psa_aead_encrypt_setup() and psa_aead_decrypt_setup() were returning
PSA_ERROR_INVALID_ARGUMENT, while the same failed checks were producing
PSA_ERROR_NOT_SUPPORTED if they happened in psa_aead_encrypt() or
psa_aead_decrypt().
The PSA Crypto API 1.1 spec will specify PSA_ERROR_INVALID_ARGUMENT
in the case that the supplied algorithm is not an AEAD one.
Also move these shared checks to a helper function, to reduce code
duplication and ensure that the functions remain in sync.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
* Updated the default argument to create less noise with argument
passing.
* Reworded ChangeLog to match MbedTLS documentation/ announcement
requirements
Signed-off-by: Archana <archana.madhavan@silabs.com>
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.
Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_pk_parse_key() makes a temporary copy of the key when it calls
pk_parse_key_pkcs8_encrypted_der(), because that function requires a
writable buffer. pk_parse_key_pkcs8_encrypted_der() always rejects an
empty password, so skip calling it in that case, which allows us to
skip the allocation as well.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Running the out of source CMake test on Ubuntu 16.04 using more than one
processor (as the CI does) can create a race condition whereby the build
fails to see a generated file, despite that file actually having been
generated. This problem appears to go away with 18.04 or newer, so make
the out of source tests not supported on Ubuntu 16.04
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Under gcc11(+) both message and received would cause errors for
potentially being used uninitialised. We fixed many of these issues in
another PR, but this one is only seen under certain configs.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Previously passing a NULL or zero length password into either
mbedtls_pkcs12_pbe() or mbedtls_pkcs12_derive() could cause an infinate
loop, and it was also possible to pass a NULL password, with a non-zero
length, which would cause memory corruption.
I have fixed these errors, and improved the documentation to reflect the
changes and further explain what is expected of the inputs.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
It was unmaintained and untested, and the fear of breaking it was holding us
back. Resolves#4934.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PSA_ALG_RSA_PSS algorithm now accepts only the same salt length for
verification that it produces when signing, as documented.
Fixes#4946.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move GCM's update output buffer length verification
from PSA AEAD to the built-in implementation of the GCM.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
The requirement of minimum 15 bytes for output buffer in
psa_aead_finish() and psa_aead_verify() does not apply
to the built-in implementation of the GCM.
Alternative implementations are expected to verify the
length of the provided output buffers and to return
the MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the
buffer length is too small.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
This option only gated an ability to set a callback,
but was deemed unnecessary as it was yet another define to
remember when writing tests, or test configurations. Fixes#4653.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)
The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Combine the changelog entries for the memory constraints fix on
aarch64 and amd64, since these are essentially fixing the same
issue.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Also fiixed the following merge problems:
crypto_struct.h : Added MBEDTLS_PRIVATE to psa_aead_operation_s
members (merge conflict)
psa_crypto_aead.c : Added ciphertext_length to mbedtls_gcm_finish
call (change of API during development)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Add memory constraints to the aarch64 inline assembly in MULADDC_STOP.
This fixes an issue where Clang 12 and 13 were generating
non-functional code on aarch64 platforms. See #4962, #4943
for further details.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
MULADDC_CORE reads from (%%rsi) and writes to (%%rdi). This fragment is
repeated up to 16 times, and %%rsi and %%rdi are s and d on entry
respectively. Hence the complete asm statement reads 16 64-bit words
from memory starting at s, and writes 16 64-bit words starting at d.
Without any declaration of modified memory, Clang 12 and Clang 13 generated
non-working code for mbedtls_mpi_mod_exp. The constraints make the unit
tests pass with Clang 12.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This parameter was set but not used, which was pointless. Clang 14 detects
this and legitimately complains.
Remove the parameter. This is an internal function, only called once. The
caller already has a sufficient check on the output buffer size which
applies in more cases, so there is no real gain in robustness in adding the
same check inside the internal function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Conflicts:
library/ccm.c
Conflict resolved by re-applying the MBEDTLS_BYTE_0 macro.
Conflict resolved by ignoring the MBEDTLS_PUT_UINT16_BE macro
used in development branch on the 'b' buffer, because the 'b'
buffer is removed in current branch.
The numerical identifier of the CID extension hasn't been settled yet
and different implementations use values from different drafts. Allow
configuring the value at compile time.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The makefiles look for python3 on Unix-like systems where python is often
Python 2. This uses sh code so it doesn't work on Windows. On Windows, the
makefiles just assume that python is Python 3.
The code was incorrectly deciding not to try python3 based on WINDOWS_BUILD,
which indicates that the build is *for* Windows. Switch to checking WINDOWS,
which indicates that the build is *on* Windows.
Fix#4774
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
mbedtls_ecdsa_write_signature() and mbedtls_ecdsa_write_signature_restartable()
now take an extra parameter indicating the size of the output buffer for the
signature.
No change to RSA because for RSA, the output size is trivial to calculate.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
as intended, for keys that cannot be modified through normal use of the API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* development: (66 commits)
Document the return type change in the migration guide
Fix return type of example key export callbacks
Add change log
psa: mac: Add driver dispatch tests for psa_mac_verify
psa: mac: Add driver delegation support for psa_mac_verify()
psa: mac: Introduce psa_mac_compute_internal
psa: mac: Add driver dispatch tests for psa_mac_compute
psa: mac: Improve MAC finalization code
psa: mac: Add driver delegation support for psa_mac_compute()
psa: mac: Add MAC compute builtin implementation
psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
psa: mac: Split psa_mac_setup()
psa: mac: Re-organize psa_mac_setup() internal function
Move export callback and context to the end of SSL context
Improve ChangeLog wording for key export
Remove return value from key export callback
Make key export callback and context connection-specific
Remove all occurrences of TLS < 1.2 PRF identifier
Remote key export identifier used for TLS < 1.2.
Add missing documentation for key export callback parameters
...
mbedtls_mpi_read_binary{,_le} (in https://github.com/ARMmbed/mbedtls/pull/4276)
and mbedtls_mpi_read_string (in https://github.com/ARMmbed/mbedtls/pull/4644)
changed their behavior on an empty input from constructing an MPI object with
one limb to not allocating a limb. In principle, this change should be
transparent to applications, however it caused a bug in the library and it does
affect the value when writing back out, so list the change in the changelog.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In Mbed TLS 2.26.0, the bug was hard to trigger, since all methods for
parsing a bignum (mbedtls_mpi_read_xxx functions) constructed an mbedtls_mpi
object with at least one limb.
In the development branch, after the commit
"New internal function mbedtls_mpi_resize_clear", this bug could be
triggered by a TLS server, by passing invalid custom Diffie-Hellman
parameters with G=0 transmitted as a 0-length byte string.
Since the behavior change in mbedtls_mpi_read_binary and
mbedtls_mpi_read_binary_le (constructing 0 limbs instead of 1 when passed
empty input) turned out to have consequences despite being in principle an
internal detail, mention it in the changelog.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
