Commit graph

5063 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Janos Follath
b795332401 mbedtls_rsa_rsassa_pss_*: improve documentation
Hashes used in RSA-PSS encoding (EMSA-PSS-ENCODE, see §9.1.1 in RFC
8017):

- H1: Hashing the message (step 2)
- H2: Hashing in the salt (step 6)
- H3: Mask generation function (step 9)

According to the standard:

- H1 and H2 MUST be done by the same hash function
- H3 is RECOMMENDED to be the same as the hash used for H1 and H2.

According to the implementation:

- H1 happens outside of the function call. It might or might not happen
and the implementation might or might not be aware of the hash used.
- H2 happens inside the function call, consistency with H1 is not
enforced and might not even be possible to detect.
- H3 is done with the same hash as H2 (with the exception of
mbedtls_rsassa_pss_verify_ext(), which takes a dedicated parameter for
the hash used in the MGF).

Issues with the documentation:

- The comments weren't always clear about the three hashes involved and
often only mentioned two of them (which two varied from function to
function).
- The documentation was giving the impression that the standard
recommends aligning H2 and H1 (which is not a recommendation but a
must).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-21 10:39:04 +01:00
Spencer Burke
6364d32e47 Remove the duplicate code in mbedtls/include/mbedtls/check_config.h
Removing the extra preprocessor directives found within the specified
source file.

Signed-off-by: Spencer Burke <info.spencer.burke@gmail.com>
2021-06-18 14:27:22 -07:00
Hanno Becker
d8f32e72b4 Move export callback and context to the end of SSL context
This saves some code when compiling for Thumb, where access to
fields with offset index > 127 requires intermediate address
computations. Frequently used fields should therefore be located
at the top of the structure, while less frequently used ones --
such as the export callback -- can be moved to the back.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
e0dad720ee Remove return value from key export callback
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
7e6c178b6d Make key export callback and context connection-specific
Fixes #2188

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
22b34f75cd Remote key export identifier used for TLS < 1.2.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
ddc739cac4 Add missing documentation for key export callback parameters
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
457d61602f Define and implement new key export API for Mbed TLS 3.0
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
2d6e6f8fec Remove '_ext' suffix from SSL key exporter API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
78ba2af7c2 Remove old key export API
Seems to be an oversight that this wasn't marked deprecated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
TRodziewicz
963bb810f4 Removing global variable and moving variant function comment block
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 13:22:57 +02:00
Hanno Becker
5c5b820352 Fix typo in doc'n of session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 12:21:25 +01:00
Manuel Pégourié-Gonnard
9d4c2c4e42 Clarify how to create custom profiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:19:34 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
Gilles Peskine
39957503c5 Remove secp256k1 from the default X.509 and TLS profiles
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
a03fb29666 Document backward compatibility promises for the default TLS profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:05 +02:00
Gilles Peskine
a28f0f5082 Leave the preference order for hashes unspecified
We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad In TLS, order curves by resource usage, not size
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.

So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.

The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
377c91e1b7 Remove meaningless clause
We stated that curves were listed "in order of preference", but we never
explained what the preference was, so this was not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
5752e599b3 Reduce the default ECP window size
MBEDTLS_ECP_WINDOW_SIZE is a compromise between memory usage (growing based
on the value) and performance (faster with larger values). There are
disminishing returns as the value grows larger. Based on Manuel's benchmarks
recorded in https://github.com/ARMmbed/mbedtls/issues/4127, 4 is a good
compromise point, with larger values bringing little advantage. So reduce
the default from 6 to 4.

Document the default value as in optimized for performance mostly, but don't
document the specific value, so we may change it later or make it
platform-dependent.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
ae270bf386 Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ffb92da622 Upgrade the default X.509 profile to the former "next" profile
Upgrade the default X.509 certificate verification profile
mbedtls_x509_crt_profile_default to the former value of
mbedtls_x509_crt_profile_next, which is hashes and curves with at least 255
bits (Curve25519 included), and RSA 2048 and above.

Document more precisely what goes into the default profile.

Keep the "next" profile unchanged for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
Manuel Pégourié-Gonnard
55a7fb8322 Improve documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:42:03 +02:00
Manuel Pégourié-Gonnard
5314e08e08 Make the fields of mbedtls_x509_crt_profile public
These fields are supposed to be manipulated directly, that's how people
create custom profiles.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:32:01 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f8c24bf507 Fix signature of check_pub_priv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
aa3ed6f987 Make RNG parameters mandatory in ECP functions
Fix trivial faulty calls in ECP test suite and ECP/ECJPAKE self-tests (by
adding a dummy RNG).

Several tests suites are not passing yet, as a couple of library
function do call ecp_mul() with a NULL RNG. The complexity of the fixes
range from "simple refactoring" to "requires API changes", so these will
be addressed in separate commits.

This makes the option MBEDTLS_ECP_NO_INTERNAL_RNG, as well as the whole
"internal RNG" code, obsolete. This will be addressed in a future
commit, after getting the test suites to pass again.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
7861ecf838 Make RNG parameters mandatory in ECDH functions
Again, no check in the code - will be checked by ECP

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
1a87722bb6 Make RNG parameters mandatory in DHM functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
34d3756457 Make RNG parameters mandatory in PK functions
Again, no check here, will be checked by lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
c305b72ed1 Make RNG parameters mandatory in X.509 functions
Not adding a check in the code here, as this will be checked by the
lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
ad5390fc4f Clarify that RNG parameters are mandatory in SSL
No change here, these were already mandatory, it just wasn't explicit in
the documentation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Hanno Becker
ab4ecfcc2c Improve wording of documentation of new session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-17 05:12:16 +01:00
Thomas Daubney
4a7010d1aa Removes MBEDTLS_SSL_TRUNCATED_HMAC config option
Commit removes the
MBEDTLS_SSL_TRUNCATED_HMAC config option from config.h
and places a check that it is unset in check_config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Thomas Daubney
d7171e9f59 Removes truncated HMAC code from ssl.h
Commit removes conditionally compiled code
relating to MBEDTLS_SSL_TRUNCATED_HMAC from
ssl.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Mateusz Starzyk
d6f673d710 Remove outdated note about multiple calls to cipher update for
associated data.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
bd513bb53d Enable multiple calls to mbedtls_gcm_update_ad.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
TRodziewicz
15a7b73708 Documentation rewording
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 11:22:53 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
TRodziewicz
90f304ff1a Fixing test_clang_opt (asm not defined)
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:48:01 +02:00
TRodziewicz
d854083773 Move part of timing module out of the library
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:47:44 +02:00
Manuel Pégourié-Gonnard
8cad2e22fc
Merge pull request #4595 from gilles-peskine-arm/alt-dummy-headers-3.0
Lighten and test constraints on context types in alternative implementations
2021-06-15 12:12:46 +02:00
Gilles Peskine
e5702489f5 mbedtls_dhm_get_value parameter order: context first, output last
mbedtls_dhm_get_value can be seen as either a copy function or a getter
function. Given the name and the semantics, it's more of a getter, even if
it "gets" by doing a copy. Therefore, put the context first, and the
selector next, leaving the output for last.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
bf69ea5b8f Make some fields of mbedtls_ecp_group public
The Mbed TLS code relies heavily on reading certain fields of
mbedtls_ecp_group directly. Make these fields public. Require
that MBEDTLS_ECP_ALT alternative implementations have them.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
cd07e22048 New function mbedtls_ecjpake_set_point_format
Use this instead of accessing the field directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
71acc6e8d9 New function mbedtls_dhm_get_value to copy a field of a DHM context
Reduce the need to break the DHM abstraction by accessing the context directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
487bbf6805 DHM: new functions to query the length of the modulus
Add two functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen() to
query the length of the modulus in bytes or bits.

Remove the len field: the cost of calling mbedtls_dhm_get_len() each time
it's needed is negligible, and this improves the abstraction of the DHM
module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
601d34396c Update TLS presets when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
6e1387abed Update MBEDTLS_ECP_MAX_BITS when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
d0b16303bb Determine MBEDTLS_ECP_MAX_BITS automatically
MBEDTLS_ECP_MAX_BITS doesn't make sense as a configuration option: it
must not be smaller than the largest supported curve, and it's useless
to set it to a larger value. So unconditionally set it to the size of
the largest supported curve. Remove it from the build configuration.

Alternative implementations must no longer need define this macro.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
9ef1ea7444 Move the definition of derived values out of the settings section
Alternative implementations must no longer define these macros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
cee21d76f1
Merge pull request #4606 from TRodziewicz/turn__SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt
Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config opt to a runtime opt
2021-06-14 19:03:28 +02:00
Ronald Cron
c4c761e35e Merge remote-tracking branch 'mbedtls/development' into mbedtls_private_with_python
Conflicts:
    include/mbedtls/ssl.h
    include/psa/crypto_struct.h

Conflicts fixed by using the code from development branch
and manually re-applying the MBEDTLS_PRIVATE wrapping.
2021-06-14 16:17:32 +02:00
TRodziewicz
3946f79cab Correction according to code review (function and param. names change
and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 13:46:21 +02:00
TRodziewicz
8476f2f30a Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config option to a runtime option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:20 +02:00
TRodziewicz
1fcd72e93c change log and migr. guide fixes and _DEPRECATED_REMOVED removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:16:06 +02:00
Janos Follath
21f84643f8
Merge pull request #4317 from yanesca/psa-jpake-interface
J-PAKE interface definition for PSA Crypto
2021-06-11 13:47:25 +01:00
Ronald Cron
57864faf84
Merge pull request #4634 from Patater/mbed-can-do-timing
config: Allow Mbed to implement TIMING_C
2021-06-11 09:14:13 +02:00
Gilles Peskine
02b76b7d18
Merge pull request #4619 from TRodziewicz/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options
Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
2021-06-10 17:43:36 +02:00
Jaeden Amero
197496af69 config: Allow Mbed to implement TIMING_C
Mbed OS now provides POSIX-like time functions, although not alarm() nor
signal(). It is possible to implement MBEDTLS_TIMING_ALT on Mbed OS, so
we should not artificially prevent this in check-config. Remove the the
check that prevents implementing MBEDTLS_TIMING_ALT on Mbed OS.

Note that this limitation originally was added in the following commit,
although there isn't much context around why the restriction was
imposed: 63e7ebaaa1 ("Add material for generating yotta module"). In
2015, Mbed OS was quite a different thing: no RTOS, no threads, just an
asynchronous event loop model. I'd suppose the asynchronous event loop
model made it difficult before to implement MBEDTLS_TIMING_C on Mbed OS,
but that is no longer the case.

Fixes #4633

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-06-09 13:47:27 +01:00
TRodziewicz
3ecb92e680 Remove _X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 13:28:16 +02:00
TRodziewicz
26371e4793 Rename the _ret() functions
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-08 16:45:41 +02:00
Janos Follath
1f0131844c Clarify PSA_PAKE_STEP_ZK_PROOF format
Removing reference to RFC 7748 as it is more confusing than helpful. (It
decodes the scalars after masking which is not part of the encoding we
want to specify. Also, it has the explanation what it means by little
endian in a preceding section that is not trivial to find.)

We also explicitly specify constraint on leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:30:48 +01:00
Janos Follath
46c02375b7 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:22:51 +01:00
Janos Follath
0dcda95ac0 Make check-names.sh happy
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:52:05 +01:00
Janos Follath
33434a9f60 Fix parenthesis spacing in crypto_struct.h
crypto_struct.h is implementation-specific so it was intended to have
Mbed TLS whitespace style.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:51:40 +01:00
Janos Follath
55dd5dc355 PSA PAKE: Clarify the documentation of NIZKP steps
The expression "the masking is omitted" assumes familiarity with
Montgomery curve private key format and even then can be confusing and
ambiguous or confusing.

Describe directly what format we mean and add some more background
information and reference to the standard as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b384ec19d1 PSA PAKE: fix J-PAKE documentation code rendering
4-space indent is only guaranteed to result in a code block if there's a
blank line just before (details vary depending on the markdown
implementation, and doxygen isn't exactly markdown anyway). In a bullet
list, you need 8 spaces since the list itself is a nested construct
which takes a 4-space indent (even though you don't have to indent
continuation lines inside a bullet point by 4 spaces, 1 is enough).

Using \code...\encode which is rendering as intended.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
3293dae00e psa_pake_setup(): simplify documentation
This level of detail can be confusing and could require even more detail
to clear it up. Simplifying it instead in alignment wiht the
documentation of existing setup functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b4db90fb27 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
38d29db75f Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
a46e28f786 PSA PAKE: use neutral pronouns
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
ec83eb605e Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
52f9efad22 Revert "Rename psa_pake_set_password()"
This reverts commit 03a5fd7780026b2ca0b4728352ded930f5a7cff9.

We're already calling the output of a PAKE a "shared secret". The
password is a shared secret (for PAKE where the verifier knows a
password-equivalent secret), but calling it "shared secret" or even just
"secret" would be confusing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
89ee05a805 Rename psa_pake_set_password()
Technically this function takes a low entropy secret as an input which
might or might not be the password. Using the term "secret" in the
function name is less misleading.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
559f05eefc PSA PAKE: remove psa_pake_set_password_stretch()
The password stretching (using slow and/or memory hard hashes) in PAKEs
usually serves two purposes:

- Defending against server compromise impersonation attacks. J-PAKE is an
augmented PAKE and as such, stores a password-equivalent and defending
against this class of attacks is out of scope.
- Preventing offline dictionary attacks. J-PAKE is proven to be zero
knowledge and leaks no information beyond the fact if the passwords
matched and offline dictionary attack is not possible.

In summary: J-PAKE does not benefit from pasword stretching and is
unlikely to be an input. This part of the API is not necessary at this
point and can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
7d69b3a993 PSA PAKE: add warning about stability
We are not confident about the stability of the PAKE interface (it is
just a proposal, not part of the standard yet).  So we should explicitly
document it as experimental, subject to change.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
702cf09ae9 PSA PAKE: move the API to crypto_extra.h
At this point this is a proposed PAKE interface for the PSA Crypto API
and not part of the official standard. Place the interface in
crypto_extra.h to make this clear.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:34 +01:00
Janos Follath
304766e11e PSA PAKE: make algorithm macro name consistent
The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not
PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as
well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
a295918596 PSA PAKE: add input size macros
The caller is likely to receive the inputs on the wire, and having a
known size for which they can confidently reject longer inputs would be
helpful in cases where the application can't just use the input in
place.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
5e1948d2a3 PSA PAKE: define size macros as 0
Define the size macros to 0 rather than empty. That will lead to fewer
weird errors when we start implementing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Ronald Cron
d2cfa3e980 Improve mbedtls_rsa_init/set_padding() descriptions
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
c1905a1c3d Change mbedtls_rsa_init() signature
Remove padding parameters as mbedtls_rsa_init()
cannot return an error code when padding
parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
ea7631be1c Change mbedtls_rsa_set_padding() signature
mbedtls_rsa_set_padding() now returns the error
code MBEDTLS_ERR_RSA_INVALID_PADDING when
padding parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:10 +02:00
Manuel Pégourié-Gonnard
16fdab79a5
Merge pull request #4382 from hanno-arm/max_record_payload_api
Remove MFL query API and add API for maximum plaintext size of incoming records
2021-06-08 11:07:27 +02:00
TRodziewicz
0730cd5d9e Merge branch 'development' into Remove__CHECK_PARAMS_option 2021-06-07 15:41:49 +02:00
TRodziewicz
442fdc22ea Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-07 13:52:23 +02:00
Mateusz Starzyk
a74295fb52 Remove outdated note about direct manipulation of private members.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:30:55 +02:00
Mateusz Starzyk
8fc95a06a6 Wrap variable missed by the python script.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:28:24 +02:00
Mateusz Starzyk
2abe51cc75 Extend setup_and_run script to cover remaining configurations.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:08:01 +02:00
Mateusz Starzyk
854a25c7a4 Merge branch 'development' into mbedtls_private_with_python
Conflicts:
         include/mbedtls/ecp.h

Conflict resolved by using the code from development branch
and manually applying the MBEDTLS_PRIVATE wrapping.
2021-06-07 09:49:01 +02:00
Manuel Pégourié-Gonnard
9371a40476 Stop referencing private constants in documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:42 +02:00
Manuel Pégourié-Gonnard
cac90a15ed Hide constants for TLS 1.0 and TLS 1.1
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:33 +02:00
Hanno Becker
d60b6c62d5 Remove per-version ciphersuite configuration API
This commit removes the API

```
    mbedtls_ssl_conf_ciphersuites_for_version()
```

which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.

With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.

This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and

```
   mbedtls_ssl_conf_ciphersuites()
```

can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:20:10 +02:00
Manuel Pégourié-Gonnard
0c1a42a147
Merge pull request #4611 from gilles-peskine-arm/random-range-uniformity-3.0
Fix non-uniform random generation in a range
2021-06-04 10:43:15 +02:00
Manuel Pégourié-Gonnard
f9f9cc217c
Merge pull request #4579 from tom-daubney-arm/rm_ecdh_legacy_context_config_option
Remove `MBEDTLS_ECDH_LEGACY_CONTEXT` config option
2021-06-04 10:02:59 +02:00
Gilles Peskine
7ed7c5a37d mbedtls_mpi_random: document MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
Note that this error has a negligible probability with a "crypto-sized"
bound, but macroscopic probability with a small bound.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
1e918f44c9 mbedtls_mpi_random: check for invalid arguments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
02ac93a1a3 Move mbedtls_mpi_random to the bignum module
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.

This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Thomas Daubney
537e64305d Corrects documentation issues
Commit corrects incorrect docs in
ecdh.h and config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-03 15:46:33 +01:00
Janos Follath
79e1c47a54 PSA PAKE: explain implicit key confirmation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7c59b7a073 Improve psa_pake_set_peer()/user() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
56a4d7a59f Simplify PAKE input/output format documentation
Make input/output format documentation easier to find:
- Add direct reference to the steps from the input/output functions
- Move the format description directly to the step constants

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ead0e4fc7b PSA PAKE: Clarify J-PAKE algorithm documentation
- Transformed setup description to a more explicit pseudocode based
approach.
- Explained implicit vs explicit key confirmation

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
d416838ffd Rename psa_pake_set_password_mhf()
This step is not necessarily a memory-hard function. Memory-hard
functions are the best of the breed at the moment, but that's due to
current hardware designs, and CPU-hard-but-not-memory-hard functions
like PBKDF2 are acceptable as well. We're using “key stretching” as the
generic term for such functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
3ae6696811 Clarify psa_pake_setup() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
19271ea183 PSA PAKE: Clarify documentation of valid states
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
9a04aeaff5 PSA PAKE: improve and fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7b8910322c PSA PAKE: refine documentation of return values
The key derivation operation passed to psa_pake_set_password_mhf() might
enter an error state before the function returns. If this happens, the
user needs to know about it so that they can properly abort it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
e1a080f1f8 Improve psa_pake_set_password_mhf() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
1062a24152 Fix psa_pake_set_password_mhf() parameter list
The type of the key derivation operation was incorrect.

Also neither the PAKE nor key_derivation algorithm knows how many bytes
to transfer at this stage.

There is no optimal or recommended size, PAKEs don't mandate it either
(with the exception of OPAQUE, but that uses it internally and won't be
using this interface).

Adding an input length parameter to allow the application to control how
many bytes the PAKE takes from the key derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
14ce06afe2 PSA PAKE: fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ef816f37be Fix precedence in psa_pake_cs_set_primitive()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ed82716546 Remove always false comparison PSA_PAKE_PRIMITIVE
Always false comparison triggered compiler warnings. Removing comparison
while preserving semantics to achieve clean build.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
60fa7c59b2 PSA PAKE: document operation parameters
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
b0bcb633ff Link PSA_KEY_TYPE_PASSWORD in the documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
fe0c4493f5 Add psa_pake_set_password_mhf()
Using memory hard functions with PAKEs is the more secure option. It
should be as convenient and efficient to use as less secure options, but
so far it required creating an additional temporary key object.

With psa_pake_set_password_mhf() this eliminates the need for this.

Similarly we could add a convenience function to supply the password
directly from character strings, but that would make the less secure
option more convenient again and therfore we are not doing it now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
56cc9ccc39 PSA PAKE: Align macro names with psa_pake_step_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
3c09c47333 PSA PAKE: remove redundant steps
PAKE constructions that have multiple key shares will always consume and
produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X
would demand step-sequence validation, and provides no functional
utility over having only PSA_PAKE_DATA_XXX.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a71811aa4c Fix typo
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
78b9e40662 PSA PAKE: reintroduce psa_pake_primitive_t
If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a
structure it can't be a compile-time constant anymore.

Reintroducing psa_pake_primitive_t, because it can be constructed as an
integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE
calculating accurate estimates on the output size in compile time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a86c3131a8 PSA PAKE: divide setup into several steps
There are too many parameters to the setup function. This makes it hard
to figure out how to call the function and read code that calls the
function. This also opens the suspicion that there's yet another
parameter that we're missing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
beb78d4d41 Rename psa_pake_data_t
"Data" is too vague, renaming it to psa_pake_step_t. It is still
somewhat vague, but at least consistent with the naming used in key
derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
57cfc407e0 Remove obsolete __DOXYGEN_ONLY__ blocks
__DOXYGEN_ONLY__ blocks were only used to typeset the PSA specification
back when it was extracted from Mbed TLS headers. They are no longer
used and should be removed.

The PSA Crypto Driver API is still under development and might be
extracted from Mbed TLS headers, leaving them there for now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f53c7af916 PSA PAKE: introduce psa_pake_family_t
It is the size of something that has no a priori reason to consist of 8
bits.  This should be psa_pake_family_t, both for documentation (and
possibly static analysis) and in case 8 bits turn out not to be enough.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
1459aa5656 PSA PAKE: improve documentation
Minor documentation improvement and fixes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f75be64ef5 PSA PAKE: fix identifier value
Identifier value was not consistent with PSA conventions (last byte is
reserved for hash algorithms or used in algorithms parametrized by
a hash).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
5b44cfd430 PSA PAKE: remove alg parameter from setup
The cipher suite now defines the algorithm itself as well. Passing the
algorithm separately is redundant and error prone.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
684da03532 PSA PAKE: remove obsolete types and macros
Making the cipher suite struct internal made a number of types and
macros in the interface unused.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
cd56ff9c59 PSA PAKE: make cipher suite opaque
Hiding the structure of the cipher suite implementation allows for
greater flexibility.

To preserve maximum flexibility, the constructor is replaced by
individual setter/getter functions.

Convenience macros and or functions can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
82b54b96d3 PSA PAKE: Align macro names
In the key types API, PSA Crypto uses ECC to denote Elliptic curve
cryptography and DH to denote Finite Field Diffie-Hellman.

Change PSA_PAKE_PRIMITIVE_TYPE_XXX macros to be aligned.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
fc3577daae Remove reference to PSA_PAKE_KEY_SHARE_SIZE
The macro PSA_PAKE_KEY_SHARE_SIZE has been removed, we need to remove
references to it from the documentation as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
2ba6079d47 PSA: fix wording for implementation defined types
There were remnants of the PSA specification wording in the
documentation that can be confusing in Mbed TLS.

We need to make it clear what the consequences of being implementation
defined are in Mbed TLS.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
8005e8a167 Shrink psa_pake_side_t to uint8_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ef1b8c9a76 PSA PAKE: Relate JPAKE documentation to RFC8236
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
7ebcbf34f9 Remove psa_pake_get/set_key_share() functions
The main purpose of psa_pake_get_key_share() is to provide a more
straightforward and convenient call flow for regular PAKEs. Most PAKEs
have a single key share and need a flow like this:

op=PSA_PAKE_OPERATION_INIT;
psa_pake_setup();
psa_pake_get_key_share();
psa_pake_set_key_share();
psa_pake_get_implicit_key();

Adding psa_pake_get/set_key_share() functions cuts out the
psa_pake_data_t constants from the users vision, hiding complexity that
exists only for unrelated PAKEs that aren't relevant for the user.

This comes with the cost of the two additional API functions that we need
to maintain.

Since the current stream of work focuses on enabling J-PAKE, there are
no benefits to these functions for now.

Once algorithms that can benefit from this simplification are added,
adding back these functions can be reconsidered.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
fb4203dcff PSA PAKE: Call the scheme algorithm
The documentation is calling PAKEs protocols but it has an
psa_algorithm_t identifier. To align the terminology, the documentation
should call them algorithms as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
020da462d2 Fix PSA_PAKE_PRIMITIVE macro
Fix the typo in the macro definition and more specific parameter names
allow for future scripts to check validity of arguments.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
1101edb948 PSA PAKE: typo fixes in documentation
Also removes the mention of THREAD as we can't give a publicly available
reference for it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ca2c167dcb PSA PAKE: fix doxygen warnings
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
7f1e81a98d PSA PAKE: specify key type and usage
The PSA_KEY_TYPE_PASSWORD key type to which this documentation change
refers to is not yet present in the code and will be introduced by a
parallel line of work.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b378d57840 PSA PAKE: add output size macros
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
9c6b147d98 PSA PAKE: Add J-PAKE to the interface
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
8a09ca9d94 PSA PAKE: Add dummy operation context
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
508afeca67 PSA PAKE: Add cipher suite structure
PAKE protocols make use of a range of cryptographic schemes and
primitives. Standards allow for several options to use for each of them.
They call the combination of specific algorithms cipher suites,
configurations or options.

Cipher suites are represented by a separate data type for several
reasons:
1. To allow for individual PAKE protocols to provide pre-defined cipher
   suites.
2. To organise cipher suites into a unit that can be handled separately
   from the operation context. The PAKE operation flow is already
   complex, will be even more so when key confirmation is added.
   Handling them separately should reduce the surface of the interface
   the application developer needs to pay attention at any given time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
38a5d35646 PSA PAKE: Add type for representing primitives
In most of the PAKEs the primitives are prime order groups, but some of
them might need the ring structure or just are using completely different
algebraic structures (eg. SRP or PQC schemes).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b86273a6dc PSA PAKE: Add integral types
Add integral types for the draft version of PSA Crypto API PAKE
interface.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
5e5dcaced3 PSA PAKE: Add function declarations
Add function declarations for the draft version of PSA Crypto API PAKE
interface.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Thomas Daubney
4e9fb3985e Corrects documentation in ecdh.h
Commit corrects the documentation for
MBEDTLS_ECDH_LEGACY_CONTEXT in ecdh.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-03 11:51:08 +01:00
Manuel Pégourié-Gonnard
84191eab06
Merge pull request #4315 from Kxuan/feat-pre-compute-tls
Static initialize comb table
2021-06-03 11:41:54 +02:00
kXuan
782c2b9f36
fix comment, ChangeLog & migration-guide for MBEDTLS_ECP_FIXED_POINT_OPTIM
Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-03 15:47:40 +08:00
Manuel Pégourié-Gonnard
1b1327cc0d
Merge pull request #4581 from TRodziewicz/remove_supp_for_extensions_in_pre-v3_X.509_certs
Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
2021-06-02 13:48:03 +02:00
Manuel Pégourié-Gonnard
df77624ab5
Merge pull request #4490 from TRodziewicz/Combine__SSL_<CID-TLS1_3>_PADDING_GRANULARITY_options
Combine _SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
2021-06-02 13:47:48 +02:00
Manuel Pégourié-Gonnard
1b3b27cbb0
Merge pull request #4587 from TRodziewicz/remove_3DES_ciphersuites
Remove 3DES ciphersuites
2021-06-02 11:01:42 +02:00
Ronald Cron
3dafa9bda8
Merge pull request #4555 from ronald-cron-arm/m-ccm-api
Define CCM multi-part API
2021-06-02 09:56:43 +02:00
Paul Elliott
83f09ef056 Proper multipart AEAD GCM Implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-01 17:17:47 +01:00
Paul Elliott
b2ce2ed6d8 Merge remote-tracking branch 'upstream/development' into psa-m-aead
Conflicts:
* None
2021-06-01 17:13:19 +01:00
Thomas Daubney
416c46ffe5 Defines MBEDTLS_ECDH_LEGACY_CONTEXT in ecdh.h
Commit adds the conditional definition of
MBEDTLS_ECDH_LEGACY_CONTEXT to ecdh.h.
MBEDTLS_ECDH_LEGACY_CONTEXT is only defined
if MBEDTLS_ECP_RESTARTABLE is definied.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 15:31:07 +01:00
Thomas Daubney
c8901ed98d Removes MBEDTLS_ECDH_LEGACY_CONTEXT from check_config.h
Commit removes MBEDTLS_ECDH_LEGACY_CONTEXT
checks from check_config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 15:31:07 +01:00
Thomas Daubney
8f4eacaac6 Removes MBEDTLS_ECDH_LEGACY_CONTEXT from config.h
Commit removes the definition of
MBEDTLS_ECDH_LEGACY_CONTEXT from config.h.
Additionally removes the unset calls to
MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-01 15:28:26 +01:00
Ronald Cron
e13d3083ee Add invalid context as a possible reason for _BAD_INPUT error code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 13:35:40 +02:00
Gilles Peskine
fe3069b7f1
Merge pull request #4585 from mpg/cipher-aead-delayed
Clarify multi-part AEAD calling sequence in Cipher module
2021-06-01 12:04:19 +02:00
TRodziewicz
f059e74a22 Re-wording ChangeLog and reverting overzealous removal from config.h
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-01 11:17:07 +02:00
Ronald Cron
542957d6b1 Add some API calling order documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:22:05 +02:00
Ronald Cron
7c41cd2a7a Split operation start and the declaration of data lengths
Split operation start and the declaration of data lengths
to better align with the PSA Cryptography multipart AEAD
APIs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:07:43 +02:00
Ronald Cron
51584c6cdb Prefer ad to add as shorthand for additional/associated data
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:51 +02:00
Ronald Cron
ff92479f71 Wording improvement
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:51 +02:00
Ronald Cron
84cb8e0063 Add invalid mode as mbedtls_ccm_start() possible error
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:49 +02:00
Ronald Cron
b87fe016aa Remove buffer overlap considerations
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:20 +02:00
Ronald Cron
86e6c9f860 Improve expected context state for some APIs
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:02 +02:00
kXuan
ba9cb76e9f
static initialize comb table
MBEDTLS_ECP_FIXED_POINT_OPTIM aims to speed up ecc multiplication performance.

We compute the comb table in runtime now. It is a costly operation.

This patch add a pre-computed table to initialize well-known curves. It speed up ECDSA signature verify process in runtime by using more ROM size.

Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-01 10:02:13 +08:00
TRodziewicz
4e57f4cdfd Adding removed defines to check_config.h and fixing the migration guide entry.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 12:58:25 +02:00
Manuel Pégourié-Gonnard
6d84e917bb
Merge pull request #4568 from creiter32/to_upstream/csr_critical_extensions
Expose flag for critical extensions
2021-05-31 12:46:59 +02:00
Manuel Pégourié-Gonnard
42eba1a274 Fix a typo
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-31 12:14:02 +02:00
TRodziewicz
3670e387dc Remove 3DES ciphersuites
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 12:11:53 +02:00
Manuel Pégourié-Gonnard
c42a0be00b Clarify calling sequence in the Cipher layer
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-31 11:13:35 +02:00
Ronald Cron
ea62d2f391
Merge pull request #4369 from hanno-arm/relax_psk_config
Implement relaxed semantics for static PSK configuration in Mbed TLS 3.0
2021-05-31 10:03:56 +02:00
TRodziewicz
dee975af7d Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
Remove define

Add ChangeLog file and migration guide entry

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-28 15:27:01 +02:00
Ronald Cron
c44a1d522a
Merge pull request #4507 from Venafi/userid-oid
Add OID for User ID
2021-05-28 10:43:41 +02:00
Hanno Becker
196739b478 Change wording in documentation of PSK configuration
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-28 05:33:14 +01:00
Ronald Cron
7146cb9488
Merge pull request #4559 from gilles-peskine-arm/psa-storage-format-test-algorithms-3.0
PSA storage format test: algorithms
2021-05-27 17:33:57 +02:00
TRodziewicz
cc7074128a Remove MBEDTLS_CHECK_PARAMS option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-27 17:33:32 +02:00
Mateusz Starzyk
e7dce558c9 Merge branch 'development' into mbedtls_private_with_python
Conflicts:
	include/mbedtls/ssl.h

Conflicts resolved by using code from development branch and
manually re-applying MBEDTLS_PRIVATE wrapping.
2021-05-27 16:02:46 +02:00
Christoph Reiter
95273f4b07 Expose flag for critical extensions
Enables creating X.509 CSRs with critical extensions.

Signed-off-by: Christoph Reiter <christoph.reiter@infineon.com>
2021-05-27 14:27:43 +02:00
Manuel Pégourié-Gonnard
e9cac0e277 Fix inconsistent documentation of cipher_setup()
- the \internal note said that calling cipher_init() first would be made
mandatory later, but the documention of the ctx parameter already said
the context had to be initialized...
- the documentation was using the word initialize for two different
meanings (calling setup() vs calling init()), making the documentation
of the ctx parameter quite confusing (you must initialize before you can
initialize...)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-27 12:59:11 +02:00
Ronald Cron
0cc60f9985 Improve some length parameter descriptions
Improve some length parameter descriptions, aligning
them with the descriptions for the one-shot
functions.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-27 09:58:21 +02:00
Ronald Cron
c0cc7ba51e Change from total_input_len to plaintext_len as parameter name
plaintext_len conveys more information.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-27 09:58:12 +02:00
TRodziewicz
1e660edd82 Change the comment wording in config.h
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 17:08:54 +02:00
TRodziewicz
46cccb8f39 _SSL_DTLS_BADMAC_LIMIT config.h option removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:36:21 +02:00
TRodziewicz
e8dd7097c3 Combine MBEDTLS_SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:19:08 +02:00
Ronald Cron
eabc3afe69 Align length and additional data shorthand in parameter names
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 12:28:20 +02:00
Ronald Cron
4c2a379280 State explicitly that multi-part CCM is not implemented in Mbed TLS yet
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 12:28:20 +02:00
Ronald Cron
9ca25503ba Fix mbedtls_ccm_finish() error code description
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 12:28:20 +02:00
Ronald Cron
2d40b1031f Fix mbedtls_ccm_update() buffered output description
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 12:28:10 +02:00
Ronald Cron
d1a29a9687 Align mbedtls_ccm_update_ad() and mbedtls_ccm_update() descriptions
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 10:49:59 +02:00
Ronald Cron
5905f91ba1 Improve mbedtls_ccm_starts() description
Change from `body` to `input` to refer to the input data.
Add prefix total_ to the new length parameters
to ease refering to them in the documentation of
the other multi-part APIs.
Add error code documentation.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-26 10:49:53 +02:00
Gilles Peskine
b7abba28e3
Merge pull request #4515 from tom-daubney-arm/remove_rsa_mode_params_2
Remove rsa mode params part 2
2021-05-25 20:36:33 +02:00
Gilles Peskine
8a5304d446
Merge pull request #4553 from gilles-peskine-arm/aria_alt-3.0
Fix ARIA_ALT header and self-test and CAMELLIA_ALT self-test
2021-05-25 20:32:40 +02:00
Gilles Peskine
1231eb5891 Define dependency symbols for hashless signature algorithms
Define the dependency symbols PSA_WANT_ALG_ECDSA_ANY and
PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW as de facto synonyms of
PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_RSA_PKCS1V15_SIGN respectively: if
either one is requested, the other is set.
This makes it easier to systematically determine the dependencies of
an algorithm.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:39:53 +02:00
Ronald Cron
266694ea42 Define CCM multi-part API
Define CCM multi-part API along the lines of the
GCM multi-part API. The two APIs are not exactly
the same as, contrary to GCM, CCM needs the size
of the additional data and plaintext/ciphertext
from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-25 10:08:08 +02:00
Gilles Peskine
59392b0075 Fix misplaced extern "C" affecting MBEDTLS_ARIA_ALT
Reported via Mbed OS:
https://github.com/ARMmbed/mbed-os/issues/14694

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 09:23:10 +02:00
TRodziewicz
9d1ce40898 Additional corrections
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 14:07:17 +02:00
TRodziewicz
4ca18aae38 Corrections after the code review
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 13:38:00 +02:00
TRodziewicz
6370dbeb1d Remove the _SSL_FALLBACK_ parts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:59 +02:00
TRodziewicz
28126050f2 Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:48:12 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Hanno Becker
88f86f7f37 Remove copy-pasta from record API documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
ebd6ab7f6e Improve documentation of record expansion API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
80d163d496 Remove Doxygen references to now-internal MFL query API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
2d8e99b097 Add API to query maximum plaintext size of incoming records
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
be746949c4 Relax documentation of mbedtls_ssl_get_max_out_record_payload()
The previous documentation could be read as exhaustively listing
the factors that go into computing the maximum outgoing record
plaintext size -- we should give examples, but allow ourselves
to add more factors in the future.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
9752aadd85 Make query API for state of MFL extension internal
This commit makes the API

- mbedtls_ssl_get_output_max_frag_len()
- mbedtls_ssl_get_input_max_frag_len()
- mbedtls_ssl_get__max_frag_len()

for querying the state of the Maximum Fragment Length
extension internal.

Rationale: The value those APIs provide to the user is in
upper bounds for the size of incoming and outgoing records,
which can be used to size application data buffers apporpriately
before passing them to mbedtls_ssl_{read,write}(). However,
there are other factors which influence such upper bounds,
such as the MTU or other extensions (specifically, the
record_size_limit extension which is still to be implemented)
which should be taken into account.

There should be more general APIs for querying the maximum
size of incoming and outgoing records.

For the maximum size of outgoing records, we already have such,
namely mbedtls_ssl_get_max_out_record_payload().

For the maximum size of incoming records, a new API will be
added in a subsequent commit.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
c49d15fded Use 'version-specific' instead of 'implementation-defined' in API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 05:41:21 +01:00
Paul Elliott
e95259f833 Remove some CCM leftovers
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-21 18:05:04 +01:00
Mateusz Starzyk
363eb29d4b Fix MBEDTLS_PRIVATE wrapping in the library's headers.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-21 18:10:44 +02:00
Mateusz Starzyk
846f021de2 Run MBEDTLS_PRIVATE wrapping script on the library.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-21 18:10:44 +02:00
Mateusz Starzyk
2c09c9bca9 Introduce MBEDTLS_PRIVATE macro.
Public structs members are considered private and should not
be used by users application.

MBEDTLS_PRIVATE(member) macro is intended to clearly indicate
which members are private.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-21 18:07:06 +02:00
Thomas Daubney
f54c5c5547 Fixes typo
Commit fixes typo in rsa.h found in review.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-21 17:05:21 +01:00
Thomas Daubney
2c65db9655 Corrects documentation in rsa.h
Some documentation in rsa.h was
still incorrect regarding f_rng
being mandatory. This has now
been corrected.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-21 10:58:28 +01:00
Janos Follath
7fc487c4d6
Merge pull request #4347 from hanno-arm/ssl_session_cache_3_0
Add session ID as an explicit parameter to SSL session cache API
2021-05-21 09:28:55 +01:00
Manuel Pégourié-Gonnard
59c4412767
Merge pull request #4497 from netfoundry/fix-mingw-build-development
Use proper formatting macros when using MinGW provided stdio
2021-05-21 10:03:26 +02:00
Ronald Cron
ca72287583
Merge pull request #4304 from mstarzyk-mobica/convert_NO_SHA384_to_positive
Modify config option for SHA384.
2021-05-21 08:04:33 +02:00
Paul Elliott
60aa203e30 Remove temporary AEAD CCM implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-20 22:44:32 +01:00
Paul Elliott
3dc1c242b4 Move AEAD contexts from primitives to composites
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-20 18:39:58 +01:00
Paul Elliott
1a98acac1c Properly handle GCM's range of nonce sizes
Add comment to the effect that we cannot really check nonce size as the
GCM spec allows almost arbitrarily large nonces. As a result of this,
change the operation nonce over to an allocated buffer to avoid overflow
situations.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-20 18:39:58 +01:00
Paul Elliott
ee4ffe0079 Move AEAD length checks to PSA core
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-20 18:39:58 +01:00
Thomas Daubney
03412787e1 Modifies documentation in rsa.h
Changes to documentation to show that
f_rng is no longer going to be
optional in 3.0.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-20 15:31:17 +01:00
Ronald Cron
49fef37ebf
Merge pull request #4342 from gilles-peskine-arm/gcm-update-any-length
GCM: allow arbitrary lengths for update
Only the ABI-API-checking job failed and this is expected thus good to go.
2021-05-20 15:08:55 +02:00
Mateusz Starzyk
17011a3185 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
	library/version_features.c
	programs/test/query_config.c

Files were removed in development branch and modified by current branch.
Conflicts fixes by removing them.
2021-05-20 14:18:12 +02:00
Mateusz Starzyk
425e23ed64 Fix notes for is384 parameter
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-20 11:15:13 +02:00
Mateusz Starzyk
1af28f9b47 Fix SHA224 documentation in default config.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-20 10:36:15 +02:00
Manuel Pégourié-Gonnard
729fa5be88
Merge pull request #4450 from mstarzyk-mobica/remove_null_entropy
Remove MBEDTLS_TEST_NULL_ENTROPY config option.
2021-05-20 09:19:55 +02:00
Thomas Daubney
41e4ce4884 Removes RSA constants
This commit removes the RSA
constants MBEDTLS_RSA_PUBLIC
and MBEDTLS_RSA_PRIVATE because
they are now superfluous given
that the mode parameter has been
removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 15:10:05 +01:00
Manuel Pégourié-Gonnard
2213871654
Merge pull request #4489 from TRodziewicz/Remove__SSL_RECORD_CHECKING
Remove  ssl record checking
2021-05-19 13:57:51 +02:00
Thomas Daubney
10bc18e3b4 Corrects outstanding documentation issues
Commit removes any remaining superfluous
documentation that was not yet removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:40:20 +01:00
Thomas Daubney
782a7f5bd6 Removes mode param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify_ext
function. This change is propagated
throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:27:35 +01:00
Thomas Daubney
9e65f791b5 Removes f_rng param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes the f_rng parameter from
the mbedtls_rsa_rsassa_pss_verify_ext
function. This is in preparation for
the removal of the mode parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:18:58 +01:00
Thomas Daubney
578e9abcbd Removes p_rng param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes p_rng parameter from the
mbedtls_rsa_rsassa_pss_verify_ext function
in preparation for removal of the mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:14:57 +01:00
Thomas Daubney
5ee4cc031c Removes mode param from mbedtls_rsa_rsassa_pss_verify
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify
function and propagates the change
throughout the process.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:07:42 +01:00
Thomas Daubney
718a53db2c Removed f_rng param from mbedtls_rsa_rsassa_pss_verify
Commit removes f_rng parameter from
mbedtls_rsa_rsassa_pss_verify function in
preparation of mode parameter removal.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:01:35 +01:00
Thomas Daubney
08f4c9c571 Removes p_rng param from mbedtls_rsa_rsassa_pss_verify
Commit removes p_rng parameter from
mbedtls_rsa_rsassa_pss_verify function
as preparation for removing the mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:56:02 +01:00
Thomas Daubney
2e1262517c Removes mode parameter from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit removes mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_verify and
propagates the change throughout the
codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:48:53 +01:00
Thomas Daubney
475053df2c Removes f_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit performs removal of f_rng parameter
from mbedtls_rsa_rsassa_pkcs1_v15_verify
function in preparation for removal of mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:44:27 +01:00
Thomas Daubney
cbc088f5d0 Removes p_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit removes p_rng from
mbedtls_rsa_rsassa_pkcs1_v15_verify function in
preparation of removal of mode parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:39:58 +01:00
Ronald Cron
0e3ec27598
Merge pull request #4506 from gilles-peskine-arm/array-parameters-to-pointers-sha512
Change sha256 and sha512 output type from an array to a pointer
2021-05-19 12:37:17 +02:00
Gilles Peskine
af5b26aeaa Fix parameter names in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 12:24:33 +02:00
Gilles Peskine
fe561fe717 Doxygen: use \p for parameter names
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 12:21:53 +02:00
Mateusz Starzyk
9d2d6c9ea0 Clarfiy SHA224 and SHA256 documentation
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-19 11:48:52 +02:00
Mateusz Starzyk
c722ebb7d9 Update SHA-224 documentation.
Rephrase config.h documentation and add a note to template
configs.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-19 11:38:02 +02:00
Mateusz Starzyk
4228f895c0 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
* configs/config-psa-crypto.h: modified here, removed in development
* tests/suites/test_suite_x509parse.data: all conflicts are in depends_on
  lines where development made a change unrelated to MBEDTLS_SHAxxx and our
  branch either changed `MBEDTLS_SHA256_C` to `MBEDTLS_SHA224_C` or
  `MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384` to ``MBEDTLS_SHA384_C`, with
  no change to what the test does. Pick the other branch's dependency
  changes then apply our SHA dpeendency change.
2021-05-19 11:37:49 +02:00
Gilles Peskine
b7bb0687f7 Rework and reword the guarantees on output_size
To simplify the documentation, and because there are only two realistic
behaviors in practice, only allow two behaviors for multipart output:
immediate output, or buffering of the last partial block.

State some simple rules that applications can follow if they don't care about
the details.

Explicitly state how much output is needed for finish(). Only require the
buffer size to be the size of the actual output, not the size of the potential
output in the worst case. Rename the parameter from output_len to output_size
since it's a buffer size and not necessarily the length of the data.

No longer guarantee that the built-in implementation produces immediate
output.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 23:15:40 +02:00
Thomas Daubney
68d9cbca97 Removes mode param from mbedtls_rsa_pkcs1_verify
Commit removes mode parameter from
mbedtls_rsa_pkcs1_verify and propagates the
change throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:14:32 +01:00
Thomas Daubney
613d1a4fb7 Removes p_rng param from mbedtls_rsa_pkcs1_verify
Commit removes p_rng from mbedtls_rsa_pkcs1_verify
since p_rng has no relevance following the removal
of f_rng from this function.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
ac1331211e Removes f_rng parameter from mbedtls_rsa_pkcs1_verify
Commit removes f_rng parameter from
mbedtls_rsa_pkcs1_verify as a prerequisite
to removing the mode parameter. f_rng no
longer has relevance in this function if
mode is removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
de9fdc4b12 Removes mode param from mbedtls_rsa_rsassa_pss_sign
Commit removes the mode param from
mbedtls_rsa_rsassa_pss_sign and propagates
the changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
526549854c Removes mode param from mbedtls_rsa_rsassa_pkcs1_v15_sign
Commit removes the mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_sign and
propagates the change throughout the
codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:05 +01:00
Gilles Peskine
d9380b5270 Document reasons for MBEDTLS_ERR_GCM_BAD_INPUT in update and finish
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 21:02:52 +02:00
Gilles Peskine
8e8cdd150a Add some information about the multipart calling sequence
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 21:02:13 +02:00
Gilles Peskine
518fdb00e8 Fix size/length confusion in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 20:43:31 +02:00
Gilles Peskine
52118189da Fix copypasta in the description of mbedtls_gcm_update_ad
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 20:38:33 +02:00
Gilles Peskine
96d6e08717 Make the formatting of numbers consistent
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 20:06:04 +02:00
Thomas Daubney
140184d029 Removes mode param from mbedtls_rsa_pkcs1_sign
Commit removes the mode parameter from
mbedtls_rsa_pkcs1_sign and progagates the
change to all relevant parts of the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 18:02:24 +01:00
Thomas Daubney
fa1581ea03 Modifies typedef of mbedtls_pk_rsa_alt_sign_func
This commit modifies the typedef of
mbedtls_pk_rsa_alt_sign_func and propagates the
associated changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 12:38:33 +01:00
Ronald Cron
fdcde47f36
Merge pull request #4458 from davidhorstmann-arm/remove-max-content-len
Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
2021-05-17 16:36:04 +02:00
Gilles Peskine
864b425156
Merge pull request #4488 from tom-daubney-arm/remove_rsa_mode_params
Remove rsa mode params part 1
2021-05-17 13:49:19 +02:00
Thomas Daubney
141700f057 Removes mode param from mbedtls_rsa_rsaes_oaep_encrypt
Removes mode parameter from
mbedtls_rsa_rsaes_oaep_encrypt and propagates
changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Thomas Daubney
53e4ac64b7 Removes mode param from mbedtls_rsa_rsaes_pkcs1_v15_encrypt
Removal of mode parameter from
mbedtls_rsa_rsaes_pkcs1_v15_encrypt. This commit
propagates the change to all relevant function calls
and tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Thomas Daubney
2177277dda Removes mode param from mbedtls_rsa_pkcs1_encrypt
Removal of the mode parameter from
mbedtls_rsa_pkcs1_encrypt function. This change
is propagated throughout the codebase and to
relevant tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Thomas Daubney
0fdd8d297a Adding correction to documentation
As picked up in review, this commit
modifies the documentation by removing some
wording that is now superfluous given the
removal of the mode parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 09:58:05 +01:00
Manuel Pégourié-Gonnard
5605911fd3
Merge pull request #4447 from hanno-arm/ssl_config_cleanup
Avoid and remove some SSL error codes for Mbed TLS 3.0
2021-05-17 10:55:17 +02:00
Paul Elliott
a559b3ce56 Remove key_set and use id instead
In keeping with the other PSA multipart operations.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
cbbde5f28c Split multipart AEAD contexts into two parts
Split to data required for internal implementation and data required for
driver implementation with data left over for the PSA layer.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
5d9fa8d675 Add define to allow multipart ccm to work
Add (internal only) define to config.h which allows the temporary
implementation of CCM to work, by removing the buffer zeroization on tag
fail when decrypting. This will obviously be removed when multipart CCM
is properaly implemented

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
d4e99ed40c Fix mistyped buffer size variable
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
fd3ca24e56 Move CCM ouput to update step.
Move CCM to update all data at update step, as final step can only
output at most a block length, so outputting all data at this step
significantly breaks the tests. Had to add unpleasant workaround for the
validate stage, but this is the only way I can do things without
breaking CCM Alt implementations.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
6504aa6451 First pass addition of driver wrappers
Transparent driver test functions not yet implemented.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
adb8b16b16 Add internal implementation of multipart AEAD
For the time being CCM and GCM are not entirely implemented correctly
due to issues with their underlying implentations, which would be
difficult to fix in 2.x, and thus require all the AD and data to be
passed in in one go.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Paul Elliott
07a30c4c00 Convert oneshot AEAD over to multipart struct
Multipart AEAD operation struct has to be public as it's allocated by
the caller, so to save duplication of code, switch oneshot AEAD over to
using the multipart operation struct.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-05-14 19:03:26 +01:00
Hanno Becker
e810bbc1ac Implement 3.0-semantics for mbedtls_ssl_{get,set}_session()
mbedtls_ssl_{get,set}_session() exhibited idempotent behaviour
in Mbed TLS 2.x. Multiple calls to those functions are not useful
in TLS 1.2, and the idempotent nature is unsuitable for support of
TLS 1.3 which introduces the availabilty to offer multiple tickets
for resumption, as well as receive multiple tickets.

In preparation for TLS 1.3 support, this commit relaxes the semantics
of `mbedtls_ssl_{get,set}_session()` by allowing implementations to
fail gracefully, and leveraging this freedom by modifying the
existing TLS 1.2 implementation to only accept one call to
`mbedtls_ssl_{get,set}_session()` per context, and non-fatally
failing all subsequent invocations.

For TLS 1.3, it will be leveraged by making multiple calls to
`mbedtls_ssl_get_session()` issue one ticket a time until no more
tickets are available, and by using multiple calls to
`mbedtls_ssl_set_session()` to allow the client to offer multiple
tickets to the server.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 16:27:54 +01:00
Hanno Becker
494dc71de8 Remove mbedtls_ssl_get_session_pointer()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 15:15:35 +01:00
Hanno Becker
9caed14a21 Fix typo in ssl session cache documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:57:13 +01:00
Hanno Becker
0d05f40222 Clarify that session cache query must return free-able session
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 04:57:43 +01:00
gabor-mezei-arm
4a6fcda031
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:01 +02:00
gabor-mezei-arm
12b4f34fff
Fix documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
38cbaf2881
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:57 +02:00
gabor-mezei-arm
36658e46ba
Update PSA_ALG_IS_SIGN_MESSAGE
Add missing algorithm for PSA_ALG_IS_SIGN_MESSAGE and update documentation.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:57 +02:00
gabor-mezei-arm
4a21019653 Implement psa_sign_message and psa_verify_message functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:49 +02:00
Hanno Becker
0248785081 Document session cache callbacks
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 07:09:09 +01:00
Micah N Gorrell
21d4bdbb39 Add OID for User ID
Signed-off-by: Micah N Gorrell <micah.gorrell@venafi.com>
2021-05-12 17:46:56 -06:00
Gilles Peskine
d7b3d92476 Change sha256 output type from an array to a pointer
The output parameter of mbedtls_sha256_finish_ret and mbedtls_sha256_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-224 hash into a
28-byte buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:46:29 +02:00
Gilles Peskine
e02e02f203 Change sha512 output type from an array to a pointer
The output parameter of mbedtls_sha512_finish_ret and mbedtls_sha512_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-384 hash into a
48-byte buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:32:45 +02:00
Thomas Daubney
3473308b5d Remove mode param from mbedtls_rsa_rsaes_pkcs1_v15_decrypt
Remove mode param from mbedtls_rsa_rsaes_pkcs1_v15_decrypt
and also modify and remove relevant tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:55:58 +01:00
Thomas Daubney
d21e0b780a Remove mode parameter from mbedtls_rsa_rsaes_oaep_decrypt function
Removing the mode parameter from the mbedtls_rsa_rsaes_oaep_decrypt
function. The change is progagated to all function calls, including in
test suite .function files. Additionally fully removing one test
where the wrong mode was being tested.

Signed-off-by: Tom Daubney <Thomas.Daubney@arm.com>
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:49:41 +01:00
Thomas Daubney
c7feaf349c Remove mode param from mbedtls_rsa_pkcs1_decrypt
The mode parameter has been removed from the
mbedtls_rsa_pkcs1_decrypt function. The change
has been progagated to all function calls,
including in test suite .function files.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:43:06 +01:00
eugene
e42a50da04 use proper formatting macros when using MinGW provided stdio
add changelog entry

Signed-off-by: eugene <eugene.kobyakov@netfoundry.io>
2021-05-12 12:59:30 -04:00
Ronald Cron
e0f06c624c
Merge pull request #4473 from tniessen/typos-in-header-files
Fix typos in C header files
2021-05-12 18:23:48 +02:00
Gilles Peskine
5d1f747d85
Merge pull request #4377 from mpg/psa-pbkdf2-api
PSA API for PBKDF2-HMAC
2021-05-12 18:00:30 +02:00
Thomas Daubney
99914146a4 Preparatory commit to remove tests
Removed a conditional compilation block
relating to MBEDTLS_PKCS1_V15 in
rsa_pkcs1_verify_raw function that was no
longer relevant.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 15:18:20 +01:00
TRodziewicz
102c89ed65 Remove the MBEDTLS_SSL_RECORD_CHECKING option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-12 13:28:59 +02:00
Manuel Pégourié-Gonnard
4e02f01815 Fix key type that wasn't updated earlier
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-12 10:05:45 +02:00
Ronald Cron
eb3e463380
Merge pull request #4247 from stevew817/dispatch_mac_operations
Dispatch MAC operations through the driver interface
Only API-ABI checking job failing which is expected thus CI OK.
2021-05-11 17:56:50 +02:00
Mateusz Starzyk
72f60dfcc1 Remove MBEDTLS_TEST_NULL_ENTROPY config option.
Building the library without entropy sources negates any and all security
provided by the library.
This option was originally requested a relatively long time ago and it
does not provide any tangible benefit for users any more.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-11 13:15:19 +02:00
Tobias Nießen
1e8ca122f4 Fix typos in C header files
Signed-off-by: Tobias Nießen <tniessen@tnie.de>
2021-05-10 19:54:11 +02:00
David Horstmann
95d516f319 Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-05-10 17:02:48 +01:00
Mateusz Starzyk
6326a8dd37 Fix SHA definitions and their dependencies in library and test suites.
Rework SHA224 and SHA283 documentation.
Define MBEDTLS_SHAxxx_C options in alphabetic order.
Fix SHA224 and SHA384 dependencies in test suites.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-10 13:51:53 +02:00
Manuel Pégourié-Gonnard
2c44daf0bc Add restriction on output_key alg for password hash
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-10 12:53:30 +02:00
Steven Cooreman
72f736a191 Move is_sign and mac_size checking back to PSA core scope
It makes sense to do the length checking in the core rather than expect
each driver to deal with it themselves. This puts the onus on the core to
dictate which algorithm/key combinations are valid before calling a driver.

Additionally, this commit also updates the psa_mac_sign_finish function
to better deal with output buffer sanitation, as per the review comments
on #4247.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:13 +02:00
Steven Cooreman
8f37004bd7 Remove unused variable from MAC driver structure
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
a6df6040ee Base the PSA implementation of TLS 1.2 PRF on the MAC API
This means there is no longer a need to have an internal HMAC API, so
it is being removed in this commit as well.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
d1ed1d935f Make HKDF use the generic MAC API
Such that the underlying HMAC can be accelerated if such a driver is present

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
ac8d82a6f8 Use the correct guards on the context structures for MAC/HKDF/PRF
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
dd1a915c0f Rename HMAC operation structure
Prefix with 'mbedtls_psa' as per the other types which implement some
sort of algorithm in software.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
a4638e708e Remove redundant key_set from MAC operation structure
The purpose of key_set was to guard the operation structure from being
used for update/finish before a key was set. Now that the implementation
fully adheres to the PSA API, that function is covered by the `alg`
variable instead. It's set to the algorithm in use when a key is set, and
is zero when the operation is reset/invalid.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
02fc62a6fa Remove unused items from MAC operation context structure
Apparently it was at some point assumed that there would be
support for MAC algorithms with IV, but that hasn't been
implemented yet. Until that time, these context structure
members are superfluous and can be removed.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
939102e7a3 Add CMAC to standard PSA config
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
d1955af5df Rename internal HMAC structure type to match convention
Typedef'ed structures are suffixed _t
Also updated the initialiser macro with content that actually
matches the structure's content.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
4fdf060a81 Complete, document and fully use internal HMAC API
Since HMAC moved into its own compilation unit, the internal API needed
to be documented and finalized. This means no more reaching deep into
the operation structure from within the PSA Crypto core. This will make
future refactoring work easier, since internal HMAC is now opaque to the
core.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
77e2cc5661 Move the MAC operation structure into the driver headers
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
d13a70f2dc Add boilerplate for dispatching MAC operations
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
3c8dd634dd Add include headers for composite operation contexts and move hmac
Modeled after the include chain of the primitive operation contexts.
Also moved the HMAC context structure to the builtin composites file,
since that is where it conceptually belongs. This is a preparatory
step for implementing driver dispatch of MAC multipart operations.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
61398ec5dc Move the cipher operation structure declaration for grouping
Cipher and Hash are grouped, since they are 'primitive' operations.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
f4248f2e1b Remove inclusion of top-level crypto.h from the driver context header
This was probably included by mistake, because the file itself is part
of the inclusion chain starting with crypto.h.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
675501d9db Rename the PSA driver context structure headers to _primitives
This is a preparatory step in order to be able to organize the include
chain from crypto_struct in such a way that the MAC operation structure
for the PSA 'software' driver can make use of the hash operation structure.

Conceptually:
* Primitives:
  * Hash
  * Cipher
* Composites:
  * AEAD (can use cipher)
  * MAC (can use cipher and/or hash)

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Manuel Pégourié-Gonnard
b548cda1cf
Merge pull request #4397 from TRodziewicz/change_config_h_defaults
Four config.h defaults have been changed.
2021-05-07 12:42:39 +02:00
Manuel Pégourié-Gonnard
4feb611a49 Lift a restriction on usage of verify_key()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-07 12:22:21 +02:00
Manuel Pégourié-Gonnard
e88511d7fe Try making one condition more readable
No semantic change intended.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-07 12:19:03 +02:00
Manuel Pégourié-Gonnard
f0c28eff09 Avoid introducing PSA_ALG_NONE for now
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-07 12:13:48 +02:00
Manuel Pégourié-Gonnard
f9a68ad62a Fix typos
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-07 12:11:38 +02:00
Tomasz Rodziewicz
532ca93246
Trailing spaces removed from comments in config.h 2021-05-07 11:01:24 +02:00
Tomasz Rodziewicz
1fc7c4c95e
Update config.h
Correction to the ECJPAKE_C note in config.h
2021-05-07 10:13:31 +02:00
Manuel Pégourié-Gonnard
dd57b2f240
Merge pull request #4445 from TRodziewicz/remove_deprecated_things_-_remainder
Remove deprecated functions and constants.
2021-05-07 10:05:30 +02:00
Tomasz Rodziewicz
6c3fe31f6c
Update config.h
Warning for ECJPAKE_C was removed from config.h.
2021-05-07 09:46:32 +02:00
TRodziewicz
c1c479fbe9 Fllow-up of the review: ChangeLog expansion, mmigration guides added and comments fixed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-06 00:53:22 +02:00
Manuel Pégourié-Gonnard
ece9087b93 Clarify requirement on usage flags
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-05 10:26:29 +02:00
Manuel Pégourié-Gonnard
730f62a80a Clarify the case of direct inputs
Now use the same description for INPUT_SECRET and INPUT_PASSWORD too.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-05 10:05:06 +02:00
Manuel Pégourié-Gonnard
acfde465f0 Mention USAGE_VERIFY_DERIVATION in input_key()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-05 09:54:22 +02:00
Ronald Cron
98d00d06a0
Merge pull request #4426 from ronald-cron-arm/remove-enable-weak-ciphersuites
Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
2021-05-04 17:20:36 +02:00
Manuel Pégourié-Gonnard
5b79ee252e Fix typo in doxygen reference
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-04 10:36:48 +02:00
Manuel Pégourié-Gonnard
71d955a79d Introduce PSA_ALG_NONE
It is required by the standard definition of PSA_ALG_GET_HASH.

Documentation and definition from:
https://armmbed.github.io/mbed-crypto/html/api/ops/algorithms.html#c.PSA_ALG_NONE

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-04 10:36:48 +02:00
Manuel Pégourié-Gonnard
06638ae3e8 Update "key stretching" flag
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-04 10:19:37 +02:00
Manuel Pégourié-Gonnard
40b81bf8f7 Introduce PSA_ALG_GET_HASH()
No need to introduce a specific macro for PBKDF2-HMAC when the PSA spec
already has a generic one.

Documentation from:
https://armmbed.github.io/mbed-crypto/html/api/ops/algorithms.html#c.PSA_ALG_GET_HASH
Implementation from:
https://armmbed.github.io/mbed-crypto/html/appendix/specdef_values.html

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 11:53:40 +02:00
Manuel Pégourié-Gonnard
6983b4fffc Add identifier for PBKDF2 with AES-CMAC-PRF-128
This algorithm is used for example by the Thread 1.1.1 specification,
which is not public but can be obtained free of charge at
https://www.threadgroup.org/ThreadSpec

Here it doesn't really make sense to define a parametrised family, as
this really seems to be the only use of PBKDF2 with a CMAC-based PRF (or
with any PRF other than HMAC with SHA1 or SHA2, for that matter).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 11:42:22 +02:00
Manuel Pégourié-Gonnard
2171e421c6 Add new key type PASSWORD_HASH
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 10:49:54 +02:00
Manuel Pégourié-Gonnard
88658becd4 Clarify algorithm constraint for verification
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 10:28:57 +02:00
Manuel Pégourié-Gonnard
9023cacf15 Merge verification policies together
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 10:27:27 +02:00
Manuel Pégourié-Gonnard
d307f63597 Rename verify_output_xxx() to verify_xxx()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-03 10:12:06 +02:00
Manuel Pégourié-Gonnard
3d72267db5 Specify the order of PBKDF2 inputs
Might make the implementer's life a bit simpler, and is not a big
constraint on applications.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-30 12:42:36 +02:00
Manuel Pégourié-Gonnard
c16033e0a3 Fix the encodings of the new key types
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-30 12:26:41 +02:00
Manuel Pégourié-Gonnard
ffc86ce8d6 Improve or expand several descriptions.
No change of behaviour, encoding or naming intended in this commit: just
describe the same behaviour, but in a way that's hopefully clearer and
more complete.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-30 12:26:41 +02:00
Manuel Pégourié-Gonnard
dc1b4e42e9 Fix a few typos
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-30 10:41:07 +02:00
Hanno Becker
3268d84313 Remove unused error code MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
After the previous commit, the code is no longer used and can be
removed for Mbed TLS 3.0.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-30 05:41:12 +01:00
Hanno Becker
56ee9e5f14 Remove MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
This commit removes the unused error code

```
MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
```

from the public API for Mbed TLS 3.0.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-30 05:37:19 +01:00
Hanno Becker
91e1cc3bd7 Remove MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE error code
This error is used when the output buffer isn't large enough
to hold our own certificate.

In the interest of cleaning up the error space for 3.0, this commit
removes MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and replaces its single
use by MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-30 05:32:41 +01:00
Hanno Becker
eca840f71d Remove unused MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
The SSL error code MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED is unused.

Remove it for Mbed TLS 3.0.

The code being unused comes as a surprise, at is seems to be
reasonable to report it to the user upon peer CRT verification
failure. However, this study (can potentially re-introduction
of the code) can be left for 3.x, while the error code removal
can only happen in 3.0.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-30 05:19:55 +01:00
Hanno Becker
b86e588911 Remove unused MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
The SSL error code MBEDTLS_ERR_SSL_UNKNOWN_CIPHER is unused.

Remove it for Mbed TLS 3.0 and leave a comment indicating the
gap in the error code space it creates.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-30 05:17:38 +01:00
TRodziewicz
85dfc4de20 Applying current changes
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-30 00:07:04 +02:00
TRodziewicz
18efb73743 Remove deprecated functions and constants.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 23:12:19 +02:00
Ronald Cron
1a85d3b122
Merge pull request #4146 from stevew817/allow_skipping_3des_cmac_when_alt
Allow CMAC self-test to skip tests for unsupported primitives (2)
2021-04-29 16:04:39 +02:00
Dave Rodgman
c86f330aed
Merge pull request #3777 from hanno-arm/x509-info-optimization_rebased
Reduce ROM usage due to X.509 info
2021-04-28 17:31:55 +01:00
TRodziewicz
2add5c13ea On second thought changing the way the test is run
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-28 16:50:20 +02:00
Gilles Peskine
e67665ca20
Merge pull request #4006 from chris-jones-arm/development
Add macro to check error code additions/combinations
2021-04-28 16:47:29 +02:00
Tomasz Rodziewicz
e66f49c3ce
Merge branch 'development_3.0' into change_config_h_defaults 2021-04-28 16:37:27 +02:00
TRodziewicz
92b1febbf6 addind check_config.h to the commit
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-28 16:34:13 +02:00
Mateusz Starzyk
e3c48b4a88 Separate SHA224 from SHA256 config options.
These options are still dependant on each other.
This is an intermediate step.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Mateusz Starzyk
3352a53475 Modify config option for SHA384.
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.

check_config is the only module which enforces that SHA512 is
enabled together with SHA384.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
Gilles Peskine
2c8041d6df
Merge pull request #4433 from bensze01/psa_aead_output_size
[development] PSA: Update AEAD output buffer macros to PSA API version 1.0
2021-04-28 13:30:40 +02:00
Bence Szépkúti
da95ef9ae0 Remove PSA AEAD output size compatibility macros
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-04-28 10:01:20 +02:00
Chris Jones
2c7458677a Comment out MBEDTLS_X509_REMOVE_INFO in default config.h
Fix an issue where `MBEDTLS_X509_REMOVE_INFO` was defined/enabled by default
in `include/mbedtls/config.h`. This should also fix the `context-info.sh` test
where it ran the default config and expected to see some output from the x509
info functions that were removed.

Also updated relevant comments to more accurately explain how the
configuration option works.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:38:14 +01:00
Hanno Becker
88c2bf311a Minor style improvements
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:20:56 +01:00
Hanno Becker
7ac83f91bf Print X.509 verify info strings even if MBEDTLS_X509_REMOVE_INFO
The new compile-time option MBEDTLS_X509_REMOVE_INFO removes various
X.509 debugging strings and functionality, including

```
  mbedtls_x509_crt_verify_info()
```

which ssl_client2.c and ssl_server2.c use to print human readable
descriptions of X.509 verification failure conditions. Those
conditions are also grepped for in numerous ssl-opt.sh tests.

Instead of disabling those tests if MBEDTLS_X509_REMOVE_INFO is set,
this commit essentially moves mbedtls_x509_crt_verify_info() to
ssl_client2.c and ssl_server2.c. However, instead of just copy-pasting
the code from x509_crt.c, the following approach is used:

A macro MBEDTLS_X509_CRT_ERROR_INFO_LIST is introduced which for each
verification failure condition invokes a user-defined macro X509_CRT_ERROR_INFO
with (a) the numerical error code, (b) the string presentation of the
corresponding error macro, (c) the info string for the error condition.
This macro can thus be used to generate code which somehow iterates over
the verifiation failure conditions, but the list of error conditions and
information strings is nowhere duplicated.

This is then used to re-implement mbedtls_x509_crt_verify_info() in
x509_crt.c and to provide a functionally equivalent (yet slightly different)
version in ssl_client2.c and ssl_server2.c in case MBEDTLS_X509_REMOVE_INFO
is set.

This way, little changes to ssl-opt.sh will be necessary in case
MBEDTLS_X509_REMOVE_INFO is set because the info strings for the
verification failure conditions will be printed regardless of whether
MBEDTLS_X509_REMOVE_INFO is set or not.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-27 17:20:56 +01:00
Hanno Becker
612a2f1504 Rename MBEDTLS_X509_INFO to !MBEDTLS_X509_REMOVE_INFO
The introduction of positive options to control the presence
of pre-existing functionality breaks the build for users of
handwritten configurations.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-27 17:18:52 +01:00
Peter Kolbus
9a969b66c1 Reduce code size when mbedtls_x509_*_info() unused
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:18:52 +01:00
Ronald Cron
cee427002b Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
Fix 4416

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-04-27 09:34:14 +02:00
Bence Szépkúti
bd98df7715 Update documentation of AEAD output size macros
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-04-27 04:37:18 +02:00
Dave Rodgman
12f93f4fc2
Merge pull request #4407 from ARMmbed/dev3_signoffs
Merge development_3.0 into development
2021-04-26 19:48:16 +01:00
TRodziewicz
ede3085563 Add ChangeLog file and fix comment in config.h
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-26 15:44:25 +02:00
Steven Cooreman
c338cef74b Add notes to the documentation about CMAC_ALT algorithm support
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-26 11:24:44 +02:00
TRodziewicz
85aff9f07a Correction fixing the test_depends_curves_psa falure
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-23 10:47:26 +02:00
Chris Jones
456d29c20b Rename mbedtls_error_add_ext to mbedtls_error_add
This function was previously called mbedtls_error_add_ext because there
was a macro called mbedtls_error_add. That later got capitalised which
allows the function to now be named mbedtls_error_add.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-23 09:24:05 +01:00
Steven Cooreman
894b9c4635 Add documentation for change in CMAC self-test behaviour
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-23 08:19:43 +02:00
Chris Jones
e11e81413d Improve documentation for error code checking
Improve comments explaining error code checking, fix incorrect comments
and make a small formatting fix.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-22 15:28:56 +01:00
Tomasz Rodziewicz
b13360514c
Test why the test_depends_curves_psa fails in CI 2021-04-22 15:14:17 +02:00
TRodziewicz
7062796844 Testing the failed ubuntu test
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-22 14:11:10 +02:00
Tomasz Rodziewicz
9a97a13d3e
Merge branch 'development_3.0' into remove_depr_error_codes 2021-04-22 12:53:15 +02:00
Manuel Pégourié-Gonnard
f6b677ea98
Merge pull request #4349 from mpg/apply-4334-3.0
Apply 4334 to development-3.0
2021-04-22 12:42:40 +02:00
Manuel Pégourié-Gonnard
e8e450a394
Merge pull request #4254 from mstarzyk-mobica/remove_libpkcs11-helper
Remove PKCS#11 library wrapper.
2021-04-22 12:39:54 +02:00
TRodziewicz
1818d967fe Four config.h defaults have been changed.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-22 12:06:32 +02:00
Manuel Pégourié-Gonnard
1216233949
Merge pull request #4391 from gilles-peskine-arm/error-on-removed-options-20210421
Error on removed options
2021-04-22 08:55:53 +02:00
Gilles Peskine
cc26e3bf25 Remove extraneous word
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-21 19:01:59 +02:00
Gilles Peskine
fa4e4b8645 Error out if attempting to use a removed feature
If the compile-time configuration enables an option that was removed
in Mbed TLS 3.0, and the effect of removing the option would likely
not be detected at build time, #error out in check_config.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-21 18:48:09 +02:00
Tomasz Rodziewicz
bfa03e3bc9
Update psa_util.h
Remove the conditional include after the code review
2021-04-21 17:14:31 +02:00
TRodziewicz
3408d60225 revert the error.h file include in psa_util.c
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-21 13:25:25 +02:00