Commit graph

15983 commits

Author SHA1 Message Date
Gilles Peskine
7888073147 mbedtls_ecp_gen_privkey_sw: range and coverage tests
Add unit tests for private key generation on short Weierstrass curves.
These tests validate that the result is within the desired range.
Additionally, they validate that after performing many iterations, the
range is covered to an acceptable extent: for tiny ranges, all values
must be reached; for larger ranges, all value bits must reach both 0
and 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
61f1f5febf mbedtls_ecp_gen_privkey_mx: simplify the size calculation logic
mbedtls_ecp_gen_privkey_mx generates a random number with a certain
top bit set. Depending on the size, it would either generate a number
with that top bit being random, then forcibly set the top bit to
1 (when high_bit is not a multiple of 8); or generate a number with
that top bit being 0, then set the top bit to 1 (when high_bit is a
multiple of 8). Change it to always generate the top bit randomly
first.

This doesn't make any difference in practice: the probability
distribution is the same either way, and no supported or plausible
curve has a size of the form 8n+1 anyway. But it slightly simplifies
reasoning about the behavior of this function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
67986d0613 mbedtls_ecp_gen_privkey_mx: make bit manipulations unconditional
Don't calculate the bit-size of the initially generated random number.
This is not necessary to reach the desired distribution of private
keys, and creates a (tiny) side channel opportunity.

This changes the way the result is derived from the random number, but
does not affect the resulting distribution.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
96449ceebe mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero
The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e3 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
6ff8a01a57 Add unit tests for mbedtls_ecp_gen_privkey_mx
Test the exact output from known RNG input. This is overly
constraining, but ensures that the code has good properties.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
ecacc3c9d2 Make the fallback behavior of mbedtls_test_rnd_buffer_rand optional
If a fallback is not explicitly configured in the
mbedtls_test_rnd_buf_info structure, fail after the buffer is
exhausted.

There is no intended behavior change in this commit: all existing uses
of mbedtls_test_rnd_buffer_rand() have been updated to set
mbedtls_test_rnd_std_rand as the fallback.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
0b1b0abe33 Update references in some test function documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
55c46040f6 mbedtls_ecp_gen_privkey_mx: rename n_bits to high_bit
For Montgomery keys, n_bits is actually the position of the highest
bit and not the number of bits, which would be 1 more (fence vs
posts). Rename the variable accordingly to lessen the confusion.

No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Gilles Peskine
72fcc98d23 mbedtls_ecp_gen_privkey: create subfunctions for each curve type
Put the Montgomery and short Weierstrass implementations of
mbedtls_ecp_gen_privkey into their own function which can be tested
independently, but will not be part of the public ABI/API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Gilles Peskine
cce0601485 mbedtls_ecp_gen_privkey: minor refactoring
Prepare to isolate the Montgomery and short Weierstrass
implementations of mbedtls_ecp_gen_privkey into their own function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Manuel Pégourié-Gonnard
84191eab06
Merge pull request #4315 from Kxuan/feat-pre-compute-tls
Static initialize comb table
2021-06-03 11:41:54 +02:00
kXuan
782c2b9f36
fix comment, ChangeLog & migration-guide for MBEDTLS_ECP_FIXED_POINT_OPTIM
Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-03 15:47:40 +08:00
Manuel Pégourié-Gonnard
1b1327cc0d
Merge pull request #4581 from TRodziewicz/remove_supp_for_extensions_in_pre-v3_X.509_certs
Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
2021-06-02 13:48:03 +02:00
Manuel Pégourié-Gonnard
df77624ab5
Merge pull request #4490 from TRodziewicz/Combine__SSL_<CID-TLS1_3>_PADDING_GRANULARITY_options
Combine _SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
2021-06-02 13:47:48 +02:00
Manuel Pégourié-Gonnard
1b3b27cbb0
Merge pull request #4587 from TRodziewicz/remove_3DES_ciphersuites
Remove 3DES ciphersuites
2021-06-02 11:01:42 +02:00
Ronald Cron
3dafa9bda8
Merge pull request #4555 from ronald-cron-arm/m-ccm-api
Define CCM multi-part API
2021-06-02 09:56:43 +02:00
Gilles Peskine
9f5c34cc88
Merge pull request #4596 from gilles-peskine-arm/nist_kw-null_dereference-3.0
Fix null pointer arithmetic in NIST_KW
2021-06-01 16:40:19 +02:00
Ronald Cron
e13d3083ee Add invalid context as a possible reason for _BAD_INPUT error code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 13:35:40 +02:00
Gilles Peskine
fe3069b7f1
Merge pull request #4585 from mpg/cipher-aead-delayed
Clarify multi-part AEAD calling sequence in Cipher module
2021-06-01 12:04:19 +02:00
Gilles Peskine
89ee599092 Fix null pointer arithmetic in error case
When mbedtls_nist_kw_wrap was called with output=NULL and out_size=0, it
performed arithmetic on the null pointer before detecting that the output
buffer is too small and returning an error code. This was unlikely to have
consequences on real-world hardware today, but it is undefined behavior and
UBSan with Clang 10 flagged it. So fix it (fix #4025).

Fix a similar-looking pattern in unwrap, though I haven't verified that it's
reachable there.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-01 11:22:56 +02:00
TRodziewicz
f059e74a22 Re-wording ChangeLog and reverting overzealous removal from config.h
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-01 11:17:07 +02:00
Manuel Pégourié-Gonnard
c01b87b820 Fix some typos
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-01 09:40:53 +02:00
Ronald Cron
542957d6b1 Add some API calling order documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:22:05 +02:00
Ronald Cron
f668bd18df Add migration guide for developers of CCM alternative implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:07:46 +02:00
Ronald Cron
7c41cd2a7a Split operation start and the declaration of data lengths
Split operation start and the declaration of data lengths
to better align with the PSA Cryptography multipart AEAD
APIs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:07:43 +02:00
Ronald Cron
b740a617ec Remove change log
Remove the change log as the changes in this PR only
affect CCM alternative implementation developers.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:51 +02:00
Ronald Cron
51584c6cdb Prefer ad to add as shorthand for additional/associated data
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:51 +02:00
Ronald Cron
ff92479f71 Wording improvement
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:51 +02:00
Ronald Cron
84cb8e0063 Add invalid mode as mbedtls_ccm_start() possible error
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:49 +02:00
Ronald Cron
b87fe016aa Remove buffer overlap considerations
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:20 +02:00
Ronald Cron
86e6c9f860 Improve expected context state for some APIs
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-01 09:05:02 +02:00
kXuan
22fc906d57
Add ChangeLog and migration guide for MBEDTLS_ECP_FIXED_POINT_OPTIM
Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-01 14:01:59 +08:00
kXuan
b2b3ec4f7a
add ecp_comb_table.py
ecp_comb_table.py generates comb table

Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-01 10:02:14 +08:00
kXuan
ba9cb76e9f
static initialize comb table
MBEDTLS_ECP_FIXED_POINT_OPTIM aims to speed up ecc multiplication performance.

We compute the comb table in runtime now. It is a costly operation.

This patch add a pre-computed table to initialize well-known curves. It speed up ECDSA signature verify process in runtime by using more ROM size.

Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-01 10:02:13 +08:00
Gilles Peskine
bbd617be5f Remove duplicated definition of ASSERT_ALLOC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-31 20:33:17 +02:00
Gilles Peskine
b2827693b5 Remove spurious dependencies on PEM
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-31 20:33:15 +02:00
TRodziewicz
231649a020 Changing the migration guide entry wording.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 13:12:16 +02:00
TRodziewicz
4e57f4cdfd Adding removed defines to check_config.h and fixing the migration guide entry.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 12:58:25 +02:00
Manuel Pégourié-Gonnard
6d84e917bb
Merge pull request #4568 from creiter32/to_upstream/csr_critical_extensions
Expose flag for critical extensions
2021-05-31 12:46:59 +02:00
Manuel Pégourié-Gonnard
ee57ebe553 Add ChangeLog and migration guide entries
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-31 12:25:01 +02:00
Manuel Pégourié-Gonnard
42eba1a274 Fix a typo
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-31 12:14:02 +02:00
TRodziewicz
3670e387dc Remove 3DES ciphersuites
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 12:11:53 +02:00
Manuel Pégourié-Gonnard
daae68d9b2
Merge pull request #4565 from mpg/fixup-changelog-4495-4286
Fix the "rm (D)TLS 1.0 1.1" ChangeLog entry
2021-05-31 11:37:04 +02:00
Manuel Pégourié-Gonnard
c42a0be00b Clarify calling sequence in the Cipher layer
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-31 11:13:35 +02:00
Ronald Cron
ea62d2f391
Merge pull request #4369 from hanno-arm/relax_psk_config
Implement relaxed semantics for static PSK configuration in Mbed TLS 3.0
2021-05-31 10:03:56 +02:00
TRodziewicz
dee975af7d Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
Remove define

Add ChangeLog file and migration guide entry

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-28 15:27:01 +02:00
Ronald Cron
f1eb425782
Merge pull request #4469 from xiaoxiang781216/padlock
aes: Check aes_padlock_ace > 0 before calling padlock
2021-05-28 11:06:40 +02:00
Hanno Becker
2bec09c113 Fix typo in migration guide
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-28 09:54:31 +01:00
Hanno Becker
934ab00f77 Minor improvement of ChangeLog wording
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-28 09:52:54 +01:00
Ronald Cron
c44a1d522a
Merge pull request #4507 from Venafi/userid-oid
Add OID for User ID
2021-05-28 10:43:41 +02:00