Commit graph

134 commits

Author SHA1 Message Date
Dave Rodgman
f2e3eb8bd9 Add OID for HMAC-RIPEMD160
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 15:46:05 +01:00
Dave Rodgman
5cc67a3ee2 Add OIDs for HMAC-SHA3
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 14:44:35 +01:00
Dave Rodgman
a2cdc840de Fix pre-existing missing closing #endif comment
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 14:44:13 +01:00
Dave Rodgman
527f48f14d Add OID definitions for SHA3
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-05 18:57:30 +01:00
Valerio Setti
81d75127ba library: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-19 19:24:05 +02:00
Gilles Peskine
d598eaf212
Merge pull request #7106 from davidhorstmann-arm/parse-oid-from-string
Parse an OID from a string
2023-06-06 20:57:17 +02:00
David Horstmann
62e7fae109 Fix bug in calculation of maximum possible bytes
Each DER-encoded OID byte can only store 7 bits of actual data, so take
account of that.

Calculate the number of bytes required as:

number_of_bytes = ceil(subidentifier_size * 8 / 7)

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-02 15:51:28 +01:00
David Horstmann
02127ab022 Allow subidentifiers of size UINT_MAX
Make overflow check more accurate and add testcases

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-02 15:51:17 +01:00
David Horstmann
45d5e2dc1a Rename minimum_mem to resized_mem
This new name is clearer about its purpose.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:10:33 +01:00
David Horstmann
5d074168f3 Rearrange declarations for readability
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:09:27 +01:00
David Horstmann
017139751a Change behaviour away from NUL-terminated strings
Instead, require the length of the string to be passed. This is more
useful for our use-case, as it is likely we will parse OIDs from the
middle of strings.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-01 15:04:20 +01:00
David Horstmann
6883358c16 Hoist variable declarations to before goto
This should appease IAR, which does not like declarations in the middle
of goto sequences.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-05-31 17:27:28 +01:00
David Horstmann
25d65e8527 Refactor while loop for simplicity
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-05-31 14:53:07 +01:00
David Horstmann
ada7d72447 Improve line spacing after variable declarations
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-05-31 14:49:56 +01:00
Gilles Peskine
97edeb4fb8
Merge pull request #6866 from mprse/extract-key-ids
Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions v.2
2023-05-08 20:38:29 +02:00
Jethro Beekman
0167244be4 Read and write X25519 and X448 private keys
Signed-off-by: Jethro Beekman <jethro@fortanix.com>
Co-authored-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
Signed-off-by: Gijs Kwakkel <gijs.kwakkel@fortanix.com>
2023-05-04 13:01:47 +02:00
David Horstmann
9643575d92 Limit OIDs to 128 components
The longest OID known by oid-info.com is 34 components[1], so 128
should be plenty and will limit the potential for attacks.

[1] http://oid-info.com/get/1.3.6.1.4.1.1248.1.1.2.1.3.21.69.112.115.111.110.32.83.116.121.108.117.115.32.80.114.111.32.52.57.48.48

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-04-26 11:50:14 +01:00
David Horstmann
861e5d2742 Change to using an alloc-realloc strategy
Allocate enough memory to guarantee we can store the OID, encode into
the buffer, then realloc and copy into a buffer of exactly the right
size.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-04-19 18:37:45 +01:00
Valerio Setti
d4a5d461de library: add remaining changes for the new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Przemek Stekiel
db323aa241 Fix Subject Key Identifier, Authority Key Identifier entries in oid_x509_ext
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-04 17:48:28 +02:00
toth92g
a41954d0cf Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions. Updating mbedtls_x509_crt_free function to also free the new dynamic elements (issuer field of AuthorityKeyId).
A few tests are also added which test the feature with a correct certificate and multiple ones with erroneous ASN1 tags.

Signed-off-by: toth92g <toth92g@gmail.com>
2023-04-04 17:48:27 +02:00
Manuel Pégourié-Gonnard
7224086ebc Remove legacy_or_psa.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:29:31 +01:00
Manuel Pégourié-Gonnard
ebef58d301 OID + misc crypto: use MD_CAN and fix failures
After this, only PK, X.509 and TLS remain to be done.

Deterministic uses HMAC-DRBG which uses MD, so it needs crypto_init()
when using a driver-only hash.

Also, remove a special-purpose macro that's no longer needed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-03-21 16:28:00 +01:00
Demi Marie Obenour
889534a4d2 Fix segfault in mbedtls_oid_get_numeric_string
When passed an empty OID, mbedtls_oid_get_numeric_string would read one
byte from the zero-sized buffer and return an error code that depends on
its value.  This is demonstrated by the test suite changes, which
check that an OID with length zero and an invalid buffer pointer does
not cause Mbed TLS to segfault.

Also check that second and subsequent subidentifiers are terminated, and
add a test case for that.  Furthermore, stop relying on integer division
by 40, use the same loop for both the first and subsequent
subidentifiers, and add additional tests.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-03-16 01:06:41 -04:00
David Horstmann
ce16474d91 Correct INT_MAX overflow check to UINT_MAX
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-23 13:50:48 +00:00
David Horstmann
376e8df9d6 Clarify structure of parsing with comments:
1. Parse through to get the required buffer length.
2. Having allocated a buffer, parse into the buffer.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
89d67bd472 Remove superfluous sizeof(unsigned char)
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
7cdfda12da Fixup: Correct signedness of val local variable
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
0f4ee418d8 Use return for errors only in oid_parse_number()
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
59400ffed5 Improve header docs and rename parameter
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
03329970de Correct error in processing of second component
Root nodes 0 and 1 may have up to 40 children (0 - 39), not 39 children
(0 - 38) as previously thought.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
18ec9d7da1 Change some error codes to be more accurate
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 18:27:59 +00:00
David Horstmann
92337c0e62 Add function to parse an OID from a string
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-22 16:34:26 +00:00
David Horstmann
5b5a0b618c Change error codes to more appropriate codes
The more precise error codes are borrowed from the ASN1 module.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:24:12 +00:00
David Horstmann
f51851dc70 Change += to |= for clearer semantics
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 15:44:24 +00:00
David Horstmann
34b3f1b757 Make overflow checks more readable
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 13:46:53 +00:00
David Horstmann
9c1887c4c7 Disallow overlong encoding when parsing OIDs
OID subidentifiers are encoded as follow. For every byte:
* The top bit is 1 if there is another byte to come, 0 if this is the
last byte.
* The other 7 bits form 7 bits of the number. These groups of 7 are
concatenated together in big-endian order.

Overlong encodings are explicitly disallowed by the BER/DER/X690
specification. For example, the number 1 cannot be encoded as:

0x80 0x80 0x01

It must be encoded as:

0x01

Enforce this in Mbed TLS' OID DER-to-string parser.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 12:02:27 +00:00
David Horstmann
c7f700c795 Fix incorrect printing of OIDs
The first 2 components of an OID are combined together into the same
subidentifier via the formula:

subidentifier = (component1 * 40) + component2

The current code extracts component1 and component2 using division and
modulo as one would expect. However, there is a subtlety in the
specification[1]:

>This packing of the first two object identifier components recognizes
>that only three values are allocated from the root node, and at most
>39 subsequent values from nodes reached by X = 0 and X = 1.

If the root node (component1) is 2, the subsequent node (component2)
may be greater than 38. For example, the following are real OIDs:
* 2.40.0.25, UPU standard S25
* 2.49.0.0.826.0, Met Office
* 2.999, Allocated example OID

This has 2 implications that the current parsing code does not take
account of:
1. The second component may be > 39, so (subidentifier % 40) is not
correct in all circumstances.
2. The first subidentifier (containing the first 2 components) may be
more than one byte long. Currently we assume it is just 1 byte.

Improve parsing code to deal with these cases correctly.

[1] Rec. ITU-T X.690 (02/2021), 8.19.4

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-14 17:00:25 +00:00
Valerio Setti
178b5bdddf pk: move MBEDTLS_PK_CAN_ECDSA_SOME macro to pk.h and fix tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-13 11:15:06 +01:00
Valerio Setti
ce0caa3384 oid: fix comment in #endif
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Valerio Setti
f972ce8d69 oid: replace ECDSA_C with new macros for ECDSA capabilities
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Gilles Peskine
0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2
Include platform.h unconditionally
2022-10-13 10:19:22 +02:00
Manuel Pégourié-Gonnard
07018f97d2 Make legacy_or_psa.h public.
As a public header, it should no longer include common.h, just use
build_info.h which is what we actually need anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-09-16 12:02:48 +02:00
Gilles Peskine
945b23c46f Include platform.h unconditionally: automatic part
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.

There should be no change in behavior since just including the header should
not change the behavior of a program.

This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-15 20:33:07 +02:00
Przemek Stekiel
bf01c64e9d oid.c: unify dependencies (VIA_MD_OR_PSA->VIA_LOWLEVEL_OR_PSA)
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Przemek Stekiel
de81028f00 Adjust dependencies in library/oid.c
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-08-19 10:15:56 +02:00
Manuel Pégourié-Gonnard
73692b7537 Rework macros expressing dependencies
Fix usage with sed:

s/MBEDTLS_OR_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_LOWLEVEL_OR_PSA/
s/MBEDTLS_USE_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_MD_OR_PSA_BASED_ON_USE_PSA/

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-21 12:11:53 +02:00
Manuel Pégourié-Gonnard
f88b1b5375 Introduce MBEDTLS_OR_PSA_WANT_xxx helper macros
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-15 12:08:14 +02:00
Manuel Pégourié-Gonnard
fe2b9b5397 Make mbedtls_oid_get_md_alg() always available
This is a step towards building with RSA PKCS#1v1.5 without MD.

Also loosen guards around oid data: the OID definitions clearly don't
depend on our software implementation.

We could simply have no dependency as this is just data. But for the
sake of code size, let's have some guards so that people who don't use
MD5, SHA1 or RIPEMD160 don't have to pay the price for them.

Note: this is used for RSA (PKCS#v1.5) signatures among other things, an
area that is not influenced by USE_PSA, so the guards should not depend
on it either.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00