Valerio Setti
202bb71dcd
ssl_tls12_server: do not export/import opaque keys
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-06 17:05:24 +01:00
Valerio Setti
bced8bc8d7
ssl_tls12_server: export/import PK parsed key in TLS side
...
Instead of setting both algorithm and enrollement algorithm in the
PK module when parsing the key:
- for Weierstrass keys we only set ECDSA algorithm,
- for Montgomery keys we don't set any algorithm.
Reasons:
- PK module can only do ECDSA and not ECDH
- ECDH is only used in TLS
- Montgomery keys cannot be used to do ECDSA, while Weierstrass ones
can do both ECDSA and ECDH.
So the idea is that once TLS needs the key to do ECDH (either Weierstrass
and Montgomery), it exports the one parsed from the PK module and then
re-imports it setting proper algorithm and flags. In this way the TLS
module will own the new key so it will be its duty to clear it on
exit.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-06 10:40:47 +01:00
Dave Rodgman
c37ad4432b
misc type fixes in ssl
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
a3d0f61aec
Use MBEDTLS_GET_UINTxx_BE macro
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
e4a6f5a7ec
Use size_t cast for pointer subtractions
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
16799db69a
update headers
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-02 19:47:20 +00:00
Gilles Peskine
f6f4695824
Merge pull request #8320 from valeriosetti/issue8263
...
Fix dependencies of mbedtls_pk_ec_ro and mbedtls_pk_ec_rw
2023-10-18 10:03:46 +00:00
Valerio Setti
74cb404b0d
ssl: improve ssl_check_key_curve()
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-16 13:40:50 +02:00
Valerio Setti
4d0e84628c
ssl: reorganize guards surrounding ssl_get_ecdh_params_from_cert()
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-11 13:15:29 +02:00
Valerio Setti
e7cefae5f4
ssl: fix getting group id in ssl_check_key_curve()
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-06 13:19:48 +02:00
Gilles Peskine
3713bee34c
Remove leftover local debug line
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 18:43:18 +02:00
Gilles Peskine
530c423ad2
Improve some debug messages and error codes
...
On a parsing error in TLS, return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, not a
crypto error code.
On error paths, emit a level-1 debug message. Report the offending sizes.
Downgrade an informational message's level to 3.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:42:11 +02:00
Gilles Peskine
c8df898204
Fix buffer overflow in TLS 1.2 ClientKeyExchange parsing
...
Fix a buffer overflow in TLS 1.2 ClientKeyExchange parsing. When
MBEDTLS_USE_PSA_CRYPTO is enabled, the length of the public key in an ECDH
or ECDHE key exchange was not validated. This could result in an overflow of
handshake->xxdh_psa_peerkey, overwriting further data in the handshake
structure or further on the heap.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:02:33 +02:00
Gilles Peskine
eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613
...
TLS: Clean up ECDSA dependencies
2023-09-20 12:47:55 +00:00
Dave Rodgman
b7825ceb3e
Rename uint->bool operators to reflect input types
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-10 11:58:18 +01:00
Dave Rodgman
c98f8d996a
Merge branch 'development' into safer-ct5
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-07 11:47:35 +01:00
Valerio Setti
e9646ecd08
tls: fix guards for ECDSA support
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-03 09:15:28 +02:00
Valerio Setti
45d56f3d25
tls: replace ECDSA_C and PK_CAN_ECDSA_SOME with key exchange related ones
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-01 19:02:38 +02:00
Manuel Pégourié-Gonnard
de8f56e936
Merge pull request #7884 from valeriosetti/issue7612
...
TLS: Clean up (EC)DH dependencies
2023-08-01 07:13:36 +00:00
Gilles Peskine
bb07377458
Merge pull request #7935 from AgathiyanB/add-enum-casts
...
Add type casts for integer and enum types
2023-07-26 11:27:27 +02:00
Valerio Setti
ea59c43499
tls: fix a comment a rename a variable/symbol
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-25 11:14:03 +02:00
Valerio Setti
60d3b91eba
tls: use TLS 1.2 macros in ssl_tls12_server.c
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-25 10:43:53 +02:00
Agathiyan Bragadeesh
8b52b88b6d
Add type casts in ssl library
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-07-17 15:14:42 +01:00
Valerio Setti
c2232eadfb
tls: replace PK_CAN_ECDH guards with new helpers
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Valerio Setti
7aeec54094
tls: replace ECDH_C guards with new helpers
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Przemek Stekiel
46b2d2b643
Fix code style
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-07-07 09:34:17 +02:00
Przemek Stekiel
615cbcdbdf
Provide additional comments for claryfication
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-07-06 12:16:39 +02:00
Przemek Stekiel
7ac93bea8c
Adapt names: dh -> xxdh
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-07-05 09:26:26 +02:00
Przemek Stekiel
6f199859b6
Adapt handshake fields to ffdh
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-07-05 09:25:00 +02:00
Manuel Pégourié-Gonnard
56b159a12a
Merge pull request #7627 from mprse/ffdh_tls13_v2
...
Make use of FFDH keys in TLS 1.3 v.2
2023-07-03 10:12:33 +02:00
Dave Rodgman
9fbb0cf08e
Merge remote-tracking branch 'origin/development' into safer-ct5
2023-06-28 18:52:02 +01:00
Przemek Stekiel
7dda271c1d
Fix description of functions
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-28 09:16:08 +02:00
Tom Cosgrove
db041cc82f
Merge pull request #7665 from AndrzejKurek/optimize-error-translation-code-size
...
Optimize error translation code size
2023-06-28 08:09:00 +01:00
Valerio Setti
6835b4a6ed
tls: always zeroize buffer on exit
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-22 09:06:31 +02:00
Valerio Setti
3589a4c644
tls: keep buffer declaration in a single line
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-22 09:02:44 +02:00
Valerio Setti
b46217d5c1
tls: never destroy a priavte key that is not owned/created by TLS module
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-16 13:18:52 +02:00
Valerio Setti
0813b6f28d
tls: optimize code in ssl_get_ecdh_params_from_cert()
...
When MBEDTLS_PK_USE_PSA_EC_DATA is defined, opaque and non-opaque keys
are basically stored in the same way (only a diffferent ownership for
the key itself), so they should be treated similarly in the code.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-16 12:18:53 +02:00
Andrzej Kurek
1e4a030b00
Fix wrong array size calculation in error translation code
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-13 05:46:47 -04:00
Andrzej Kurek
1c7a99856f
Add missing ifdefs
...
Make sure that the error translating functions
are only defined when they're used.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-13 05:46:47 -04:00
Andrzej Kurek
0064484a70
Optimize error translation code size
...
Introducing an intermediate function
saves code size that's otherwise taken by excessive,
repeated arguments in each place that
was translating errors.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-13 05:46:46 -04:00
Dave Rodgman
c216d94560
Merge remote-tracking branch 'origin/development' into safer-ct5
2023-06-13 10:36:37 +01:00
Przemek Stekiel
75a5a9c205
Code cleanup
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-13 09:57:23 +02:00
Przemek Stekiel
da4fba64b8
Further code optimizations
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-06 12:31:09 +02:00
Przemek Stekiel
24e50d3dbd
Compile out length check to silent the compiler warning
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-06 12:31:08 +02:00
Manuel Pégourié-Gonnard
6076f4124a
Remove hash_info.[ch]
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
8857984b2f
Replace hash_info macro with MD macro
...
Now the MD macro also accounts for PSA-only hashes.
Just a search-and-replace, plus manually removing the definition in
hash_info.h.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
7b1136836c
Merge pull request #7438 from valeriosetti/issue7074
...
Avoid parse/unparse private ECC keys in PK with USE_PSA when !ECP_C
2023-06-01 10:06:45 +02:00
Dave Rodgman
293eedd3ad
Use new CT interface in ssl_tls12_server.c
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-26 12:42:48 +01:00
Valerio Setti
d0405093d9
tls: use pk_get_group_id() instead of directly accessing PK's structure
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-24 16:02:32 +02:00
Thomas Daubney
f9f0ba8211
Use functions in alignment.h to get value
...
Refactor code using get functions from alignment.h to
read values.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2023-05-24 06:24:16 +01:00