Commit graph

4793 commits

Author SHA1 Message Date
Hanno Becker
7e6c178b6d Make key export callback and context connection-specific
Fixes #2188

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
22b34f75cd Remote key export identifier used for TLS < 1.2.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
ddc739cac4 Add missing documentation for key export callback parameters
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
457d61602f Define and implement new key export API for Mbed TLS 3.0
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
2d6e6f8fec Remove '_ext' suffix from SSL key exporter API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
78ba2af7c2 Remove old key export API
Seems to be an oversight that this wasn't marked deprecated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
TRodziewicz
963bb810f4 Removing global variable and moving variant function comment block
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 13:22:57 +02:00
Hanno Becker
5c5b820352 Fix typo in doc'n of session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 12:21:25 +01:00
Manuel Pégourié-Gonnard
9d4c2c4e42 Clarify how to create custom profiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:19:34 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
Gilles Peskine
39957503c5 Remove secp256k1 from the default X.509 and TLS profiles
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
a03fb29666 Document backward compatibility promises for the default TLS profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:05 +02:00
Gilles Peskine
a28f0f5082 Leave the preference order for hashes unspecified
We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad In TLS, order curves by resource usage, not size
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.

So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.

The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
377c91e1b7 Remove meaningless clause
We stated that curves were listed "in order of preference", but we never
explained what the preference was, so this was not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
5752e599b3 Reduce the default ECP window size
MBEDTLS_ECP_WINDOW_SIZE is a compromise between memory usage (growing based
on the value) and performance (faster with larger values). There are
disminishing returns as the value grows larger. Based on Manuel's benchmarks
recorded in https://github.com/ARMmbed/mbedtls/issues/4127, 4 is a good
compromise point, with larger values bringing little advantage. So reduce
the default from 6 to 4.

Document the default value as in optimized for performance mostly, but don't
document the specific value, so we may change it later or make it
platform-dependent.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
ae270bf386 Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ffb92da622 Upgrade the default X.509 profile to the former "next" profile
Upgrade the default X.509 certificate verification profile
mbedtls_x509_crt_profile_default to the former value of
mbedtls_x509_crt_profile_next, which is hashes and curves with at least 255
bits (Curve25519 included), and RSA 2048 and above.

Document more precisely what goes into the default profile.

Keep the "next" profile unchanged for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
Manuel Pégourié-Gonnard
55a7fb8322 Improve documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:42:03 +02:00
Manuel Pégourié-Gonnard
5314e08e08 Make the fields of mbedtls_x509_crt_profile public
These fields are supposed to be manipulated directly, that's how people
create custom profiles.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:32:01 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f8c24bf507 Fix signature of check_pub_priv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
aa3ed6f987 Make RNG parameters mandatory in ECP functions
Fix trivial faulty calls in ECP test suite and ECP/ECJPAKE self-tests (by
adding a dummy RNG).

Several tests suites are not passing yet, as a couple of library
function do call ecp_mul() with a NULL RNG. The complexity of the fixes
range from "simple refactoring" to "requires API changes", so these will
be addressed in separate commits.

This makes the option MBEDTLS_ECP_NO_INTERNAL_RNG, as well as the whole
"internal RNG" code, obsolete. This will be addressed in a future
commit, after getting the test suites to pass again.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
7861ecf838 Make RNG parameters mandatory in ECDH functions
Again, no check in the code - will be checked by ECP

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
1a87722bb6 Make RNG parameters mandatory in DHM functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
34d3756457 Make RNG parameters mandatory in PK functions
Again, no check here, will be checked by lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
c305b72ed1 Make RNG parameters mandatory in X.509 functions
Not adding a check in the code here, as this will be checked by the
lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
ad5390fc4f Clarify that RNG parameters are mandatory in SSL
No change here, these were already mandatory, it just wasn't explicit in
the documentation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Hanno Becker
ab4ecfcc2c Improve wording of documentation of new session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-17 05:12:16 +01:00
Thomas Daubney
4a7010d1aa Removes MBEDTLS_SSL_TRUNCATED_HMAC config option
Commit removes the
MBEDTLS_SSL_TRUNCATED_HMAC config option from config.h
and places a check that it is unset in check_config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Thomas Daubney
d7171e9f59 Removes truncated HMAC code from ssl.h
Commit removes conditionally compiled code
relating to MBEDTLS_SSL_TRUNCATED_HMAC from
ssl.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Mateusz Starzyk
d6f673d710 Remove outdated note about multiple calls to cipher update for
associated data.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
bd513bb53d Enable multiple calls to mbedtls_gcm_update_ad.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
TRodziewicz
15a7b73708 Documentation rewording
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 11:22:53 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
TRodziewicz
90f304ff1a Fixing test_clang_opt (asm not defined)
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:48:01 +02:00
TRodziewicz
d854083773 Move part of timing module out of the library
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:47:44 +02:00
Manuel Pégourié-Gonnard
8cad2e22fc
Merge pull request #4595 from gilles-peskine-arm/alt-dummy-headers-3.0
Lighten and test constraints on context types in alternative implementations
2021-06-15 12:12:46 +02:00
Gilles Peskine
e5702489f5 mbedtls_dhm_get_value parameter order: context first, output last
mbedtls_dhm_get_value can be seen as either a copy function or a getter
function. Given the name and the semantics, it's more of a getter, even if
it "gets" by doing a copy. Therefore, put the context first, and the
selector next, leaving the output for last.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
bf69ea5b8f Make some fields of mbedtls_ecp_group public
The Mbed TLS code relies heavily on reading certain fields of
mbedtls_ecp_group directly. Make these fields public. Require
that MBEDTLS_ECP_ALT alternative implementations have them.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
cd07e22048 New function mbedtls_ecjpake_set_point_format
Use this instead of accessing the field directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
71acc6e8d9 New function mbedtls_dhm_get_value to copy a field of a DHM context
Reduce the need to break the DHM abstraction by accessing the context directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
487bbf6805 DHM: new functions to query the length of the modulus
Add two functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen() to
query the length of the modulus in bytes or bits.

Remove the len field: the cost of calling mbedtls_dhm_get_len() each time
it's needed is negligible, and this improves the abstraction of the DHM
module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
601d34396c Update TLS presets when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
6e1387abed Update MBEDTLS_ECP_MAX_BITS when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
d0b16303bb Determine MBEDTLS_ECP_MAX_BITS automatically
MBEDTLS_ECP_MAX_BITS doesn't make sense as a configuration option: it
must not be smaller than the largest supported curve, and it's useless
to set it to a larger value. So unconditionally set it to the size of
the largest supported curve. Remove it from the build configuration.

Alternative implementations must no longer need define this macro.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
9ef1ea7444 Move the definition of derived values out of the settings section
Alternative implementations must no longer define these macros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
cee21d76f1
Merge pull request #4606 from TRodziewicz/turn__SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt
Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config opt to a runtime opt
2021-06-14 19:03:28 +02:00
Ronald Cron
c4c761e35e Merge remote-tracking branch 'mbedtls/development' into mbedtls_private_with_python
Conflicts:
    include/mbedtls/ssl.h
    include/psa/crypto_struct.h

Conflicts fixed by using the code from development branch
and manually re-applying the MBEDTLS_PRIVATE wrapping.
2021-06-14 16:17:32 +02:00
TRodziewicz
3946f79cab Correction according to code review (function and param. names change
and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 13:46:21 +02:00
TRodziewicz
8476f2f30a Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config option to a runtime option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:20 +02:00
TRodziewicz
1fcd72e93c change log and migr. guide fixes and _DEPRECATED_REMOVED removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:16:06 +02:00
Janos Follath
21f84643f8
Merge pull request #4317 from yanesca/psa-jpake-interface
J-PAKE interface definition for PSA Crypto
2021-06-11 13:47:25 +01:00
Ronald Cron
57864faf84
Merge pull request #4634 from Patater/mbed-can-do-timing
config: Allow Mbed to implement TIMING_C
2021-06-11 09:14:13 +02:00
Gilles Peskine
02b76b7d18
Merge pull request #4619 from TRodziewicz/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options
Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
2021-06-10 17:43:36 +02:00
Jaeden Amero
197496af69 config: Allow Mbed to implement TIMING_C
Mbed OS now provides POSIX-like time functions, although not alarm() nor
signal(). It is possible to implement MBEDTLS_TIMING_ALT on Mbed OS, so
we should not artificially prevent this in check-config. Remove the the
check that prevents implementing MBEDTLS_TIMING_ALT on Mbed OS.

Note that this limitation originally was added in the following commit,
although there isn't much context around why the restriction was
imposed: 63e7ebaaa1 ("Add material for generating yotta module"). In
2015, Mbed OS was quite a different thing: no RTOS, no threads, just an
asynchronous event loop model. I'd suppose the asynchronous event loop
model made it difficult before to implement MBEDTLS_TIMING_C on Mbed OS,
but that is no longer the case.

Fixes #4633

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-06-09 13:47:27 +01:00
TRodziewicz
3ecb92e680 Remove _X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 13:28:16 +02:00
TRodziewicz
26371e4793 Rename the _ret() functions
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-08 16:45:41 +02:00
Janos Follath
1f0131844c Clarify PSA_PAKE_STEP_ZK_PROOF format
Removing reference to RFC 7748 as it is more confusing than helpful. (It
decodes the scalars after masking which is not part of the encoding we
want to specify. Also, it has the explanation what it means by little
endian in a preceding section that is not trivial to find.)

We also explicitly specify constraint on leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:30:48 +01:00
Janos Follath
46c02375b7 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:22:51 +01:00
Janos Follath
0dcda95ac0 Make check-names.sh happy
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:52:05 +01:00
Janos Follath
33434a9f60 Fix parenthesis spacing in crypto_struct.h
crypto_struct.h is implementation-specific so it was intended to have
Mbed TLS whitespace style.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:51:40 +01:00
Janos Follath
55dd5dc355 PSA PAKE: Clarify the documentation of NIZKP steps
The expression "the masking is omitted" assumes familiarity with
Montgomery curve private key format and even then can be confusing and
ambiguous or confusing.

Describe directly what format we mean and add some more background
information and reference to the standard as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b384ec19d1 PSA PAKE: fix J-PAKE documentation code rendering
4-space indent is only guaranteed to result in a code block if there's a
blank line just before (details vary depending on the markdown
implementation, and doxygen isn't exactly markdown anyway). In a bullet
list, you need 8 spaces since the list itself is a nested construct
which takes a 4-space indent (even though you don't have to indent
continuation lines inside a bullet point by 4 spaces, 1 is enough).

Using \code...\encode which is rendering as intended.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
3293dae00e psa_pake_setup(): simplify documentation
This level of detail can be confusing and could require even more detail
to clear it up. Simplifying it instead in alignment wiht the
documentation of existing setup functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b4db90fb27 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
38d29db75f Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
a46e28f786 PSA PAKE: use neutral pronouns
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
ec83eb605e Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
52f9efad22 Revert "Rename psa_pake_set_password()"
This reverts commit 03a5fd7780026b2ca0b4728352ded930f5a7cff9.

We're already calling the output of a PAKE a "shared secret". The
password is a shared secret (for PAKE where the verifier knows a
password-equivalent secret), but calling it "shared secret" or even just
"secret" would be confusing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
89ee05a805 Rename psa_pake_set_password()
Technically this function takes a low entropy secret as an input which
might or might not be the password. Using the term "secret" in the
function name is less misleading.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
559f05eefc PSA PAKE: remove psa_pake_set_password_stretch()
The password stretching (using slow and/or memory hard hashes) in PAKEs
usually serves two purposes:

- Defending against server compromise impersonation attacks. J-PAKE is an
augmented PAKE and as such, stores a password-equivalent and defending
against this class of attacks is out of scope.
- Preventing offline dictionary attacks. J-PAKE is proven to be zero
knowledge and leaks no information beyond the fact if the passwords
matched and offline dictionary attack is not possible.

In summary: J-PAKE does not benefit from pasword stretching and is
unlikely to be an input. This part of the API is not necessary at this
point and can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
7d69b3a993 PSA PAKE: add warning about stability
We are not confident about the stability of the PAKE interface (it is
just a proposal, not part of the standard yet).  So we should explicitly
document it as experimental, subject to change.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
702cf09ae9 PSA PAKE: move the API to crypto_extra.h
At this point this is a proposed PAKE interface for the PSA Crypto API
and not part of the official standard. Place the interface in
crypto_extra.h to make this clear.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:34 +01:00
Janos Follath
304766e11e PSA PAKE: make algorithm macro name consistent
The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not
PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as
well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
a295918596 PSA PAKE: add input size macros
The caller is likely to receive the inputs on the wire, and having a
known size for which they can confidently reject longer inputs would be
helpful in cases where the application can't just use the input in
place.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
5e1948d2a3 PSA PAKE: define size macros as 0
Define the size macros to 0 rather than empty. That will lead to fewer
weird errors when we start implementing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Ronald Cron
d2cfa3e980 Improve mbedtls_rsa_init/set_padding() descriptions
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
c1905a1c3d Change mbedtls_rsa_init() signature
Remove padding parameters as mbedtls_rsa_init()
cannot return an error code when padding
parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
ea7631be1c Change mbedtls_rsa_set_padding() signature
mbedtls_rsa_set_padding() now returns the error
code MBEDTLS_ERR_RSA_INVALID_PADDING when
padding parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:10 +02:00
Manuel Pégourié-Gonnard
16fdab79a5
Merge pull request #4382 from hanno-arm/max_record_payload_api
Remove MFL query API and add API for maximum plaintext size of incoming records
2021-06-08 11:07:27 +02:00
TRodziewicz
0730cd5d9e Merge branch 'development' into Remove__CHECK_PARAMS_option 2021-06-07 15:41:49 +02:00
TRodziewicz
442fdc22ea Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-07 13:52:23 +02:00
Mateusz Starzyk
a74295fb52 Remove outdated note about direct manipulation of private members.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:30:55 +02:00
Mateusz Starzyk
8fc95a06a6 Wrap variable missed by the python script.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:28:24 +02:00
Mateusz Starzyk
2abe51cc75 Extend setup_and_run script to cover remaining configurations.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:08:01 +02:00
Mateusz Starzyk
854a25c7a4 Merge branch 'development' into mbedtls_private_with_python
Conflicts:
         include/mbedtls/ecp.h

Conflict resolved by using the code from development branch
and manually applying the MBEDTLS_PRIVATE wrapping.
2021-06-07 09:49:01 +02:00
Manuel Pégourié-Gonnard
9371a40476 Stop referencing private constants in documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:42 +02:00
Manuel Pégourié-Gonnard
cac90a15ed Hide constants for TLS 1.0 and TLS 1.1
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:33 +02:00
Hanno Becker
d60b6c62d5 Remove per-version ciphersuite configuration API
This commit removes the API

```
    mbedtls_ssl_conf_ciphersuites_for_version()
```

which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.

With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.

This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and

```
   mbedtls_ssl_conf_ciphersuites()
```

can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:20:10 +02:00
Manuel Pégourié-Gonnard
0c1a42a147
Merge pull request #4611 from gilles-peskine-arm/random-range-uniformity-3.0
Fix non-uniform random generation in a range
2021-06-04 10:43:15 +02:00
Manuel Pégourié-Gonnard
f9f9cc217c
Merge pull request #4579 from tom-daubney-arm/rm_ecdh_legacy_context_config_option
Remove `MBEDTLS_ECDH_LEGACY_CONTEXT` config option
2021-06-04 10:02:59 +02:00
Gilles Peskine
7ed7c5a37d mbedtls_mpi_random: document MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
Note that this error has a negligible probability with a "crypto-sized"
bound, but macroscopic probability with a small bound.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
1e918f44c9 mbedtls_mpi_random: check for invalid arguments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
02ac93a1a3 Move mbedtls_mpi_random to the bignum module
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.

This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Thomas Daubney
537e64305d Corrects documentation issues
Commit corrects incorrect docs in
ecdh.h and config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-03 15:46:33 +01:00
Janos Follath
79e1c47a54 PSA PAKE: explain implicit key confirmation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7c59b7a073 Improve psa_pake_set_peer()/user() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
56a4d7a59f Simplify PAKE input/output format documentation
Make input/output format documentation easier to find:
- Add direct reference to the steps from the input/output functions
- Move the format description directly to the step constants

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ead0e4fc7b PSA PAKE: Clarify J-PAKE algorithm documentation
- Transformed setup description to a more explicit pseudocode based
approach.
- Explained implicit vs explicit key confirmation

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
d416838ffd Rename psa_pake_set_password_mhf()
This step is not necessarily a memory-hard function. Memory-hard
functions are the best of the breed at the moment, but that's due to
current hardware designs, and CPU-hard-but-not-memory-hard functions
like PBKDF2 are acceptable as well. We're using “key stretching” as the
generic term for such functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
3ae6696811 Clarify psa_pake_setup() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
19271ea183 PSA PAKE: Clarify documentation of valid states
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
9a04aeaff5 PSA PAKE: improve and fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7b8910322c PSA PAKE: refine documentation of return values
The key derivation operation passed to psa_pake_set_password_mhf() might
enter an error state before the function returns. If this happens, the
user needs to know about it so that they can properly abort it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
e1a080f1f8 Improve psa_pake_set_password_mhf() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
1062a24152 Fix psa_pake_set_password_mhf() parameter list
The type of the key derivation operation was incorrect.

Also neither the PAKE nor key_derivation algorithm knows how many bytes
to transfer at this stage.

There is no optimal or recommended size, PAKEs don't mandate it either
(with the exception of OPAQUE, but that uses it internally and won't be
using this interface).

Adding an input length parameter to allow the application to control how
many bytes the PAKE takes from the key derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
14ce06afe2 PSA PAKE: fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ef816f37be Fix precedence in psa_pake_cs_set_primitive()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ed82716546 Remove always false comparison PSA_PAKE_PRIMITIVE
Always false comparison triggered compiler warnings. Removing comparison
while preserving semantics to achieve clean build.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
60fa7c59b2 PSA PAKE: document operation parameters
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
b0bcb633ff Link PSA_KEY_TYPE_PASSWORD in the documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
fe0c4493f5 Add psa_pake_set_password_mhf()
Using memory hard functions with PAKEs is the more secure option. It
should be as convenient and efficient to use as less secure options, but
so far it required creating an additional temporary key object.

With psa_pake_set_password_mhf() this eliminates the need for this.

Similarly we could add a convenience function to supply the password
directly from character strings, but that would make the less secure
option more convenient again and therfore we are not doing it now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
56cc9ccc39 PSA PAKE: Align macro names with psa_pake_step_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
3c09c47333 PSA PAKE: remove redundant steps
PAKE constructions that have multiple key shares will always consume and
produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X
would demand step-sequence validation, and provides no functional
utility over having only PSA_PAKE_DATA_XXX.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a71811aa4c Fix typo
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
78b9e40662 PSA PAKE: reintroduce psa_pake_primitive_t
If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a
structure it can't be a compile-time constant anymore.

Reintroducing psa_pake_primitive_t, because it can be constructed as an
integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE
calculating accurate estimates on the output size in compile time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a86c3131a8 PSA PAKE: divide setup into several steps
There are too many parameters to the setup function. This makes it hard
to figure out how to call the function and read code that calls the
function. This also opens the suspicion that there's yet another
parameter that we're missing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
beb78d4d41 Rename psa_pake_data_t
"Data" is too vague, renaming it to psa_pake_step_t. It is still
somewhat vague, but at least consistent with the naming used in key
derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
57cfc407e0 Remove obsolete __DOXYGEN_ONLY__ blocks
__DOXYGEN_ONLY__ blocks were only used to typeset the PSA specification
back when it was extracted from Mbed TLS headers. They are no longer
used and should be removed.

The PSA Crypto Driver API is still under development and might be
extracted from Mbed TLS headers, leaving them there for now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f53c7af916 PSA PAKE: introduce psa_pake_family_t
It is the size of something that has no a priori reason to consist of 8
bits.  This should be psa_pake_family_t, both for documentation (and
possibly static analysis) and in case 8 bits turn out not to be enough.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
1459aa5656 PSA PAKE: improve documentation
Minor documentation improvement and fixes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f75be64ef5 PSA PAKE: fix identifier value
Identifier value was not consistent with PSA conventions (last byte is
reserved for hash algorithms or used in algorithms parametrized by
a hash).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
5b44cfd430 PSA PAKE: remove alg parameter from setup
The cipher suite now defines the algorithm itself as well. Passing the
algorithm separately is redundant and error prone.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
684da03532 PSA PAKE: remove obsolete types and macros
Making the cipher suite struct internal made a number of types and
macros in the interface unused.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
cd56ff9c59 PSA PAKE: make cipher suite opaque
Hiding the structure of the cipher suite implementation allows for
greater flexibility.

To preserve maximum flexibility, the constructor is replaced by
individual setter/getter functions.

Convenience macros and or functions can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
82b54b96d3 PSA PAKE: Align macro names
In the key types API, PSA Crypto uses ECC to denote Elliptic curve
cryptography and DH to denote Finite Field Diffie-Hellman.

Change PSA_PAKE_PRIMITIVE_TYPE_XXX macros to be aligned.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
fc3577daae Remove reference to PSA_PAKE_KEY_SHARE_SIZE
The macro PSA_PAKE_KEY_SHARE_SIZE has been removed, we need to remove
references to it from the documentation as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
2ba6079d47 PSA: fix wording for implementation defined types
There were remnants of the PSA specification wording in the
documentation that can be confusing in Mbed TLS.

We need to make it clear what the consequences of being implementation
defined are in Mbed TLS.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
8005e8a167 Shrink psa_pake_side_t to uint8_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ef1b8c9a76 PSA PAKE: Relate JPAKE documentation to RFC8236
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
7ebcbf34f9 Remove psa_pake_get/set_key_share() functions
The main purpose of psa_pake_get_key_share() is to provide a more
straightforward and convenient call flow for regular PAKEs. Most PAKEs
have a single key share and need a flow like this:

op=PSA_PAKE_OPERATION_INIT;
psa_pake_setup();
psa_pake_get_key_share();
psa_pake_set_key_share();
psa_pake_get_implicit_key();

Adding psa_pake_get/set_key_share() functions cuts out the
psa_pake_data_t constants from the users vision, hiding complexity that
exists only for unrelated PAKEs that aren't relevant for the user.

This comes with the cost of the two additional API functions that we need
to maintain.

Since the current stream of work focuses on enabling J-PAKE, there are
no benefits to these functions for now.

Once algorithms that can benefit from this simplification are added,
adding back these functions can be reconsidered.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
fb4203dcff PSA PAKE: Call the scheme algorithm
The documentation is calling PAKEs protocols but it has an
psa_algorithm_t identifier. To align the terminology, the documentation
should call them algorithms as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
020da462d2 Fix PSA_PAKE_PRIMITIVE macro
Fix the typo in the macro definition and more specific parameter names
allow for future scripts to check validity of arguments.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
1101edb948 PSA PAKE: typo fixes in documentation
Also removes the mention of THREAD as we can't give a publicly available
reference for it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ca2c167dcb PSA PAKE: fix doxygen warnings
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
7f1e81a98d PSA PAKE: specify key type and usage
The PSA_KEY_TYPE_PASSWORD key type to which this documentation change
refers to is not yet present in the code and will be introduced by a
parallel line of work.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b378d57840 PSA PAKE: add output size macros
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
9c6b147d98 PSA PAKE: Add J-PAKE to the interface
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
8a09ca9d94 PSA PAKE: Add dummy operation context
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
508afeca67 PSA PAKE: Add cipher suite structure
PAKE protocols make use of a range of cryptographic schemes and
primitives. Standards allow for several options to use for each of them.
They call the combination of specific algorithms cipher suites,
configurations or options.

Cipher suites are represented by a separate data type for several
reasons:
1. To allow for individual PAKE protocols to provide pre-defined cipher
   suites.
2. To organise cipher suites into a unit that can be handled separately
   from the operation context. The PAKE operation flow is already
   complex, will be even more so when key confirmation is added.
   Handling them separately should reduce the surface of the interface
   the application developer needs to pay attention at any given time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
38a5d35646 PSA PAKE: Add type for representing primitives
In most of the PAKEs the primitives are prime order groups, but some of
them might need the ring structure or just are using completely different
algebraic structures (eg. SRP or PQC schemes).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b86273a6dc PSA PAKE: Add integral types
Add integral types for the draft version of PSA Crypto API PAKE
interface.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00