When legacy CID is enabled at compile time, but not used at runtime, we
would incorrectly skip the sequence number at the beginning of the AAD.
There was already two "else" branches for writing the sequence number
but none of them was taken in that particular case.
Simplify the structure of the code: with TLS 1.2 (we're already in that
branch), we always write the sequence number, unless we're using
standard CID.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to
a null pointer when the cipher does not use an IV. This is undefined
behavior, although it works as naively expected on most platforms. This
can cause a crash with modern Clang+ASan (depending on compiler optimizations).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The loop ends when there are no more bits to process, with one twist: when
that happens, we need to clear the window one last time. Since the window
does not start empty (E_limbs==0 is not supported), the loop always starts
with a non-empty window and some bits to process. So it's correct to move
the window clearing logic to the end of the loop. This lets us exit the loop
when the end of the exponent is reached.
It would be clearer not to do the final window clearing inside the loop, so
we wouldn't need to repeat the loop termination condition (end of exponent
reached) inside the loop. However, this requires duplicating the code to
clear the window. Empirically, this causes a significant code size increase,
even if the window clearing code is placed into a function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We are looking at the exponent at limb granularity and therefore
exponent bits can't go below 32.
The `mpi_` prefix is also removed as it is better not to have prefix at
all than to have just a partial. (Full prefix would be overly long and
would hurt readability.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
Now that we have a function that calls
mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if
we make it static.
Signed-off-by: Janos Follath <janos.follath@arm.com>
On platforms with size_t different from int, mismatch between size_t and
mpi_uint can cause incorrect results or complaints from the compiler.
Signed-off-by: Janos Follath <janos.follath@arm.com>
mpi_core_exp_mod: Cast local variable explicitly
Signed-off-by: Janos Follath <janos.follath@arm.com>
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what expected by
the specification
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
It might happen that the psa_pake_output() function returns
elements which are not exactly 32 or 65 bytes as expected, but
1 bytes less.
As a consequence, insted of hardcoding the expected value for
the length in the output buffer, we write the correct one as
obtained from psa_pake_output()
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
NEW_SESSION_TICKETS* are processed in handshake_step.
Change the stop condition from `mbedtls_ssl_is_handshake_over`
to directly check.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Inlined functions might cause the compiled code to have different sizes
depending on the usage and this not acceptable in some cases.
Therefore read/write functions used in the initial key exchange are
moved to a standard C file.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
The value of the first sent signature algorithm is overwritten.
This test forces only a single algorithm to be sent and then
validates that the client received such algorithm.
04 03 is the expected value for SECP256R1_SHA256.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Fix bug whereby the supported signature algorithm list sent by the
server in the certificate request would not leave enough space for the
length to be written, and thus the first element would get overwritten,
leaving two random bytes in the last entry.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when
both operands are 0 and the left operand is represented with 0 limbs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key.
This requires making this function public. This will have to be solved while adding driver dipatch for EC-JPAKE.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention
mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value
was zero, the sign bit of the result was incorrectly set to -1 when the
left-hand operand was negative. This is not a valid mbedtls_mpi
representation. Fix this: always set the sign to +1 when the result is 0.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just
with one bit to flip in the sign calculation. Move the shared logic to a new
auxiliary function. This slightly reduces the code size (if the compiler
doesn't inline) and reduces the maintenance burden.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
