- replace `ssl->hanshake` with handshake
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-09 22:43:31 +08:00