Commit graph

19492 commits

Author SHA1 Message Date
Hanno Becker
25bb732ea7 Simplify x25519 reduction using internal bignum MLA helper
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-11 07:03:48 +01:00
Hanno Becker
aef9cc4f96 Rename mpi_mul_hlp -> mbedtls_mpi_core_mla and expose internally
This paves the way for the helper to be used from the ECP module

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-11 07:03:43 +01:00
Gilles Peskine
e1730e492d
Merge pull request #5708 from AndrzejKurek/timeless-struggles
Remove the dependency on MBEDTLS_TIME_H from the timing module
2022-04-08 18:43:16 +02:00
Adam Wolf
039080fba7 Fix spelling of 'reasonable' in comments
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-04-08 16:49:04 +01:00
Paul Elliott
ed334d2e2f
Merge pull request #5623 from gstrauss/inline-cert_cb
Introduce mbedtls_ssl_hs_cb_t typedef
2022-04-08 16:04:31 +01:00
Neil Armstrong
cb87403560 Use 1024 bits RSA key size for RSA PK Opaque tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-08 15:14:40 +02:00
Neil Armstrong
95a892311d Comment decrypt & encrypt callback entries of mbedtls_pk_ecdsa_opaque_info as not relevant
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-08 15:13:51 +02:00
Neil Armstrong
7df6677c34 Remove now invalid comment in pk_opaque_ecdsa_can_do()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-08 15:13:06 +02:00
Neil Armstrong
56e71d4d1a Update documentation of mbedtls_pk_setup_opaque()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-08 15:12:42 +02:00
Neil Armstrong
eccf88fa48 Only accept RSA key pair in mbedtls_pk_setup_opaque()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-08 15:11:50 +02:00
Dave Rodgman
f945e0a475 Update ChangeLog.d/alert_reentrant.txt
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:59:30 +01:00
Dave Rodgman
e2e7e9400b Fail for types not of size 2, 4 or 8
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:46:30 +01:00
Hanno Becker
baae59cd49 Improve documentation of absence-of-padding check
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:46:29 +01:00
Hanno Becker
0d7dd3cd43 Check that size_t and ptrdiff_t don't have padding
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:46:26 +01:00
Hanno Becker
4ab3850605 Check that integer types don't use padding bits in selftest
This commit modifies programs/test/selftest to include a check that
none of the standard integer types (unsigned) [short, int, long, long]
uses padding bits, which we currently don't support.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:45:05 +01:00
Hanno Becker
8813c03cb0 Add ChangeLog entry
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:16:55 +01:00
Hanno Becker
5e18f74abb Make alert sending function re-entrant
Fixes #1916

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:16:43 +01:00
Jacob Schloss
d8a573b9d9 Fix spelling of 'features' in comment
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-04-08 10:23:14 +01:00
Gilles Peskine
e756f642cd Seed the PRNG even if time() isn't available
time() is only needed to seed the PRNG non-deterministically. If it isn't
available, do seed it, but pick a static seed.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 04:46:41 -04:00
Andrzej Kurek
5735369f4a Remove the dependency on MBEDTLS_HAVE_TIME from MBEDTLS_TIMING_C
The timing module might include time.h on its own when on 
a suitable platform, even if MBEDTLS_HAVE_TIME is disabled. 


Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 04:41:42 -04:00
Glenn Strauss
236e17ec26 Introduce mbedtls_ssl_hs_cb_t typedef
Inline func for mbedtls_ssl_conf_cert_cb()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-07 14:18:30 -04:00
Gilles Peskine
a91b68564c
Merge pull request #5429 from yuhaoth/pr/fix-parallel-build-fail-of-cmake_out_source
fix parallel build fail of cmake out source
2022-04-07 16:21:43 +02:00
Gilles Peskine
8e5e8d73db
Merge pull request #5686 from AndrzejKurek/off-by-one-ssl-opt
Fix an off-by-one error in ssl-opt.sh
2022-04-07 16:20:55 +02:00
Neil Armstrong
c1152e4a0f Handle and return translated PSA errors in mbedtls_pk_wrap_as_opaque()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
7e1b4a45fa Use PSA_BITS_TO_BYTES instead of open-coded calculation in mbedtls_pk_wrap_as_opaque()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
b354742371 Update documentation of mbedtls_pk_setup_opaque()
The function now accepts a RSA key pair in addition to an ECC
key pair.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
295aeb17e6 Add support for RSA Opaque PK key in mbedtls_pk_write_pubkey_der()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
b980c9b48c Add support for RSA in pk_opaque_sign_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
ca5b55f0d1 Add support for RSA in mbedtls_pk_wrap_as_opaque()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 15:01:24 +02:00
Neil Armstrong
67fc036976 Add support for RSA wrap in pk_psa_sign() test
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 14:51:47 +02:00
Neil Armstrong
5b87ebb601 Prepare pk_psa_sign() test to accept RSA parameters
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 14:51:47 +02:00
Neil Armstrong
0cd78ddd71 Update test for Opaque PK key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 14:51:47 +02:00
Neil Armstrong
eabbf9d907 Add support for RSA PK Opaque key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-07 14:51:47 +02:00
Andrzej Kurek
714b6603e4 Remove dummy timing implementation
Having such implementation might cause issues for those that
expect to have a working implementation.
Having a compile-time error is better in such case.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-07 07:44:04 -04:00
Manuel Pégourié-Gonnard
1b05aff3ad
Merge pull request #5624 from superna9999/5312-tls-server-ecdh
TLS ECDH 3b: server-side static ECDH (1.2)
2022-04-07 11:46:25 +02:00
Manuel Pégourié-Gonnard
fff641a273
Merge pull request #5695 from mprse/tls_1_3_remove_redundant_check
ssl_tls13_generate_and_write_ecdh_key_exchange(): remove redundant check
2022-04-06 09:27:18 +02:00
Hanno Becker
e141702551 Adjust mpi_montmul() to new signature of mpi_mul_hlp()
A previous commit has changed the signature of mpi_mul_hlp, making the length
of the output explicit. This commit adjusts mpi_montmul() accordingly.

It also fixes a comment on the required size of the temporary value
passed to mpi_montmul() (but does not change the call-sites).

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-06 06:59:34 +01:00
Hanno Becker
74a11a31cb Adjust mbedtls_mpi_mul_int() to changed signature of mpi_mul_hlp()
A previous commit has changed the signature of mpi_mul_hlp(), making
the length of the output explicit.

This commit adjusts mbedtls_mpi_mul_int() to this change.

Along the way, we make the code simpler and more secure by not calculating
the minimal limb-size of A. A previous comment indicated that this was
functionally necessary because of the implementation of mpi_mul_hlp() --
if it ever was, it isn't anymore.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-06 06:59:34 +01:00
Hanno Becker
fee261a505 Adjust mbedtls_mpi_mul_mpi() to new signature of mpi_mul_hlp()
The previous commit has changed the signature of mpi_mul_hlp(),
making the length of the output explicit.

This commit adjusts the call-site in mbedtls_mpi_mul_mpi() to
this new signature.

A notable change to the multiplication strategy had to be made:
mbedtls_mpi_mul_mpi() performs a simple row-wise schoolbook
multiplication, which however was so far computed iterating
rows from top to bottom. This leads to the undesirable consequence
that as lower rows are calculated and added to the temporary
result, carry chains can grow. It is simpler and faster to
iterate from bottom to top instead, as it is guaranteed that
there will be no carry when adding the next row to the previous
temporary result: The length of the output in each iteration
can be fixed to len(B)+1.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-06 06:59:34 +01:00
Hanno Becker
defe56928e Make length of output explicit in mpi_mul_hlp()
The helper `mpi_mul_hlp()` performs a multiply-accumulate
operation `d += s * b`, where `d,b` are MPIs and `b` is a scalar.

Previously, only the length of `s` was specified, while `d` was
assumed to be 0-terminated of unspecified length.

This was leveraged at the end of the core multiplication steps
computingg the first `limb(s)` limbs of `d + s*b`: Namely, the
routine would keep on adding the current carry to `d` until none
was left. This can, in theory, run for an arbitrarily long time
if `d` has a tail of `0xFF`s, and hence the assumption of
`0`-termination.

This solution is both fragile and insecure -- the latter because
the carry-loop depends on the result of the multiplication.

This commit changes the signature of `mpi_mul_hlp()` to receive
the length of the output buffer, which must be greater or equal
to the length of the input buffer.

It is _not_ assumed that the output buffer is strictly larger
than the input buffer -- instead, the routine will simply return
any carry that's left. This will be useful in some applications
of this function. It is the responsibility of the caller to either
size the output appropriately so that no carry will be left, or
to handle the carry.

NOTE: The commit leaves the library in a state where it cannot
      be compiled since the call-sites of mpi_mul_hlp() have
      not yet been adjusted. This will be done in the subsequent
      commits.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-06 06:59:29 +01:00
Hanno Becker
e7f14a3090 Remove unused variable in mpi_mul_hlp()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-06 06:11:26 +01:00
Ronald Cron
cccbe0eb88
Merge pull request #5516 from tom-daubney-arm/M-AEAD_dispatch_tests
M-AEAD driver dispatch tests
2022-04-05 16:35:37 +02:00
Gilles Peskine
ebfee6e315 check-generated-files.sh -u: don't update file timestamps
When running check-generated-files in update mode, all generated files were
regenerated. As a consequence,
```
tests/scripts/check-generated-files.sh -u && make
```
always caused most of the code to be rebuilt. Now, if a file hasn't changed,
preserve its original modification time (and other metadata), so the command
above doesn't rebuild anything that has actually not changed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:29:38 +02:00
Gilles Peskine
7a2e83b839 Add missing logic for accelerated ECB under MBEDTLS_PSA_CRYPTO_CONFIG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:03:39 +02:00
Gilles Peskine
a9b6c8074a Fix psa_mac_verify() returning BUFFER_TOO_SMALL
It doesn't make sense for psa_mac_verify() to return
PSA_ERROR_BUFFER_TOO_SMALL since it doesn't have an output buffer. But this
was happening when requesting the verification of an unsupported algorithm
whose output size is larger than the maximum supported MAC size, e.g.
HMAC-SHA-512 when building with only SHA-256 support. Arrange to return
PSA_ERROR_NOT_SUPPORTED instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:03:39 +02:00
Gilles Peskine
695c4cb7ea If a cipher algorithm is not supported, fail during setup
In some cases, a cipher operation for an unsupported algorithm could succeed
in psa_cipher_{encrypt,decrypt}_setup() and fail only when input is actually
fed. This is not a major bug, but it has several minor downsides: fail-late
is harder to diagnose for users than fail-early; some code size can be
gained; tests that expect failure for not-supported parameters would have to
be accommodated to also accept success.

This commit at least partially addresses the issue. The only completeness
goal in this commit is to pass our full CI, which discovered that disabling
only PSA_WANT_ALG_STREAM_CIPHER or PSA_WANT_ALG_ECB_NO_PADDING (but keeping
the relevant key type) allowed cipher setup to succeed, which caused
failures in test_suite_psa_crypto_op_fail.generated in
component_test_psa_crypto_config_accel_xxx.

Changes in this commit:
* mbedtls_cipher_info_from_psa() now returns NULL for unsupported cipher
  algorithms. (No change related to key types.)
* Some code that is only relevant for ECB is no longer built if
  PSA_WANT_ALG_ECB_NO_PADDING is disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:03:39 +02:00
Gilles Peskine
b24ed5261e Use a plausible input size with asymmetric verification
Otherwise the error status can be PSA_ERROR_INVALID_SIGNATURE instead of the
expected PSA_ERROR_NOT_SUPPORTED in some configurations. For example, the
RSA verification code currently checks the signature size first whenever
PSA_KEY_TYPE_RSA_PUBLIC_KEY is enabled, and only gets into
algorithm-specific code if this passes, so it returns INVALID_SIGNATURE even
if the specific algorithm is not supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:03:39 +02:00
Gilles Peskine
e6300959df Test attempts to use a public key for a private-key operation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:02:44 +02:00
Gilles Peskine
0c3a071300 Make psa_key_derivation_setup return early if the key agreement is not supported
Otherwise the systematically generated algorithm-not-supported tests
complain when they try to start an operation and succeed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:00:01 +02:00
Gilles Peskine
0cc417d34b Make psa_key_derivation_setup return early if the hash is not supported
Otherwise the systematically generated algorithm-not-supported tests
complain when they try to start an operation and succeed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 14:58:39 +02:00