Commit graph

12622 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
4d8c836cdc
Merge pull request #346 from gilles-peskine-arm/mpi_copy_shrink
Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:01 +01:00
Janos Follath
f317dc4918
Merge pull request #350 from gilles-peskine-arm/asn1-tests-parse_prefixes-trailing_garbage
test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes
2020-02-05 15:40:22 +00:00
Janos Follath
4fde885d1f
Merge pull request #357 from gilles-peskine-arm/merge-crypto-development-20200203
Update Mbed Crypto with latest Mbed TLS changes as of 2020-02-03
2020-02-04 11:00:51 +00:00
Gilles Peskine
2579675935 Merge remote-tracking branch 'upstream-public/development' into development
Files deleted by us: keep them deleted.

```
git rm $(git status -s | sed -n 's/^DU //p')
```

Individual files with conflicts:

* `README.md`: keep the crypto version.
* `doxygen/input/doc_mainpage.h`: keep the crypto version (with an obsolete Mbed Crypto version number).
* `include/mbedtls/error.h`:
    * `ERROR`: similar additions made through parallel commits, with only whitespace differences. Align with the tls version.
* `library/CMakeLists.txt`: keep the crypto version.
* `library/Makefile`: keep the crypto version.
* `scripts/generate_errors.pl`: keep the crypto version (the relevant changes were made through parallel commits).
* `tests/scripts/check-test-cases.py`:
    * `Results`: keep the crypto version, which has both the new argument to the constructor (added in crypto only) and the class docstring (added through parallel commits).
* `tests/suites/helpers.function`:
    * `ARRAY_LENGTH`, `ASSERT_ALLOC`: additions in the same location. Keep both, in indifferent order.
* `tests/suites/target_test.function`:
    * `receive_uint32`: keep the crypto version which has an additional bug fix. The tls changes made in tls are irrelevant after this bug fix.
* `visualc/VS2010/mbedTLS.vcxproj`: run `scripts/generate_visualc_files.pl`.

Review of non-conflicting changes:

* `all.sh`: 1 change.
    * zlib test components: don't add them.
* `include/CMakeLists.txt`: 1 change.
    * `target_include_directories`: doesn't work as is (different target name). Don't take the change.
* All other non-conflicting changes: take them.
2020-02-03 18:52:36 +01:00
Gilles Peskine
a9da093617 shrink tests: clearer description 2020-02-03 16:18:30 +01:00
Gilles Peskine
9a6ecee4de Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:15:47 +01:00
Janos Follath
b7000d4b2f
Merge pull request #345 from gilles-peskine-arm/psa_mac_verify_finish-status
Fix possible error code mangling in psa_mac_verify_finish
2020-02-03 13:55:11 +00:00
Gilles Peskine
c69c2c5bf5
Merge pull request #263 from hanno-arm/asn1_traversal_api
Introduce ASN.1 SEQUENCE traversal API
2020-02-03 13:35:19 +01:00
Hanno Becker
34aada2df5 Replace use of uint8_t by unsigned char in ASN.1 seq traversal API
The rest of the ASN.1 API uses `unsigned char`, too.
2020-02-03 10:39:55 +00:00
Hanno Becker
1505f636a2 ASN.1: Reimplement mbedtls_asn1_get_sequence_of() via traversal API 2020-01-31 15:40:51 +00:00
Gilles Peskine
36ce88be1e
Merge pull request #2999 from catenacyber/fuzzrsa
Checks mbedtls_rsa_export return in fuzz targets
2020-01-31 16:38:43 +01:00
Gilles Peskine
c0611a5a61
Merge pull request #352 from jack-fortanix/jack/parse-rsa-crt-params
Parse RSA parameters DP, DQ and QP from PKCS1 private keys
2020-01-31 16:37:31 +01:00
Hanno Becker
199b709e53 ASN.1: Add ASN.1 SEQUENCE traversal API 2020-01-31 15:37:26 +00:00
Gilles Peskine
b5c74a53d8 Document one more error code for mbedtls_asn1_get_sequence_of
Also fix a copypasta.
2020-01-31 15:37:26 +00:00
Hanno Becker
12ae27dd0e ASN.1: Introduce helper function to free ASN.1 sequence 2020-01-31 15:37:26 +00:00
Hanno Becker
63e38fe914 ASN.1: Add helper macro to compare ASN.1 buffer to OID string 2020-01-31 15:37:26 +00:00
Hanno Becker
cba7122d74 ASN.1: Add helper macro to detect string types 2020-01-31 15:37:26 +00:00
Gilles Peskine
512d040963
Merge pull request #2964 from gilles-peskine-arm/psa-streamline_encodings-types_and_curves-ls
USE_PSA_CRYPTO: update elliptic curve encoding
2020-01-31 16:30:02 +01:00
Jaeden Amero
2b91abaae6
Merge pull request #2984 from piotr-now/iotssl-2955-move-handshake-to-prescribed-state
Add test for prescribed states of handshake with the custom IO callbacks
2020-01-31 14:16:53 +00:00
Gilles Peskine
42459805ce USE_PSA_CRYPTO: don't rely on the curve encoding
Adapt to the change of encoding of elliptic curve key types in PSA
crypto. Before, an EC key type encoded the TLS curve identifier. Now
the EC key type only includes an ad hoc curve family identifier, and
determining the exact curve requires both the key type and size. This
commit moves from the old encoding and old definitions from
crypto/include/mbedtls/psa_util.h to the new encoding and definitions
from the immediately preceding crypto submodule update.
2020-01-31 14:57:43 +01:00
Gilles Peskine
81d3100250 Update crypto submodule
Previously in d8752858fc:
* #333: Streamline PSA key type encodings: prepare
* #323: Initialise return values to an error

Previously in dbcb44202c:
* #291: Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
* #334: Fix some pylint warnings

Previously in ceceedb532:
* #348: Bump version to Mbed TLS 2.20.0 and crypto SO version to 4
* #354: Fix incrementing pointer instead of value

In this commit:
* #349: Fix minor defects found by Coverity
* #179: Add option to build SHA-512 without SHA-384
* #327: Implement psa_hash_compute and psa_hash_compare
* #330: Streamline PSA key type and curve encodings
2020-01-31 14:57:16 +01:00
Gilles Peskine
819799cfc6
Merge pull request #330 from gilles-peskine-arm/psa-streamline_encodings-types_and_curves
Streamline PSA key type and curve encodings
2020-01-31 14:52:15 +01:00
Gilles Peskine
3e819b7d69 psa_key_agreement_ecdh: zeroize output on failure
If psa_key_agreement_ecdh fails, there may be output that leaks
sensitive information in the output buffer. Zeroize it.

If this is due to an underlying failure in the ECDH implementation, it
is currently not an issue since both the traditional Mbed TLS/Crypto
implementation and Everest only write to the output buffer once every
intermediate step has succeeded, but zeroizing is more robust. If this
is because the recently added key size check fails, a leak could be a
serious issue.
2020-01-31 10:24:21 +01:00
Gilles Peskine
7cfcb3fc03 Change the encoding of key types to have a parity bit
Change the encoding of key types, EC curve families and DH group
families to make the low-order bit a parity bit (with even parity).

This ensures that distinct key type values always have a Hamming
distance of at least 2, which makes it easier for implementations to
resist single bit flips.
2020-01-31 10:24:21 +01:00
Gilles Peskine
7d7c8dc8b0 Test parsing invalid key type in storage 2020-01-31 10:24:21 +01:00
Gilles Peskine
46e6f9de4a Document the vendor range for EC curve and DH group families 2020-01-31 10:24:21 +01:00
Gilles Peskine
f65ed6f254 Change key types to a 16-bit encoding
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.
2020-01-31 10:24:21 +01:00
Gilles Peskine
b87b719467 Remove old values of curve encodings
Remove the values of curve encodings that are based on the TLS registry
and include the curve size, keeping only the new encoding that merely
encodes a curve family in 8 bits.

Keep the old constant names as aliases for the new values and
deprecate the old names.
2020-01-31 10:24:21 +01:00
Gilles Peskine
d1959dcd4a Change auxiliary functions for TLS to the new PSA EC curve encoding
This is a change to an internal API that is exposed only for the sake
of Mbed TLS.
2020-01-31 10:24:21 +01:00
Gilles Peskine
80d26fb56f Switch psa_crypto tests to the new curve encoding 2020-01-31 10:24:21 +01:00
Gilles Peskine
4080c91e73 pk: USE_PSA_CRYPTO: don't translate via the TLS ID
Use the same translation function that the PSA crypto implementation
uses.
2020-01-31 10:15:32 +01:00
Gilles Peskine
89177e862b Convert USE_PSA_CRYPTO pk interface to the new PSA EC curve encoding 2020-01-31 10:15:32 +01:00
Gilles Peskine
33b1c69908 pk tests: USE_PSA_CRYPTO: test several curves 2020-01-31 10:15:32 +01:00
Gilles Peskine
85f47c9d69 pk tests: USE_PSA_CRYPTO: test attributes of the PSA key 2020-01-31 10:15:32 +01:00
Gilles Peskine
45c29ce4c0 Move size-specific curve/group constants to crypto_compat.h 2020-01-31 10:15:32 +01:00
Gilles Peskine
228abc5773 Define EC curve family constants
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.

Support these constants in the implementation and in the PSA metadata
tests.

Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.

Switch some documentation to the new encodings.

Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
2020-01-31 10:15:32 +01:00
Gilles Peskine
025fccdc32 Change the encoding of EC curves and DH groups to include the size
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).

As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
2020-01-31 10:15:32 +01:00
Gilles Peskine
d8197cb902 mbedtls_psa_parse_tls_ecc_group: make no assumption on PSA encodings
Don't assume that the PSA encoding of elliptic curves is identical to
the TLS encoding. This is currently true but about to change.

The new implementation only works when MBEDTLS_ECP_C is defined. This
is ok because the function is only used with MBEDTLS_ECP_C defined.
2020-01-31 10:15:32 +01:00
Gilles Peskine
fc2459db13 Remove mbedtls_psa_translate_ecc_group
Internally, use the corresponding function from psa_crypto.c instead.
Externally, this function is not used in Mbed TLS and is documented as
"may change at any time".
2020-01-31 10:15:32 +01:00
Gilles Peskine
5055b239bf Expose mbedtls/psa curve identifier conversions from psa_crypto.c 2020-01-31 10:15:32 +01:00
Gilles Peskine
4295e8b9c5 Rework PSA curve to mbedlts group id conversion
Don't rely on the bit size encoded in the PSA curve identifier, in
preparation for removing that.

For some inputs, the error code on EC key creation changes from
PSA_ERROR_INVALID_ARGUMENT to PSA_ERROR_NOT_SUPPORTED or vice versa.
There will be further such changes in subsequent commits.
2020-01-31 10:15:32 +01:00
Gilles Peskine
c7ef5b3f45 Rework mbedlts group id to PSA curve conversion
Don't rely on the PSA curve identifier determining the key size, in
preparation for removing that.
2020-01-31 10:15:32 +01:00
Gilles Peskine
2eea95cb5d Extract the block size from the key type encoding 2020-01-31 10:15:32 +01:00
Gilles Peskine
7bfcfac164 Change key type encodings to avoid bit 16
Key types are now encoded through a category in the upper 4 bits (bits
28-31) and a type-within-category in the next 11 bits (bits 17-27),
with bit 16 unused and bits 0-15 only used for the EC curve or DH
group.

For symmetric keys, bits 20-22 encode the block size (0x0=stream,
0x3=8B, 0x4=16B).
2020-01-31 10:15:32 +01:00
Gilles Peskine
8fe6e0de3a Symmetric key types only use the upper 16 bits of psa_key_type_t
Change the numerical encoding of values for symmetric key types to
have 0000 as the lower 16 bits. Now the lower 16 bits are only used
for key types that have a subtype (EC curve or DH group).
2020-01-31 10:15:32 +01:00
Piotr Nowicki
2a1f178d7c Add test for prescribed states of handshake with the custom IO callbacks 2020-01-31 10:06:04 +01:00
Manuel Pégourié-Gonnard
350d4c3630
Merge pull request #327 from gilles-peskine-arm/psa-hash_compute
Implement psa_hash_compute and psa_hash_compare
2020-01-31 09:31:41 +01:00
Manuel Pégourié-Gonnard
ead19fecf9
Merge pull request #2975 from mpg/add-zlib-tests-dev
Add zlib tests and fix runtime bug
2020-01-31 09:22:24 +01:00
Janos Follath
b719d4bede Merge pull request #2963 from jiblime/zlib-fix into development 2020-01-30 16:15:16 +00:00
Gilles Peskine
13faa2d920 Don't declare a parameter as const
An earlier commit fixed this for psa_hash_compare. psa_mac_verify had
the same flaw.
2020-01-30 16:32:21 +01:00