When importing a key, the code that parses the input needs to
determine the key size ("bits" attribute). This is specific to import
since other key creation methods require the caller to supply a size.
Therefore, add an extra output parameter `bits` to the "import_key"
entry point for opaque drivers. Likewise, add a `bits` output
parameter to the "validate_key" entry point for transparent drivers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This reverts commit 9c46a60e6c.
When the library is dynamically linked against Glibc (as is usually
the case with Glibc), it now requires a recent Glibc at runtime if it
was compiled with a recent Glibc. This is a loss of functionality for
no demonstrated benefit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
“Prior to Mbed TLS 2.24” suggests that 2.24 itself didn't use the old
policy anymore, but it did. Change to “Until”, and also give the exact
version number “2.24.0”.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In psa_generate_key_internal() for ECC keys, remove the check that the
bit-size according to Mbed TLS is equal to the requested bit-size.
This check was necessary back when the PSA API encoded curves and key
sizes independently, in order to reject combinations such as SECP256R1
with a 512-bit size. Since the curve encoding changed to specifying a
curve family and a size separately, the Mbed TLS curve id (grp_id) and
the curve data (curve_info) are now determined from the size, and
checking that (curve_info->bit_size == bits) is now only a redundant
sanity check.
This check is actually buggy, because PSA Crypto and Mbed TLS don't
have exactly the same notion of key size. PSA thinks Curve25519 is
255-bit and secp224k1 is 225-bit, but Mbed TLS thinks they're 256-bit
and 224-bit respectively. Removing the check allows key generation to
work for these curves.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
"x25519" and "x448". These curves support ECDH but not ECDSA.
This was meant ever since the introduction of mbedtls_ecdsa_can_do()
in 0082f9df6f, but
2c69d10bac had removed the claim
that Montgomery curves support ECDH except through Everest.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test import and key generation, each followed by a key agreement. Only
good cases in this commit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
... as opposed to PSA_ERROR_BAD_STATE.
The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:
"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."
Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.
This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
With the new feature MBEDTLS_PSA_CRYPTO_CONFIG, needed to
add support that when the feature is disabled, if there
are defines like MBEDTLS_ECDSA_C defined, then the PSA_WANT_
equivalent define is also enabled. This ensures the guards in
the library psa_crypto will work properly.
Also fixed an error return code in the driver wrapper for cipher
encrypt setup so it will properly pass unit tests.
Ensured config.py full works properly with the new
MBEDTLS_PSA_CRYPTO_CONFIG, it should not be set when the full
option is used.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
From now on, external contributions are no longer acknowledged in the
changelog file. They of course remain acknowledged in the Git history.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Starting with commit 49e94e3, the do/while loop in
`rsa_prepare_blinding()` was changed to a `do...while(0)`, which
prevents retry from being effective and leaves dead code.
Restore the while condition to retry, and lift the calls to finish the
computation out of the while loop by by observing that they are
performed only when `mbedtls_mpi_inv_mod()` returns zero.
Signed-off-by: Peter Kolbus <peter.kolbus@garmin.com>
The new header files to support PSA crypto config needed to be
added to the VS project file.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
The version features library needed updating to support the new
MBEDTLS_PSA_CRYPTO_CONFIG definition.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Since the recent changes required the addition of a new definition
in mbedtls/config.h, we also need to update query_config.c to account
for the new MBEDTLS_PSA_CRYPTO_CONFIG setting.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Python should not be required for the build when the no_test target is
used. This commit adds the generated file to the source tree and the
check-generated-files script, and removes the generation from (c)make.
Fixes#3524
Signed-off-by: Cameron Nemo <cnemo@tutanota.com>
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Originally, MBEDTLS_PSA_CRYPTO_CONFIG was being used to allow
inclusion of mbedlts/config_psa.h, but that needed to be updated
so that mbedtls/config_psa.h is always included and the definitions
specific to PSA configuration are now guarded by
MBEDTLS_PSA_CRYPTO_CONFIG. This will allow for the standard setup
to continue working while new PSA configuration items to also work.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
In order to test various PSA crypto settings the Requires section
needed updating to require MBEDTLS_PSA_CRYPTO_C or
MBEDTLS_PSA_CRYPTO_CONFIG.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
In order to prepare for PSA cryptographic mechanism for conditional
inclusion of various modules, there needs to be some updates to
the mbedtls configuration to enable that feature to work. This initial
set of changes just lays the ground work and future changes will
implement the functional features.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
According to https://www.bearssl.org/ctmul.html even single-precision
multiplication is not constant-time on some older platforms.
An added benefit of the new code is that it removes the somewhat mysterious
constant 0x1ff - which was selected because at that point the maximum value of
padlen was 256. The new code is perhaps a bit more readable for that reason.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The previous code used comparison operators >= and == that are quite likely to
be compiled to branches by some compilers on some architectures (with some
optimisation levels).
For example, take the following function:
void old_update( size_t data_len, size_t *padlen )
{
*padlen *= ( data_len >= *padlen + 1 );
}
With Clang 3.8, let's compile it for the Arm v6-M architecture:
% clang --target=arm-none-eabi -march=armv6-m -Os foo.c -S -o - |
sed -n '/^old_update:$/,/\.size/p'
old_update:
.fnstart
@ BB#0:
.save {r4, lr}
push {r4, lr}
ldr r2, [r1]
adds r4, r2, #1
movs r3, #0
cmp r4, r0
bls .LBB0_2
@ BB#1:
mov r2, r3
.LBB0_2:
str r2, [r1]
pop {r4, pc}
.Lfunc_end0:
.size old_update, .Lfunc_end0-old_update
We can see an unbalanced secret-dependant branch, resulting in a total
execution time depends on the value of the secret (here padlen) in a
straightforward way.
The new version, based on bit operations, doesn't have this issue:
new_update:
.fnstart
@ BB#0:
ldr r2, [r1]
subs r0, r0, #1
subs r0, r0, r2
asrs r0, r0, #31
bics r2, r0
str r2, [r1]
bx lr
.Lfunc_end1:
.size new_update, .Lfunc_end1-new_update
(As a bonus, it's smaller and uses less stack.)
While there's no formal guarantee that the version based on bit operations in
C won't be translated using branches by the compiler, experiments tend to show
that's the case [1], and it is commonly accepted knowledge in the practical
crypto community that if we want to sick to C, bit operations are the safest
bet [2].
[1] https://github.com/mpg/ct/blob/master/results
[2] https://github.com/veorq/cryptocoding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
