Commit graph

5332 commits

Author SHA1 Message Date
Gilles Peskine
f7d6acd475 mbedtls_asn1_get_int: allow leading zeros properly
Allow any number of leading zeros, not just based on sizeof(int).
2019-09-11 15:46:44 +02:00
Jaeden Amero
cc5aeee278
Merge pull request #248 from RonEld/stack_overflow_in_hmac_fix
Fix a buffer overflow in hmac_setup_internal
2019-09-11 13:55:18 +01:00
Jaeden Amero
18c7b9fdaa
Merge pull request #210 from tempesta-tech/extra-mbedtls_ecp_group_free
Remove extra mbedtls_ecp_group_free()
2019-09-10 18:51:43 +01:00
Jaeden Amero
9298dca14d
Merge pull request #185 from gilles-peskine-arm/harvard-md
Remove method dispatch from md
2019-09-10 18:38:39 +01:00
Alexander K
56a74cdcc9 Replace 0 by MBEDTLS_ECP_DP_NONE to avoid IAR compiler complains 2019-09-10 17:58:20 +03:00
Ron Eldor
296eca6e76 Fix a buffer overflow in hmac_setup_internal
At the end of `psa_hmac_setup_internal()`, the ipad is cleared.
However, the size that was given to clear was `key_len` which is larger
than the size of `ipad`.
2019-09-10 15:21:37 +03:00
Jaeden Amero
92348d1c49 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (77 commits)
  all.sh: disable MEMORY_BUFFER_ALLOC in cmake asan build
  Unify gcc and clang cmake flags to test with UBsan
  Add an input check in psa_its_set
  Remove storage errors from psa_generate_random
  Update getting_started.md
  Update based on Jaeden's comments.
  Update getting_started.md
  Fix return code warnings
  Update getting_started.md
  Fix warnings
  Add PSA_ERROR_STORAGE_FAILURE to psa_cipher_generate_iv
  Remove errorneous insert
  Add STORAGE_FAILURE everywhere + add missing codes
  Add storage failure to psa_mac_verify_finish
  Add storage failure to psa_mac_sign_finish
  Add PSA_ERROR_STORAGE_FAILURE to psa_aead_*_setup functions
  Added PSA_ERROR_BAD_STATE to functions with operations
  Added extra bad state case to psa_hash_setup
  Add missing return codes to psa_generate_key
  Add PSA_ERROR_BUFFER_TOO_SMALL to psa_mac_compute
  ...
2019-09-06 08:56:21 +01:00
Alexander K
77233ec411 Fix misprint 2019-09-05 21:37:39 +03:00
Jaeden Amero
595643c514
Merge pull request #222 from jainvikas8/zeroize-check
Check for zero length and NULL buffer pointer.
2019-09-05 17:35:40 +01:00
Jaeden Amero
c12cb5236b
Merge pull request #239 from AndrzejKurek/psa-its-file-fixes
Remove a potential call to fwrite with null buffer. Add UBsan testing
2019-09-05 16:40:08 +01:00
Jaeden Amero
826907736f Merge remote-tracking branch 'origin/pr/2623' into development
* origin/pr/2623:
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 14:43:46 +01:00
Andrzej Kurek
dc22d8d022 Add an input check in psa_its_set 2019-09-05 09:34:34 -04:00
Darryl Green
5e843fa133 Use safer deterministic function in psa_ecdsa_sign 2019-09-05 14:06:34 +01:00
Janos Follath
896a294211 Correct deterministic ECDSA behavior
We were still reusing the internal HMAC-DRBG of the deterministic ECDSA
for blinding. This meant that with cryptographically low likelyhood the
result was not the same signature as the one the deterministic ECDSA
algorithm has to produce (however it is still a valid ECDSA signature).

To correct this we seed a second HMAC-DRBG with the same seed to restore
correct behavior. We also apply a label to avoid reusing the bits of the
ephemeral key for a different purpose and reduce the chance that they
leak.

This workaround can't be implemented in the restartable case without
penalising the case where external RNG is available or completely
defeating the purpose of the restartable feature, therefore in this case
the small chance of incorrect behavior remains.
2019-09-05 11:18:58 +01:00
Janos Follath
e65e0597a8 Deprecate the old deterministic ECDSA function
The current interface does not allow passing an RNG, which is needed for
blinding. Using the scheme's internal HMAC-DRBG results the same
blinding values for the same key and message, diminishing the
effectiveness of the countermeasure. A new function
`mbedtls_ecdsa_det_ext` is available to address this problem.
2019-09-05 11:18:58 +01:00
Janos Follath
dca667ac80 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-09-05 11:18:58 +01:00
Jaeden Amero
c04305f036 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (863 commits)
  crypto_platform: Fix typo
  des: Reduce number of self-test iterations
  Fix -O0 build for Aarch64 bignum multiplication.
  Make GNUC-compatible compilers use the right mbedtls_t_udbl again on Aarch64 builds.
  Add optimized bignum multiplication for Aarch64.
  Enable 64-bit limbs for all Aarch64 builds.
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
  psa: Use application key ID where necessary
  psa: Adapt set_key_id() for when owner is included
  psa: Add PSA_KEY_ID_INIT
  psa: Don't duplicate policy initializer
  crypto_extra: Use const seed for entropy injection
  getting_started: Update for PSA Crypto API 1.0b3
  Editorial fixes.
  Cross reference 'key handles' from INVALID_HANDLE
  Update documentation for psa_destroy_key
  Update documentation for psa_close_key
  Update psa_open_key documentation
  Remove duplicated information in psa_open_key
  Initialize key bits to max size + 1 in psa_import_key
  ...
2019-09-05 11:11:38 +01:00
Jaeden Amero
8096969905
Merge pull request #139 from Patater/des-faster-and-typo-fix
Make DES self-test faster, and fix a typo
2019-09-04 12:18:39 +01:00
Vikas Katariya
52fa174a5a Check for zero length and NULL buffer pointer.
In reference to issue https://github.com/ARMmbed/mbed-crypto/issues/49
2019-09-04 11:31:35 +01:00
Jaeden Amero
f66e7ea7f3
Merge pull request #178 from mpg/sha512-smaller
New config.h option to make SHA-512 smaller
2019-09-04 10:19:28 +01:00
Jaeden Amero
355b4b0c25 des: Reduce number of self-test iterations
Tiny slow processors take a long time to go through 10,000 iterations.
Try with 100 iterations instead.

Fixes https://github.com/ARMmbed/mbedtls/issues/807
2019-09-04 10:11:45 +01:00
Jaeden Amero
3d7005f851 Merge remote-tracking branch 'tls/pr/2363' into development
* origin/pr/2363:
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
2019-09-03 19:32:45 +01:00
Jaeden Amero
822b8f65bd
Merge pull request #238 from hanno-arm/hmac_drbg_entropy_incompatibility_fix-crypto
HMAC DRBG: Split entropy-gathering requests to reduce request sizes
2019-08-30 12:15:16 +01:00
Hanno Becker
a823d4c7f0 HMAC DRBG: Split entropy-gathering requests to reduce request sizes
According to SP800-90A, the DRBG seeding process should use a nonce
of length `security_strength / 2` bits as part of the DRBG seed. It
further notes that this nonce may be drawn from the same source of
entropy that is used for the first `security_strength` bits of the
DRBG seed. The present HMAC DRBG implementation does that, requesting
`security_strength * 3 / 2` bits of entropy from the configured entropy
source in total to form the initial part of the DRBG seed.

However, some entropy sources may have thresholds in terms of how much
entropy they can provide in a single call to their entropy gathering
function which may be exceeded by the present HMAC DRBG implementation
even if the threshold is not smaller than `security_strength` bits.
Specifically, this is the case for our own entropy module implementation
which only allows requesting at most 32 Bytes of entropy at a time
in configurations disabling SHA-512, and this leads to runtime failure
of HMAC DRBG when used with Mbed Crypto' own entropy callbacks in such
configurations.

This commit fixes this by splitting the seed entropy acquisition into
two calls, one requesting `security_strength` bits first, and another
one requesting `security_strength / 2` bits for the nonce.

Fixes #237.
2019-08-30 11:16:24 +01:00
Jaeden Amero
f0716542c4
Merge pull request #140 from yanesca/everest_integration
Everest integration
2019-08-29 16:02:49 +01:00
Jaeden Amero
98d5685b70
Merge pull request #232 from Patater/psa-crypto-api-1.0b3
Make fixes related to using Mbed Crypto as a service
2019-08-29 13:50:10 +01:00
Jaeden Amero
21db2a94a4
Merge pull request #229 from k-stachowiak/IOTCRYPT-791-remove-legacy-psa-key-derivation
Remove legacy psa key derivation
2019-08-29 11:31:23 +01:00
Jaeden Amero
6fa62a5b8f psa: Use application key ID where necessary
Avoid compiler errors when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
is set by using the application ID type.

    [Error] psa_crypto_slot_management.c@175,9: used type 'psa_key_id_t' (aka 'psa_key_file_id_t') where arithmetic or pointer type is required
2019-08-28 17:24:27 +01:00
Jaeden Amero
932e496ef5
Merge pull request #224 from tempesta-tech/development
Remove unused TG variable in mbedtls_mpi_gcd()
2019-08-27 12:05:21 +01:00
Jaeden Amero
85c78b48a9
Merge pull request #225 from RonEld/iotssl_2739
Remove a redundant function call
2019-08-23 17:43:58 +01:00
Darryl Green
0892d0fbbf Initialize key bits to max size + 1 in psa_import_key
In psa_import_key, the key bits value was uninitialized before
calling the secure element driver import function. There is a
potential issue if the driver returns PSA_SUCCESS without setting
the key bits. This shouldn't happen, but shouldn't be discounted
either, so we initialize the key bits to an invalid issue.
2019-08-21 16:56:16 +01:00
Darryl Green
572a16e694 Merge branch 'psa-api-1.0-beta' into api-to-development 2019-08-21 10:31:12 +01:00
Christoph M. Wintersteiger
c25df6848b Fix code style 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
2c69d10bac 3rdparty: Adjust use of Everest in ecp_supported_curves 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
bfc8eb2b78 Revert "ECDH: Fix memory leaks due to context re-initialization"
This reverts commit 2340f03c597b923c0f427c76b4c3d2cd11638410.
2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
d8c45d5550 Revert "ECDH: Fix context initialization"
This reverts commit 4a43d14146220e8550d6ad87cb798f74ce9ee209.
2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
30bc9cebda ECDH: Fix context initialization 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
2f563e3482 ECDH: Fix memory leaks due to context re-initialization 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
2be66d44a5 ECDH: Remove duplicate lines of code 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
cb31073e1c ECP: add Curve448 to ecp_supported_curves 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
4061f04acd ECDH: Remove unnecessary #include 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
2d4725f204 3rdparty: Rename THIRDPARTY_OBJECTS 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
3ff60bcf1a ECDH/ECDSA: Fix indentation 2019-08-19 13:37:46 +01:00
Gilles Peskine
20b3ef3cad Add mbedtls_ecdh_can_do
All curves can currently do ECDH, but to make the API symmetric and
future-proof, add mbedtls_ecdh_can_do() to go with mbedtls_ecdsa_can_do().
2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
6ea2dea1c5 3rdparty: Add additional build facilities for 3rd-party code 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
ea24394c03 ECDH: Fix whitespace and permission problems 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
0082f9df6f ECDSA: Add mbedtls_ecdsa_can_do 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
62dddd08fd Add new 3rdparty build scripts 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
2e724a18a1 ECDH: Fix Everest ECDH side type 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
24fbceff50 ECDH: Everest: Remove unnecessary file 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
34811a8db2 ECDH: Use LOCAL_CFLAGS instead of CFLAGS 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
c3cbddecb5 ECDH: Fix whitespace, permissions 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
4936beb513 ECDH: Clean up the interface to Everest code 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
86e36c4c2b ECDH: Replace hex literal with decimal in ecp.c 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
fba94e9726 ECDH: Fix error code in mbedtls_ecdsa_sign 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
78c9c461cf ECDH: Fix typo in ecdh.c 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
c9f737b4ba ECDH: Enable Everest Curve25519 in ECDH/ECDSA/ECP 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
d5fd766c49 ECDH: Include Everest Curve25519 in build scripts 2019-08-19 13:36:44 +01:00
Ron Eldor
c95d9eedbf Remove a redundant function call
Remove a call to `mbedtls_mpi_bitlen()` since the returned value is
overwritten in the line after. This is redundant since da31fa137a.
Fixes #2377.
2019-08-18 17:24:09 +03:00
Alexander K
e8ad49f069 Remove unused TG variable in mbedtls_mpi_gcd() 2019-08-16 16:16:07 +03:00
Alexander K
79a11fa0d6 Explicitly nullify grp->id instead of freeing. 2019-08-16 16:10:34 +03:00
Jaeden Amero
89e7655691 Merge remote-tracking branch 'crypto/pr/212' into development
* crypto/pr/212: (337 commits)
  Make TODO comments consistent
  Fix PSA tests
  Fix psa_generate_random for >1024 bytes
  Add tests to generate more random than MBEDTLS_CTR_DRBG_MAX_REQUEST
  Fix double free in psa_generate_key when psa_generate_random fails
  Fix copypasta in test data
  Avoid a lowercase letter in a macro name
  Correct some comments
  Fix PSA init/deinit in mbedtls_xxx tests when using PSA
  Make psa_calculate_key_bits return psa_key_bits_t
  Adjust secure element code to the new ITS interface
  More refactoring: consolidate attribute validation
  Fix policy validity check on key creation.
  Add test function for import with a bad policy
  Test key creation with an invalid type (0 and nonzero)
  Remove "allocated" flag from key slots
  Take advantage of psa_core_key_attributes_t internally #2
  Store the key size in the slot in memory
  Take advantage of psa_core_key_attributes_t internally: key loading
  Switch storage functions over to psa_core_key_attributes_t
  ...
2019-08-16 11:02:31 +01:00
Jaeden Amero
9d20e1f2c4 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following actions:
- Reject changes to ChangeLog, as Mbed Crypto doesn't have one
- Reject changes to tests/compat.sh, as Mbed Crypto doesn't have it
- Reject changes to programs/fuzz/onefile.c, as Mbed Crypto doesn't have
  it
- Resolve minor whitespace differences in library/ecdsa.c by taking the
  version from Mbed TLS upstream.

* origin/development:
  Honor MBEDTLS_CONFIG_FILE in fuzz tests
  Test that a shared library build produces a dynamically linked executable
  Test that the shared library build with CMake works
  Add a test of MBEDTLS_CONFIG_FILE
  Exclude DTLS 1.2 only with older OpenSSL
  Document the rationale for the armel build
  Switch armel build to -Os
  Add a build on ARMv5TE in ARM mode
  Add changelog entry for ARM assembly fix
  bn_mul.h: require at least ARMv6 to enable the ARM DSP code
  Adapt ChangeLog
  ECP restart: Don't calculate address of sub ctx if ctx is NULL
2019-08-15 15:49:46 +01:00
Gilles Peskine
1435767d2a Merge remote-tracking branch 'upstream-public/pr/2753' into development 2019-08-14 16:00:11 +02:00
Gilles Peskine
0ed1df6206
Merge pull request #184 from hanno-arm/ecp_restartable_offset
Fix fragile method for passing from ECDSA to ECP restart contexts
2019-08-14 15:40:08 +02:00
k-stachowiak
012dcc4b87 Remove PSA_PRE_1_0_KEY_DERIVATION and the corresponding code 2019-08-13 18:42:40 +02:00
k-stachowiak
0b74cf85ea Remove psa_key_derivation() and associated static functions 2019-08-13 18:42:27 +02:00
Gilles Peskine
c9d7f94a65 Add issue numbers for some missing parts of secure element support 2019-08-13 16:17:16 +02:00
Gilles Peskine
4b7f340fbf Clean up status code handling inside psa_destroy_key
Adopt a simple method for tracking whether there was a failure: each
fallible operation sets overall_status, unless overall_status is
already non-successful. Thus in case of multiple failures, the
function always reports whatever failed first. This may not always be
the right thing, but it's simple.

This revealed a bug whereby if the only failure was the call to
psa_destroy_se_key(), i.e. if the driver reported a failure or if the
driver lacked support for destroying keys, psa_destroy_key() would
ignore that failure.

For a key in a secure element, if creating a transaction file fails,
don't touch storage, but close the key in memory. This may not be
right, but it's no wronger than it was before. Tracked in
https://github.com/ARMmbed/mbed-crypto/issues/215
2019-08-13 15:58:36 +02:00
Gilles Peskine
9ce31c466d Note about destroying a key with other open handles
https://github.com/ARMmbed/mbed-crypto/issues/214
2019-08-13 15:14:20 +02:00
Gilles Peskine
caec27821f SE keys: make psa_destroy_key remove the key from storage 2019-08-13 15:11:49 +02:00
Gilles Peskine
3f7cd62ff5 Document better what wiping a key slot does not do
When a key slot is wiped, a copy of the key material may remain in
operations. This is undesirable, but does not violate the safety of
the code. Tracked in https://github.com/ARMmbed/mbed-crypto/issues/86
2019-08-13 15:01:08 +02:00
Janos Follath
1d57a20cbe Make TODO comments consistent 2019-08-13 12:15:34 +01:00
Gilles Peskine
edc6424d77 SE driver support: Implement sign and verify hooks 2019-08-09 16:43:35 +02:00
Gilles Peskine
11792086cc SE keys: implement and smoke-test p_generate 2019-08-09 16:43:35 +02:00
Gilles Peskine
f3801fff77 Update import_key and generate_key SE methods to the current API
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.

Update parameter names and descriptions to follow general conventions.

Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).

Update the implementation and the tests accordingly.
2019-08-09 16:43:35 +02:00
Gilles Peskine
a5f8749812 SE key registration: call p_validate_slot_number
When registering a key in a secure element, if the driver has a
p_validate_slot_number method, call it.
2019-08-09 15:05:32 +02:00
Gilles Peskine
d772958ffc New function mbedtls_psa_register_se_key
Register an existing key in a secure element.

Minimal implementation that doesn't call any driver method and just
lets the application declare whatever it wants.
2019-08-09 15:05:21 +02:00
Gilles Peskine
e88c2c1338 Pass the key creation method to drivers
Pass the key creation method (import/generate/derive/copy) to the
driver methods to allocate or validate a slot number. This allows
drivers to enforce policies such as "this key slot can only be used
for keys generated inside the secure element".
2019-08-09 14:59:31 +02:00
Gilles Peskine
df17914e01 psa_start_key_creation: take the method as a parameter
Let psa_start_key_creation know what type of key creation this is. This
will be used at least for key registration in a secure element, which
is a peculiar kind of creation since it uses existing key material.
2019-08-09 14:54:03 +02:00
Gilles Peskine
059d9d3fc5
Merge pull request #182 from gilles-peskine-arm/ecp-factorize-reduction
Replace some macros by functions in ecp
2019-08-08 19:16:27 +02:00
Janos Follath
8aa7e9bc56 Merge branch 'psa-api-1.0-beta' into merge-psa-api-branch-into-development 2019-08-08 14:40:23 +01:00
Gilles Peskine
46d9439a5e Support slot_number attribute when creating a key
Allow the application to choose the slot number in a secure element,
rather than always letting the driver choose.

With this commit, any application may request any slot. In an
implementation with isolation, it's up to the service to filter key
creation requests and apply policies to limit which applications can
request which slot.
2019-08-08 11:02:30 +02:00
Gilles Peskine
edbed5670a Rename psa_internal_allocate_key_slot to psa_get_empty_key_slot
This function no longer modifies anything, so it doesn't actually
allocate the slot. Now, it just returns the empty key slot, and it's
up to the caller to cause the slot to be in use (or not).
2019-08-08 10:58:09 +02:00
Gilles Peskine
094dac1d12 Fix copypasta 2019-08-08 10:58:09 +02:00
Gilles Peskine
013f5474cf Fix erasure of external flags
This didn't break anything now, but would have broken things once we
start to add internal flags.
2019-08-08 10:58:09 +02:00
Gilles Peskine
5a68056755 Rename internal macro to pass check-names.sh
check-names.sh rejects MBEDTLS_XXX identifiers that are not defined in
a public header.
2019-08-08 10:58:09 +02:00
Gilles Peskine
c8000c005a Add slot_number attribute
Add a slot_number field to psa_key_attributes_t and getter/setter
functions. Since slot numbers can have the value 0, indicate the
presence of the field via a separate flag.

In psa_get_key_attributes(), report the slot number if the key is in a
secure element.

When creating a key, for now, applications cannot choose a slot
number. A subsequent commit will add this capability in the secure
element HAL.
2019-08-08 10:58:09 +02:00
Gilles Peskine
74f3352b05 Add missing guard around a union field 2019-08-08 10:58:09 +02:00
Gilles Peskine
91e8c33f48 Add infrastructure for key attribute flags
Add infrastructure for internal, external and dual-use flags, with a
compile-time check (if static_assert is available) to ensure that the
same numerical value doesn't get declared for two different purposes
in crypto_struct.h (external or dual-use) and
psa_crypto_core.h (internal).
2019-08-08 10:58:09 +02:00
Gilles Peskine
0c77b0e2f9
Merge pull request #198 from gilles-peskine-arm/psa-api-1.0-beta-merge_development_20190801
Merge mbed-crypto/development into psa-api-1.0-beta
2019-08-08 10:24:53 +02:00
Alexander K
1f5e6abfb9 Remove extra mbedtls_ecp_group_free() call since the grp is free
at the top of the function.
2019-08-07 20:40:46 +03:00
Gilles Peskine
f181eca350 Fix psa_generate_random for >1024 bytes
mbedtls_ctr_drbg_random can only return up to
MBEDTLS_CTR_DRBG_MAX_REQUEST (normally 1024) bytes at a time. So if
more than that is requested, call mbedtls_ctr_drbg_random in a loop.
2019-08-07 13:49:00 +02:00
Gilles Peskine
a6b2f60b4c Fix double free in psa_generate_key when psa_generate_random fails
When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but a the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7221
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix #207
2019-08-07 13:43:09 +02:00
Gilles Peskine
1b9505c451 Correct some comments 2019-08-07 10:59:45 +02:00
Gilles Peskine
01655daeee
Merge pull request #2417 from RonEld/2734
Update soon to be expired crl
2019-08-03 13:38:14 +02:00
Vikas Katariya
21599b6622 Return right error code.
Issue : 126
https://github.com/ARMmbed/mbed-crypto/issues/126

PSA_ERROR_BUFFER_TOO_SMALL error returned when we check for output_size.
2019-08-02 13:01:58 +01:00
Gilles Peskine
8908c5e81c Make psa_calculate_key_bits return psa_key_bits_t
This is cleaner and solves a complaint from MSVC about truncation from
size_t to psa_key_bits_t.
2019-07-31 18:55:00 +02:00
Gilles Peskine
8b66389d0d Adjust secure element code to the new ITS interface 2019-07-31 17:57:57 +02:00
Gilles Peskine
72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00