Commit graph

4716 commits

Author SHA1 Message Date
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Gilles Peskine
1fed4b8324
Merge pull request #4720 from gilles-peskine-arm/gcm-finish-outlen
Add output_length parameter to mbedtls_gcm_finish
2021-06-24 20:02:40 +02:00
Gilles Peskine
fedd52ca19
Merge pull request #4707 from gilles-peskine-arm/require-matching-hashlen-rsa-implementation
Require matching hashlen in RSA functions: implementation
2021-06-24 10:28:20 +02:00
Gilles Peskine
5a7be10419 Add output_length parameter to mbedtls_gcm_finish
Without this parameter, it would be hard for callers to know how many bytes
of output the function wrote into the output buffer. It would be possible,
since the cumulated output must have the same length as the cumulated input,
but it would be cumbersome for the caller to keep track.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 21:51:32 +02:00
Gilles Peskine
f06b92d724
Merge pull request #4567 from mstarzyk-mobica/gcm_ad
Enable multiple calls to mbedtls_gcm_update_ad
2021-06-23 19:36:23 +02:00
Dave Rodgman
cb17fc34cf
Merge pull request #4671 from mpg/x509-crt-profile-public
Make the fields of mbedtls_x509_crt_profile public
2021-06-23 16:06:12 +01:00
Ronald Cron
4f7cc1bb63
Merge pull request #4713 from gilles-peskine-arm/psa-storage-format-test-lifetimes-3.0
PSA storage format: test lifetimes
Almost straightforward of #4392 thus merging with only one approval.
2021-06-23 15:22:03 +02:00
Ronald Cron
44a0ae920c
Merge pull request #4710 from mstarzyk-mobica/ccm_taglen
Add missing tag_len in ccm api.
PR-4710-merge TLS Testing  run successfully and the failure in PR-4710-head TLS Testing are CI problems thus merging.
2021-06-23 14:20:26 +02:00
Gilles Peskine
91466c8d3f Hopefully clarify the example
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
52bb83e6ad Fix mbedtls_svc_key_id_is_null when KEY_ID_ENCODES_OWNER
A null key id is a null key id even when it has an owner attached to it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
d133bb2909 New macro PSA_KEY_LIFETIME_IS_READ_ONLY
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:43:08 +02:00
Mateusz Starzyk
82c48c992c Adjust tag_len documentation for the mbedtls_ccm_finish().
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-23 12:39:40 +02:00
Gilles Peskine
c9d86a05ce
Merge pull request #4665 from yanesca/issue-3990-fix_psa_verify_with_alt
Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:38 +02:00
Mateusz Starzyk
98d45b90b0 Add missing tag_len in ccm api.
Function ccm_set_lengths requires tag_len argument for
the B[0] calculation.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-23 10:49:22 +02:00
Gilles Peskine
e9bc857327
Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export
Implement modified key export API for Mbed TLS 3.0
2021-06-22 18:52:37 +02:00
Gilles Peskine
9dbbc297a3 PK signature function: require exact hash length
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 18:39:41 +02:00
Manuel Pégourié-Gonnard
e7885e5441 RSA: Require hashlen to match md_alg when applicable
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-22 12:29:27 +02:00
Manuel Pégourié-Gonnard
3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00
Manuel Pégourié-Gonnard
508d3a5824
Merge pull request #4664 from tom-daubney-arm/rm_truncated_HMAC_ext
Remove truncated HMAC extension
2021-06-22 11:53:10 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Janos Follath
b795332401 mbedtls_rsa_rsassa_pss_*: improve documentation
Hashes used in RSA-PSS encoding (EMSA-PSS-ENCODE, see §9.1.1 in RFC
8017):

- H1: Hashing the message (step 2)
- H2: Hashing in the salt (step 6)
- H3: Mask generation function (step 9)

According to the standard:

- H1 and H2 MUST be done by the same hash function
- H3 is RECOMMENDED to be the same as the hash used for H1 and H2.

According to the implementation:

- H1 happens outside of the function call. It might or might not happen
and the implementation might or might not be aware of the hash used.
- H2 happens inside the function call, consistency with H1 is not
enforced and might not even be possible to detect.
- H3 is done with the same hash as H2 (with the exception of
mbedtls_rsassa_pss_verify_ext(), which takes a dedicated parameter for
the hash used in the MGF).

Issues with the documentation:

- The comments weren't always clear about the three hashes involved and
often only mentioned two of them (which two varied from function to
function).
- The documentation was giving the impression that the standard
recommends aligning H2 and H1 (which is not a recommendation but a
must).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-21 10:39:04 +01:00
Hanno Becker
d8f32e72b4 Move export callback and context to the end of SSL context
This saves some code when compiling for Thumb, where access to
fields with offset index > 127 requires intermediate address
computations. Frequently used fields should therefore be located
at the top of the structure, while less frequently used ones --
such as the export callback -- can be moved to the back.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
e0dad720ee Remove return value from key export callback
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
7e6c178b6d Make key export callback and context connection-specific
Fixes #2188

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
22b34f75cd Remote key export identifier used for TLS < 1.2.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
ddc739cac4 Add missing documentation for key export callback parameters
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
457d61602f Define and implement new key export API for Mbed TLS 3.0
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
2d6e6f8fec Remove '_ext' suffix from SSL key exporter API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
78ba2af7c2 Remove old key export API
Seems to be an oversight that this wasn't marked deprecated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
TRodziewicz
963bb810f4 Removing global variable and moving variant function comment block
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 13:22:57 +02:00
Hanno Becker
5c5b820352 Fix typo in doc'n of session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 12:21:25 +01:00
Manuel Pégourié-Gonnard
9d4c2c4e42 Clarify how to create custom profiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:19:34 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
Gilles Peskine
39957503c5 Remove secp256k1 from the default X.509 and TLS profiles
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
a03fb29666 Document backward compatibility promises for the default TLS profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:05 +02:00
Gilles Peskine
a28f0f5082 Leave the preference order for hashes unspecified
We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad In TLS, order curves by resource usage, not size
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.

So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.

The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
377c91e1b7 Remove meaningless clause
We stated that curves were listed "in order of preference", but we never
explained what the preference was, so this was not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
5752e599b3 Reduce the default ECP window size
MBEDTLS_ECP_WINDOW_SIZE is a compromise between memory usage (growing based
on the value) and performance (faster with larger values). There are
disminishing returns as the value grows larger. Based on Manuel's benchmarks
recorded in https://github.com/ARMmbed/mbedtls/issues/4127, 4 is a good
compromise point, with larger values bringing little advantage. So reduce
the default from 6 to 4.

Document the default value as in optimized for performance mostly, but don't
document the specific value, so we may change it later or make it
platform-dependent.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
ae270bf386 Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ffb92da622 Upgrade the default X.509 profile to the former "next" profile
Upgrade the default X.509 certificate verification profile
mbedtls_x509_crt_profile_default to the former value of
mbedtls_x509_crt_profile_next, which is hashes and curves with at least 255
bits (Curve25519 included), and RSA 2048 and above.

Document more precisely what goes into the default profile.

Keep the "next" profile unchanged for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
Manuel Pégourié-Gonnard
55a7fb8322 Improve documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:42:03 +02:00
Manuel Pégourié-Gonnard
5314e08e08 Make the fields of mbedtls_x509_crt_profile public
These fields are supposed to be manipulated directly, that's how people
create custom profiles.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:32:01 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00