Commit graph

10664 commits

Author SHA1 Message Date
Przemek Stekiel
7b730175b3 Simplify psa_pake_computation_stage_s structure
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
b09c487546 Combine core pake computation stage(step,sequence,state) into single driver step
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
9a5b812aa8 Cleanup the code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
2797d37424 Split handling of memory allocation for password between core and driver
Driver is now responsible for creating its own copy of the password in the setup function.
After calling pake setup driver entry point core frees memory for password.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
e12ed36a6c Move JPAKE state machine logic from driver to core
- Add `alg` and `computation_stage` to `psa_pake_operation_s`.
  Now when logic is moved to core information about `alg` is required.
  `computation_stage` is a structure that provides a union of computation stages for pake algorithms.
- Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms.
- Removed test that seems to be redundant as we can't be sure that operation is aborted after failure.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
be5e27b5ad Remove redundant code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
ca67483b15 psa_crypto_pake.h: adapt function descriptions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
51eac53b93 Divide pake operation into two phases collecting inputs and computation.
Functions that only set inputs do not have driver entry points.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
061f6949fd Make psa_get_and_lock_key_slot_with_policy() static function
psa_get_and_lock_key_slot_with_policy() becomes public temporarily as part of:
https://github.com/Mbed-TLS/mbedtls/pull/6608

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
0c78180ee5 mbedtls_psa_pake_get_implicit_key: move psa_key_derivation_input_bytes call to upper layer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
6c7644150a Adapt pake impl for driver dispatch
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
2e73649f9c Add pake psa crypto driver wrappers implementation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
5ae609631e Move the common parameters check code out of the wrapper
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
a7d08c3009 Add PSA PAKE api calling the PAKE wrappers
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
7da8c56b84 Add PSA PAKE wrappers
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
56b8d23ca1 Add mbedtls_ prefix to PSA PAKE over MbedTLS implementation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Manuel Pégourié-Gonnard
63e33dd175 Fix unchecked return value
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-22 10:09:40 +01:00
Jerry Yu
3304c204ba Improve readabilities
- Add more comments
- Adjust setkey_enc

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-22 14:37:11 +08:00
Jerry Yu
4d786a732b Fix regression issue for clang workaround.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-22 11:01:07 +08:00
Gilles Peskine
ffb92b0789
Merge pull request #7105 from davidhorstmann-arm/fix-oid-printing-bug
Fix bugs in OID to string conversion
2023-02-21 23:16:44 +01:00
Manuel Pégourié-Gonnard
da7979bb91 Restore debug message removed by mistake
Also while at it, fix debug level for existing DEBUG_RET: errors should
always be level 1.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
8e176f747c Fix wrong return statement
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
626aaed213 Fix unused variable warnings in some builds
Found by depends.py MBEDTLS_SHA512_C

In principle, the case where neither SHA-256 nor SHA-384 are available
should never occur, as both TLS 1.2 and TLS 1.3 depend on one of those
being defined. However for now dependencies for TLS 1.2 are not as tight
as they should be; this will be fixed later and is tracked as #6441.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
43cc127d3a Fix code style
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
e1a4caa934 Handle hash errors in calc_finished
That's the last family of functions. All calls to mbedtls_sha* and
psa_hash_* in library/ssl_tls.c are now checked for errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b9b564e64b Handle hash errors in calc_verify
On top on some calls not being checked, the PSA path was missing a call
to abort() on errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
df94901566 Handle hash errors in update_checksum
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b72ff498c9 Handle hash errors in reset_checksum
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b8b07aa24a Handle errors from functions that now return int
A few functions were changed from returning void to returning int three
commits ago. Make sure their callers check the return values.

This commits was basically a matter of declaring newly-int-returning
functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting
warnings. A few functions had to be made int in the process; they were
applied the same process as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
d7a7a23308 Use reset_checksum in reset_transcript_for_hrr
This function was manually resetting just the hash that would be used;
it's simpler to just call the function that resets all hashes. This also
avoids calling low-level code from TLS 1.3.

While at it, remove the guards about SHA-256 || SHA-384 that were around
update_checksum, as they are redundant: update_checksum already has
appropriate guards (and TLS 1.3 already depends on one of those tow
hashes being present anyway).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
537f231fd9 Split hash start out of handshake_params_init
This part can fail, so it shouldn't be intermixed with the part that
can't fail and is there to ensure all structures are in a clean state,
should any error happen.

Fortunately, the part that should be split out already had a function
doing it: reset_checksum. Also, handshake_params_init had only one
calling site to update.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
226aa15702 Make handshake hashing functions return int
There are three family of functions: update_checksum, calc_verify,
calc_finished, that perform hashing operations and were returning void
so far. This is not correct, as hashing functions can return errors (for
example, on hardware failure when accelerated). Change them to return
int.

This commit just changes the types: for now the functions always return
0, and their return value is not checked; this will be fixed in the
next few commits.

There is a related function in TLS 1.3,
mbedtls_ssl_reset_transcript_for_hrr, which also handles hashes, and
already returns int but does not correctly check for errors from hashing
functions so far, it will also be handled in the next few commits.

There's a special case with handshake_params_init: _init functions
should return void, so we'll need to split out the part that can return
errors, see the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Gilles Peskine
250a5ac4cb
Merge pull request #7095 from paul-elliott-arm/interruptible_sign_hash_codestyle
Implement PSA interruptible sign/verify hash
2023-02-21 15:13:34 +01:00
Przemek Stekiel
18904acc93 Adapt the code to support SAN types: uniformResourceIdentifier, dNSName and IPAddress
According to documentation OPCUA requires: uniformResourceIdentifier, dNSName and IPAddress
https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-21 13:42:39 +01:00
Hannes Tschofenig
6b108606fa Added ability to include the SubjectAltName extension to a CSR
Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
2023-02-21 13:42:39 +01:00
Dave Rodgman
e42cedf256
Merge pull request #7077 from daverodgman/pkcs7-fixes-dm-rebased
Pkcs7 fixes
2023-02-21 11:53:30 +00:00
Gabor Mezei
aef0f2de9f
Fix limb size calculation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-21 11:35:31 +01:00
Gabor Mezei
e14b5bdba7
Change the ecp_mod_p224_raw to be testable
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-21 11:35:26 +01:00
Gabor Mezei
66f88a9d22
Extract Secp224r1 from the prototype
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-21 11:32:29 +01:00
Jerry Yu
ba4ec24c79 fix code style failure
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-21 15:59:18 +08:00
Jerry Yu
baae4012bf merge setkey_enc* functions
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-21 15:28:03 +08:00
Jerry Yu
c8bcdc8b91 fix various issues
- Improve some function names
- Improve comments
- improve readability

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-21 15:16:20 +08:00
Dave Rodgman
a1b2bfff46 Add clarifying comments
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-20 14:45:09 +00:00
David Horstmann
5b5a0b618c Change error codes to more appropriate codes
The more precise error codes are borrowed from the ASN1 module.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:24:12 +00:00
Przemek Stekiel
82d250d8b0 Use const char for names and adapt style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-20 15:09:50 +01:00
Przemek Stekiel
5b9e4168cf Add rfc822Name support in mbedtls_x509_info_subject_alt_name + adapt test
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-20 15:09:50 +01:00
Przemek Stekiel
ecee12f04f Add parsing of SAN: rfc822Name
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-20 15:09:50 +01:00
Minos Galanakis
a30afe2216 ecp_curves: Minor refactoring.
This patch introduces the following changes:
* Documentation for `mbedtls_ecp_modulus_setup()`
  moved to `ecp_invasive.h`.
* Added invalid modulus selector `MBEDTLS_ECP_MOD_NONE`.
* Adjusted negative tests to use invalid selectors.
* Reworded documentation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-02-20 13:53:06 +00:00
Minos Galanakis
dd556921c9 ecp_curves: Exposed mbedtls_ecp_modulus_setup() through ecp_invasive.h
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-02-20 13:50:41 +00:00
Minos Galanakis
d2ca802329 ecp_curves: Added mbedtls_ecp_modulus_setup().
This patch introduces a new static method, responsible
for automatically initialising an modulus structure,
based on the curve id and a modulus type selector.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2023-02-20 13:49:46 +00:00
Janos Follath
ec718afb41
Merge pull request #7051 from gabor-mezei-arm/6376_Secp521r1_fast_reduction
Add a raw entry point to Secp521r1 fast reduction
2023-02-20 13:03:12 +00:00
Manuel Pégourié-Gonnard
718eb4f190
Merge pull request #7025 from AndrzejKurek/uri_san
Add the uniformResourceIdentifier subtype for the subjectAltName
2023-02-20 11:29:59 +01:00
Paul Elliott
f8e5b56ad8 Fix get_num_ops internal code.
Previously calling get_num_ops more than once would have ended up with ops
getting double counted, and not calling inbetween completes would have ended up
with ops getting missed. Fix this by moving this to where the work is actually
done, and add tests for double calls to get_num_ops().

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-19 18:55:10 +00:00
Manuel Pégourié-Gonnard
b9b630d628 Define "light" subset of MD
See docs/architecture/psa-migration/md-cipher-dispatch.md

Regarding testing, the no_md component was never very useful, as that's
not something people are likely to want to do: it was mostly useful as
executable documentation of what depends on MD. It's going to be even
less useful when more and more modules auto-enable MD_LIGHT or even
MD_C. So, recycle it to test the build with only MD_LIGHT, which is
something that might happen in practice, and is necessary to ensure that
the division is consistent.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-16 22:30:06 +01:00
Gabor Mezei
ac70ad6576
Fix coding style
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-16 19:31:21 +01:00
Manuel Pégourié-Gonnard
ba2412fd21 Remove internal function md_process()
It was already marked as internal use only, and no longer used
internally. Also, it won't work when we dispatch to PSA.

Remove it before the MD_LIGHT split to avoid a corner case: it's
technically a hashing function, no HMAC or extra metadata, but we still
don't want it in MD_LIGHT really.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-16 18:44:46 +01:00
Dave Rodgman
fc64352253 Adjust position of empty line
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-16 16:23:09 +00:00
Paul Elliott
ba70ad4944 Add safety for keys larger than we currently support.
Prevent buffer overflow with keys whos grp.nbits is greater than
PSA_VENDOR_ECC_MAX_CURVE_BITS.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-16 12:15:39 +00:00
Paul Elliott
93d9ca83ea Move num_ops ECP abstraction fully into internal implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-16 12:15:39 +00:00
Andrzej Kurek
81b0b89a34 Clarify comments on subjectAltName types
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-16 06:55:10 -05:00
Jerry Yu
a135deeece Move clang bug workaround to the head of file
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-16 17:56:33 +08:00
Jerry Yu
383cbf42a0 Add minimum version of sha256 for clang
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-16 15:16:43 +08:00
Jerry Yu
8ae6a0193c Add comments about gcc-5
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-16 15:16:20 +08:00
Jerry Yu
2f2c04956d Add GCC options pop
Reduce the scope of target pragma to meet
behavior of clang.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-16 14:24:46 +08:00
Jerry Yu
92fc538a22 Add attribute popup
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-16 11:17:11 +08:00
Paul Elliott
2c9843f2a4 Make mbedtls_sa_ecp_load_public_part return psa_status_t
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
7ef174b285 Correct insufficient memory return documentation.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
a1c9409d88 Move structure init calls as early as possible
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
ebe225cf7b Move num ops update to only point where work can be done.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
53bb312054 Wipe output buffer even when INCOMPLETE is returned.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
c569fc268f Switch from nbits to pbits
Correct coordinate size is grp.nbits, not grp.pbits.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
6d99f0c265 Fix errors in psa_wipe_output_buffer() doc comment.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
0290a76fc2 Fix buffer overflow with hashes larger than key size.
Truncate input hashes to curve private key size as that is all that is required
for the internal implementation.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
724bd25f4b Fix missing mbedtls_mpi_free() on signing.
After moving the MPIs used to output from the operation into the complete
function, I failed to move the accompanying free as well.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
84329464d5 Replace allocated hash buffer with array
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
e6145dc47f Add documentation comment to internal abort functions
Explain the reasoning behind not clearing some variables.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
de1114c883 Fix {sign|verify}_get_num_ops
Move the obfuscation of the internal library only returning a delta of ops done
into the driver wrapper, thus meaning driver wrapper and API call both return
absolute values of work done. Document the differences at the internal
implementation level.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
939bd9485d Move output buffer wiping code to seperate function.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
1243f93cca Fix build fails with non ECDSA / restartable builds
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
eefe47292c Move loading of public part of ECP into function
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
c9774411d4 Ensure that operation is put into error state if error occurs
If an error occurs, calling any function on the same operation should return
PSA_ERROR_BAD_STATE, and we were not honouring that for all errors. Add extra
failure tests to try and ratify this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
f9c91a7fb5 Store the hash, rather than the pointer
For sign and verify, the pointer passed in to the hash is not guaranteed to
remain valid inbetween calls, thus we need to store the hash in the
operation. Added a test to ensure this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
813f9cdcbb Non ECDSA algorithms should return not supported
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
1bc59df92c Rename curve_bytes to coordinate_bytes
Also remove unneeded instance from verify operation struct.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
096abc4dc0 Remove incorrect copied comment
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
e17a8fd9fd Remove unneeded warning from internal headers
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
4684525ae9 Remove unrequired mpis from sign operation struct
These are only used at the output stage.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
6ee2408d26 Remove deterministic alg restriction on sign hash
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
068fe07740 Improve indentation of hash start functions
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
7cc4e816c1 Ensure max ops gets set regardless of having built-in implementation
Set the psa level global anyway, regardless of having a built in
implementation, to match the set function. Also, ensure that value returned
is the same as value passed in, irregardless of internal implementation
requirements.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
59ad9457b6 Add {sign/verify}_hash_abort_internal
Ensure that num_ops is cleared when manual abort is called, but obviously not
when an operation just completes, and test this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
296ede99c9 Fix issues with get_{sign/verify}_num_ops
Move to accumulate ops in context rather than attempting to read straight out
of structures due to structure ops getting reset per operation, and also
issues with _abort clearing internal data. Fix usage of size_t in structures

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
588f8ed498 Add internal implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
2ba002cc2f Make ECDSA restartable sign and verify functions public
Make public the versions of ECSDA sign and verify which return raw signatures
rather than returning ASN.1 encoded signatures, in order to use them for the
internal implemention of psa_sign/verify_hash_interruptible.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Gabor Mezei
7e6fcc1fbc
Update documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:09 +01:00
Gabor Mezei
cf228706cd
Restrict input parameter size for ecp_mod_p521_raw
The imput mpi parameter must have twice as many limbs as the modulus.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:08 +01:00
Gabor Mezei
d10d429380
Stack usage optimization for mod_p521
Instead of creating an mpi on the stack, reuse the unused part of the input mpi.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:51 +01:00
Janos Follath
fe24e91a34
mod_p521: document reduction algorithm
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Janos Follath
666673e83f
modp521: apply naming conventions
Apply the usual parameter name and align the local variables and
comments. This naming diverges from the standard notation, but this is
beneficial as our variable meanings diverge as well and the difference
can help avoiding confusion.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Janos Follath
13c3aa13af
Revert changes to mod_p521 flow
It is not necessary to save the middle limb upfront as overwriting it is
the desired result: in the first step we are reducing modulo
2^{512+biL}.

Arguably, the original flow is more intuitive and easier to see the idea
behind it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Gabor Mezei
6bfbd36507
Fix coding style issues
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:49 +01:00
Gabor Mezei
b62ad5d569
Rename function to follow naming convention
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:48 +01:00
Gabor Mezei
b1c62caa1f
Add documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:48 +01:00
Gabor Mezei
2cb630edee
Change the ecp_mod_p521_raw to be testable
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:05:22 +01:00
Gabor Mezei
8450ab9c60
Fix Secp521r1 reduction
The prototype calculated with wrong limb size and not taken into account
the overflow in the shared limb.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:03:03 +01:00
Gabor Mezei
42df16c84b
Extract Secp521r1 from the prototype
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:02:57 +01:00
David Horstmann
f51851dc70 Change += to |= for clearer semantics
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 15:44:24 +00:00
Gilles Peskine
e2a9f86755
Merge pull request #6971 from gabor-mezei-arm/6026_Secp192r1_fast_reduction
Extract Secp192r1 fast reduction from the prototype
2023-02-15 16:22:36 +01:00
David Horstmann
34b3f1b757 Make overflow checks more readable
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 13:46:53 +00:00
Paul Elliott
9fe12f666b PSA level initial implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
Paul Elliott
2d247923e5 Initial empty driver wrapper implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
David Horstmann
9c1887c4c7 Disallow overlong encoding when parsing OIDs
OID subidentifiers are encoded as follow. For every byte:
* The top bit is 1 if there is another byte to come, 0 if this is the
last byte.
* The other 7 bits form 7 bits of the number. These groups of 7 are
concatenated together in big-endian order.

Overlong encodings are explicitly disallowed by the BER/DER/X690
specification. For example, the number 1 cannot be encoded as:

0x80 0x80 0x01

It must be encoded as:

0x01

Enforce this in Mbed TLS' OID DER-to-string parser.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 12:02:27 +00:00
Jerry Yu
64e5d4a2cd Replace error output with target pragma if possible
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-15 11:58:48 +08:00
Jerry Yu
35f2b26fd8 move cpu modifier flags check to source file
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-15 11:58:48 +08:00
Gilles Peskine
edc6ae9578
Merge pull request #7090 from paul-elliott-arm/fix_iar_warnings_dev
Fix IAR Warnings
2023-02-14 20:01:00 +01:00
Gilles Peskine
ed73355d2e Make \retval commands non-empty
Pacify Clang >=15 which complained:
```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

This commit performs the following systematic replacement:
```
perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja')
```
i.e. add an `\emptydescription` argument to `\retval` commands (or
`@retval`, which we don't normally used) that are followed by a single word,
unless the next line looks like it contains text which would be the
description.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-14 19:21:09 +01:00
David Horstmann
c7f700c795 Fix incorrect printing of OIDs
The first 2 components of an OID are combined together into the same
subidentifier via the formula:

subidentifier = (component1 * 40) + component2

The current code extracts component1 and component2 using division and
modulo as one would expect. However, there is a subtlety in the
specification[1]:

>This packing of the first two object identifier components recognizes
>that only three values are allocated from the root node, and at most
>39 subsequent values from nodes reached by X = 0 and X = 1.

If the root node (component1) is 2, the subsequent node (component2)
may be greater than 38. For example, the following are real OIDs:
* 2.40.0.25, UPU standard S25
* 2.49.0.0.826.0, Met Office
* 2.999, Allocated example OID

This has 2 implications that the current parsing code does not take
account of:
1. The second component may be > 39, so (subidentifier % 40) is not
correct in all circumstances.
2. The first subidentifier (containing the first 2 components) may be
more than one byte long. Currently we assume it is just 1 byte.

Improve parsing code to deal with these cases correctly.

[1] Rec. ITU-T X.690 (02/2021), 8.19.4

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-14 17:00:25 +00:00
Gabor Mezei
0b4b8e3c5e
Update documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-14 16:36:38 +01:00
Dave Rodgman
319a5675db
Merge pull request #7084 from daverodgman/sizemax-uintmax
Assume SIZE_MAX >= INT_MAX, UINT_MAX
2023-02-14 10:06:22 +00:00
Ronald Cron
70341c17b7
Merge pull request #6773 from yanrayw/6675-change-early_secrets-to-local
TLS 1.3: Key Generation: Change tls13_early_secrets to local variable
2023-02-14 09:03:32 +01:00
Paul Elliott
1748de160a Fix IAR Warnings
IAR was warning that conditional execution could bypass initialisation of
variables, although those same variables were not used uninitialised.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-13 15:35:35 +00:00
Gabor Mezei
a264831cff
Update documentation and add comments
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-13 16:29:05 +01:00
Andrzej Kurek
7a05fab716 Added the uniformResourceIdentifier subtype for the subjectAltName.
Co-authored-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-13 10:03:07 -05:00
Manuel Pégourié-Gonnard
d3d8c852a0
Merge pull request #6997 from valeriosetti/issue6858
driver-only ECDSA: get testing parity in X.509
2023-02-13 15:30:06 +01:00
Valerio Setti
178b5bdddf pk: move MBEDTLS_PK_CAN_ECDSA_SOME macro to pk.h and fix tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-13 11:15:06 +01:00
Jerry Yu
b2783f66b5 fix typo issue
The error message is wrong

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-13 18:03:25 +08:00
Dave Rodgman
ab1f3c153a
Merge pull request #7081 from tom-cosgrove-arm/dont-use-lstrlenW 2023-02-10 20:50:07 +00:00
Dave Rodgman
4a5c9ee7f2 Remove redundant SIZE_MAX guards
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 16:03:44 +00:00
Gilles Peskine
b8531c4b0b
Merge pull request #6882 from AndrzejKurek/x509_san_parsing_testing-dev
X.509: Fix bug in SAN parsing and enhance negative testing
2023-02-10 15:05:32 +01:00
Dave Rodgman
f691268ee9 Add missing initialisers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
35598adb78 pkcs7: Check that hash algs are in digestAlgorithms
Since only a single hash algorithm is currenlty supported, this avoids
having to perform hashing more than once.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
6cfc469296 pkcs7: reject signatures with internal data
A CMS signature can have internal data, but mbedTLS does not support
verifying such signatures.  Reject them during parsing.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
e373a254c4 pkcs7: do not store content type OIDs
They will always be constant.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
55d9df25ef Simple cleanup
No change in behavior.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
4ec8355795 Check for junk after SignedData
There must not be any.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
aaf3c0028d pkcs7: do not store content type OID
Since only one content type (signed data) is supported, storing the
content type just wastes memory.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-02-10 12:56:10 +00:00
Demi Marie Obenour
512818b1d2 pkcs7: check that content lengths fill whole buffer
Otherwise invalid data could be accepted.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 12:56:10 +00:00
Dave Rodgman
a22749e749
Merge pull request #6816 from nick-child-ibm/pkcs7_coverage
Pkcs7 coverage
2023-02-10 12:55:29 +00:00
Tom Cosgrove
b96c309395 Don't use lstrlenW() on Windows
The lstrlenW() function isn't available to UWP apps, and isn't necessary, since
when given -1, WideCharToMultiByte() will process the terminating null character
itself (and the length returned by the function includes this character).

Resolves #2994

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-02-10 12:52:13 +00:00
Ronald Cron
834e65d47f
Merge pull request #6499 from xkqian/tls13_write_end_of_early_data
Tls13 write end of early data
2023-02-10 11:08:22 +01:00
Dave Rodgman
78c6f40736
Fix code-style
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-09 09:21:14 +00:00
Nick Child
14f255f332 pkcs7: Remove unnecessary dependencies
stdio, stdlib and string header files are not
used. Remove them.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-08 15:38:48 +00:00
Valerio Setti
ce0caa3384 oid: fix comment in #endif
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Valerio Setti
f972ce8d69 oid: replace ECDSA_C with new macros for ECDSA capabilities
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:52:31 +01:00
Valerio Setti
80d0798ae8 pk_wrap: use new macros for ECDSA capabilities
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:49:17 +01:00
Valerio Setti
5c032b5e1b pk_wrap: fix comment in ecdsa_verify_wrap
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00
Valerio Setti
b761b15f06 fix code style
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00
Valerio Setti
1337a4f334 pk_wrap: use specific lengths for EC's private key and key-pair
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00
Valerio Setti
5bc52248ef pk_wrap: fix for DETERMINISTIC_ECDSA case in ecdsa_sign_wrap()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-08 13:39:10 +01:00
Gilles Peskine
8a6022e948 Clean up header inclusions in pk_wrap.c
To better reflect what the code relies on, limit the headers that are
included when MBEDTLS_USE_PSA_CRYPTO is disabled. Also stop including
"pkwrite.h" when it is no longer needed.

Include "mbedlts/platform_util.h" unconditionally. It was only included for
RSA ALT but was also used for MBEDTLS_USE_PSA_CRYPTO (the code worked
because other headers include "mbedtls/platform_util.h").

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-08 13:39:10 +01:00
Gilles Peskine
13caa94746 Don't use pk_write in ecdsa_sign_wrap with USE_PSA_CRYPTO
Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_sign_wrap() was calling
mbedtls_pk_write_key_der() to write a private key in SEC1 format, only to
then extract the part that represents the private value which is what
psa_import_key() actually wants. Instead, call an mpi function to directly
get the private key in the desired format.

This slightly reduces the code size and stack usage, and removes a
dependency on pk_write.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-08 13:39:10 +01:00
Gilles Peskine
b4a87b07f8 Don't use pk_write in ecdsa_verify_wrap with USE_PSA_CRYPTO
Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_verify_wrap() was calling
mbedtls_pk_write_pubkey() to write a public key in the form of a
subjectPublicKey, only to then extract the part that represents the EC
point which psa_import_key() actually wants. Instead, call an ecp
function to directly get the public key in the desired format (just the
point).

This slightly reduces the code size and stack usage, and removes a
dependency on pk_write.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-08 13:39:10 +01:00
Xiaokang Qian
0de0d863b6 Rebase code to restore reco-delay and fix some style issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 07:41:42 +00:00
Xiaokang Qian
8dc4ce76c7 Fix various coding style and comment issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
6b980011e5 Replace session_negotiate->ciphersuite with handshake->ciphersuite_info->id
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
53c4c27d35 Update the comment of ciphersuite check for early data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
64bc9bc33d Add comments to describe the early data behavior-encrypt/rejected...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
e04afdc44f Refine the condition of whether re-generate early keys
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
eb31cbc791 Share the hash check code between ticket and external psk
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
4ef8ba2938 Assign the ciphersuite in finalize_hrr{server_hello}
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
bb883244aa Remove useless comments of outbound switch
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
02f5e14073 Combine the alert check of selected_id and ciphercuite
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
934ce6f6a9 Rename the finalize_client{server}_hello()
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
ac4c625dea Add hash check of ciphersuite for ticket psk
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
6be8290aba Change to CCS after client hello only if we offer early data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
7179f810f1 Restore the empty lines
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
b58462157e Refine the ciphersuite and select id check for early data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
44051f6376 Refine the state change after write client hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
7892b6caad Refine the comment about generating early secrects in post server hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
bd0ab06d50 Skip CCS once we proposed early data even it is rejected
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
f6d8fd3d6b Improve the coding style of new lines
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
Xiaokang Qian
79f77528f5 Move state change to finalize client hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
3f616c2493 Move selected_identity zero check to post_server_hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
1d8e86ce00 Get hash_alg by mbedtls_psa_translate_md
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
ea28a78384 Revert new field and check ciphersuite match when resume by exist info_id
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
4224244883 Improve coding styles and add comments
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
33ff868dca Fix various errors
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
43a83f247c Move the place where call set_outbound_transform to switch handshake key
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
907461319a Fix compile error and warnings
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
f10f474981 Check server selected cipher suite indicating a Hash associated with the PSK
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
592021aceb Add CCS after client hello in case of early data and comp mode
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
303f82c5b9 Skip generating early secrets in some cases
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:47 +00:00
Xiaokang Qian
b46275c7ec Add TLS1_3 guard to finalize_write_client_hello() to fix compile issue
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:43 +00:00
Xiaokang Qian
2a674937dd Pend a illeagal allert when selected_identity isn't 0
Handshake should abort will illeagal parameter allert when
receiving early data extentions but the selected_identity
parsed from pre-share key isn't equal to 0.

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:46:48 +00:00
Xiaokang Qian
126929f825 Move early keys generation into mbedtls_ssl_tls13_finalize_write_client_hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:46:45 +00:00
Xiaokang Qian
19d4416a45 Refine code to remove finalize_write_end_of_early_data()
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
7094f66879 Remove useless duplicted mbedtls_ssl_tls13_ticket_get_psk
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
854db28bb7 Set hs_psk,ciphercuit_info and kex mode when writing pre-share key
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
57a138d5c3 Update message log for end of early data test cases
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
742578ca2c Remove end_of_early_data_coordinate() to align with exist style
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
bc75bc0c3a Switch to MBEDTLS_SSL_END_OF_EARLY_DATA as needed
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
c81a15a019 Change the comment format of end_of_early_data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
7ed30e59af Fix the issue that gnutls server doesn't support packet
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:44:00 +00:00
Xiaokang Qian
8804e6d0ac Put kex_exchange_mode in the guard of TLS13
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
da8402dde6 Switch outbound back to handshake key after end_of_early_data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
bf09376bda Remove useless prepare_write_end_of_early_data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
df6f52e2b2 Generate early key and switch outbound key to it after write client hello
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
d05ac5dfce Add extern apis mbedtls_ticket_get_psk.
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
32af4fbbdb Set ciphersuite info and kex mode in set_session in re-connection
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:59 +00:00
Xiaokang Qian
34aab55aa7 Add prepare function to switch transform to early keys
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:58 +00:00
Xiaokang Qian
125afcb060 Add end-of-early-data write
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:43:58 +00:00
Nick Child
3dafc6c3b3 pkcs7: Drop support for signature in contentInfo of signed data
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.

Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
 - Demi Marie Obenour <demiobenour@gmail.com>
 - Dave Rodgman <dave.rodgman@arm.com>

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-07 20:04:52 +00:00
Valerio Setti
5b16e9eabc pk_wrap: keep ECDSA_C for ECP_RESTARTABLE contexts
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 16:21:36 +01:00
Hanno Becker
dae916b05f X.509: Add length consistency checks to x509_get_other_name()
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:24:32 -05:00
Hanno Becker
2a15a0c868 X.509: Remove red'n bounds checks and zeroiz'n in OtherName parsing
- ASN.1 parsing functions check that length don't exceed buffer bounds,
  so checks `p + len > end` are redundant.
- If `p + len == end`, this is erroneous because we expect further fields,
  which is automatically caught by the next ASN.1 parsing call.

Hence, the two branches handling `p + len >= end` in x509_get_other_name()
can be removed.

Further, zeroization of the `other_name` structure isn't necessary
because it's not confidential (and it's also not performed on other
error conditions in this function).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:15:27 -05:00
Hanno Becker
ae8f8c435c Fix X.509 SAN parsing
Fixes #2838. See the issue description for more information.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:10:27 -05:00
Jerry Yu
2bb3d8101f Add en(de)crypt routine
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:53 +08:00
Jerry Yu
e096da1af6 Add inverse key function
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Jerry Yu
3f2fb71072 Add key expansion for encrypt
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Jerry Yu
b95c776c43 Add linux runtime detection
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Jerry Yu
49231319fd Add empty aesce files
For time being, we only support gcc and clang

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Valerio Setti
1cdddacc62 pk_wrap: use proper macros for sign and verify
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
5c593af271 pk_wrap: fix comment on closing #endif
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
24138d9f83 pk_wrap: re-use identical functions for eckey and ecdsa when possible
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
7ca1318256 pk: add new symbol for generic ECDSA capability
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
9e30dd882d removing a leftover printf from debug
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
ab363d9fe1 pk/pk_wrap: replace ECDSA_C with generic ECDSA capabilities' defines
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Gabor Mezei
63aae68b8f
Fix documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-06 16:24:08 +01:00
Gilles Peskine
0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
2023-02-03 16:41:11 +01:00
Gilles Peskine
80c552556a
Merge pull request #6791 from yanrayw/6675-change-some-key-generation-funcs-to-static
TLS 1.3: Key Generation: change some key generation functions to static
2023-02-03 11:56:35 +01:00
Yanray Wang
f206c1493b Remove duplicate mbedtls_platform_zeroize for tls13_early_secrets
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-03 13:55:47 +08:00
Dave Rodgman
6dd757a8ba Fix use of sizeof without brackets
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-02 12:40:50 +00:00
Nick Child
282d50493a pkcs7: Remove duplicate oid condition
MBEDTLS_OID_PKCS7_ENCRYPTED_DATA was listed twice in
the oid conditional. Remove one of them.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-01 18:32:55 +00:00
Gilles Peskine
24c6f49530
Merge pull request #7005 from tom-cosgrove-arm/fix-doxygen-typos-in-new-bignum
Fix typos in doxygen commands in new bignum modules
2023-02-01 19:05:04 +01:00
Gilles Peskine
a193986aab
Merge pull request #6942 from ucko/2023a-bignum
mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701).
2023-02-01 11:36:25 +01:00
Tom Cosgrove
8a1f784ece Fix typos in doxygen commands in new bignum modules
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-02-01 08:43:54 +00:00
Yanray Wang
a12cecbe47 Modify some comments in ssl_tls13_keys.c
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-01 14:29:51 +08:00
Nick Child
3bd17f2f58 pkcs7: Use end_issuer_and_sn where appropriate
There were some areas where `end_signer` were being
used when it makes more sense to use `end_issuer_and_sn`,
as pointed out by demiobenour@gmail.com.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-31 20:42:26 +00:00
Gabor Mezei
2038ce976e
Rename function to follow naming convention
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-31 14:40:05 +01:00
Gabor Mezei
9b290b33e4
Add documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-31 14:40:05 +01:00
Gabor Mezei
deece2bb65
Change the ecp_mod_p192_raw to be testable
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-31 14:40:05 +01:00
Gabor Mezei
b5bba497fe
Extract Secp192r1 from the prototype
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-31 14:40:05 +01:00
Gilles Peskine
f6b9823422
Merge pull request #6979 from daverodgman/const-time-asm-vol
Inhibit compiler from optimising out const-time asm
2023-01-31 11:28:45 +01:00
Gilles Peskine
470f10cfc5
Merge pull request #6941 from gabor-mezei-arm/6375_quasi-reduction_function
Add function to fix quasi-reduction
2023-01-31 11:25:25 +01:00
Nick Child
ec81709516 pkcs7: Ensure all data in asn1 structure is accounted for
Several PKCS7 invalid ASN1 Tests were failing due to extra
data bytes or incorrect content lengths going unnoticed. Make
the parser aware of possible malformed ASN1 data.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-01-30 16:44:58 +00:00
Gabor Mezei
db1607fa69
Remove unneeded include
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-30 16:27:48 +01:00
Manuel Pégourié-Gonnard
aae61257d1
Merge pull request #6883 from valeriosetti/issue6843
Improve X.509 cert writing serial number management
2023-01-30 13:08:57 +01:00
Dave Rodgman
4610d4b7a6 Inhibit compiler from optimising out const-time asm
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-01-30 09:26:48 +00:00
Manuel Pégourié-Gonnard
169d9e6eb4
Merge pull request #6802 from gilles-peskine-arm/test_suite_psa_crypto_metadata-20221215
Add metadata tests for CCM* and TLS1.2-ECJPAKE-to-PMS
2023-01-27 10:05:00 +01:00
Przemek Stekiel
36ad5e7ab5 Fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-26 22:30:45 +01:00
Valerio Setti
af4815c6a4 x509: replace/fix name of new function for setting serial
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-01-26 17:43:09 +01:00
Janos Follath
803638c023
Merge pull request #6939 from minosgalanakis/bignum/6027_hardcode_montgomery_moduli
Bignum: hardcode montgomery moduli
2023-01-25 16:51:11 +00:00
Przemek Stekiel
32e20919ac Remove redundant check and add comment to inform about processing of empty extensions
Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules, Chapter 18: Extension-Specific Policy Modules, Netscape Certificate Type Extension Policy:
> The extension has no default value.

A bitstring with no flags set is still technically valid, as it will mean that the certificate has no designated purpose at the time of creation.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 16:20:25 +01:00
Gabor Mezei
9a66ab180c
Fix missing declarration
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-25 13:23:38 +01:00
Przemek Stekiel
94e21e153f Skip unsupported extensions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-25 11:08:32 +01:00
Gilles Peskine
8296eabed6
Merge pull request #6957 from tom-cosgrove-arm/fix-spelling-of-doxygen-return
Fix doxygen return parameter spelling
2023-01-24 21:56:45 +01:00
Gilles Peskine
3b8623fe2c
Merge pull request #6903 from Mihir-Raj-Singh/Bignum_rename_mtoN
Rename modulus input argument from m to N
2023-01-24 21:48:54 +01:00
Gabor Mezei
627e5b1f91
Only enable fix_quasi_reduction when testing
Avoid compiler error due to the fix_quasi_reduction function
is static and has not been used.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-24 18:13:24 +01:00
Przemek Stekiel
a468768000 Dealocate memory for subject alt names
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 15:19:47 +01:00
Przemek Stekiel
86d1946164 Fix error codes returned on failures
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-01-24 11:20:10 +01:00