Commit graph

12944 commits

Author SHA1 Message Date
Gilles Peskine
84b9f1b039 mbedtls_ecp_write_key_ext(): migrate internally
Stop using mbedtls_ecp_write_key() except to test it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-28 13:19:42 +01:00
Gilles Peskine
e3fb4ccabf mbedtls_ecp_write_key_ext(): new function
Same as mbedtls_ecp_write_key(), but doesn't require the caller to figure out
the length of the output and possibly distinguish between Weierstrass and
Montgomery curves.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-28 13:19:42 +01:00
Manuel Pégourié-Gonnard
7f523bf9eb
Merge pull request #8845 from gilles-peskine-arm/ecp-write-doc-3.6
Document ECP write functions
2024-02-28 11:04:38 +00:00
Dave Rodgman
09e6fb42eb
Merge pull request #8865 from daverodgman/iar-fixes-feb27
Add missing casts to fix IAR warnings
2024-02-27 14:41:53 +00:00
Manuel Pégourié-Gonnard
5b5faf0898
Merge pull request #8844 from davidhorstmann-arm/restore-x509-functions-to-public
Restore some X509 functions to public headers
2024-02-27 10:55:16 +00:00
Dave Rodgman
6a3da2d5ed Add missing casts
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2024-02-27 10:41:53 +00:00
Gilles Peskine
e22f6a9610 Finish cleaning up override that's no longer needed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 16:57:31 +01:00
Gilles Peskine
97c0b2f393 Remove domain parameters from psa_key_attributes_t
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 16:57:30 +01:00
David Horstmann
ef950ccb1d Un-unrestore mbedtls_x509_string_to_names()
Re-restore mbedtls_x509_string_to_names() to public as our example
programs use it, and it is the reverse of mbedtls_x509_dn_gets().

Add a docstring, so that it is a properly documented public function.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-02-26 13:59:43 +00:00
Gilles Peskine
ae5eb64705 Remove domain parameters from the public API
Only leave deprecated, minimal non-linkable functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 08:50:53 +01:00
Gilles Peskine
bb6f3ff394 Rename variables
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 08:50:53 +01:00
Gilles Peskine
4c32b69f37 Ignore domain parameters in RSA key generation
Remove the ability to select a custom public exponent via domain parameters
in RSA key generation. The only way to select a custom public exponent is
now to pass custom production parameters to psa_generate_key_ext().

A subsequent commit will remove domain parameters altogether from the API,
thus this commit does not bother to update the documentation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 08:50:38 +01:00
Gilles Peskine
0f63028809
Merge pull request #8815 from gilles-peskine-arm/psa_generate_key_ext-prototype
Introduce psa_generate_key_ext
2024-02-26 07:16:49 +00:00
Paul Elliott
665cf928d9
Merge pull request #8856 from Ryan-Everett-arm/threadsafe-openkey
Make psa_open_key threadsafe
2024-02-24 10:29:57 +00:00
Paul Elliott
5a4a6e44ef
Merge pull request #8833 from Ryan-Everett-arm/threadsafe-multiparts
Make multi-part operations thread-safe
2024-02-24 10:29:20 +00:00
Tom Cosgrove
817772a6ca
Merge pull request #8716 from mschulz-at-hilscher/feature/gcm_largetable
Use large GCM tables
2024-02-23 16:25:38 +00:00
Ryan Everett
e110a4c900 Make psa_open_key threadsafe
This is a simple case of register then unregister

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:43:24 +00:00
Ryan Everett
9af70e51c1 Make multi-part AEAD operations thread-safe
The setup calls are the only calls to use a key ID.
The key is then copied into the operation object,
all future API calls use the copy instead of the key in the slot.

Simultaneous API calls on the same operation object are not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
bbedfcec2e Make multi-part PAKE operations thread-safe
The only interaction with key IDs here is in the changed function.

Simultaneous API calls on the same operation object are not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
5ac6fa7aae Make multi-part key derivation operations thread-safe
One can input a key using a key identifier through the two changed functions.
Inputted keys are copied into the operation object.
Any material inputted in byte form is separate to the key slot system.
Outputting a key is threadsafe as per the key loading work.
The verification API is yet to be implemented.

Simultaneous API calls on the same operation object are not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
c0053cc499 Make multi-part cipher operations thread-safe
Within setup we create a copy of the key and put it in the operation field.
After setup, we only ever use the new copy,
and do not interact with any key slots.
Therefore we need only register as a reader of the key during setup,
then unregister after we stop accessing the key.

Simultaneous API calls on the same operation object are not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
291267f486 Make restartable signature verifications thread-safe
We copy the key from a slot to the operation object in _start.
_complete and _abort do not access any key slots, instead using
the local copy.

Concurrently using the same operation object is not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
dcc03d552d Make restartable signature operations thread-safe
We copy the key from a slot to the operation object in _start.
_complete and _abort do not access any key slots, instead using
the local copy.

Concurrently using the same operation object is not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Ryan Everett
fb9857ff9e Make multi-part MAC operations thread-safe
Within setup we create a copy of the key and put it in the operation field.
After setup, we only ever use the new copy - and do not interact with any key slots.
Therefore we need only register as a reader of the key during setup,
then unregister after we stop accessing the key.

Simultaneous API calls on the same operation object are not thread-safe.

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-22 10:27:52 +00:00
Gilles Peskine
0aab69d2eb
Merge pull request #8807 from gilles-peskine-arm/pk_import_into_psa-implement_import
Implement mbedtls_pk_import_into_psa
2024-02-21 15:45:17 +00:00
Paul Elliott
d237190f04
Merge pull request #8773 from Ryan-Everett-arm/threadsafe-key-locking
Make key locking and one-shot operations thread safe
2024-02-21 13:55:12 +00:00
Gilles Peskine
dd49c739f0 Merge remote-tracking branch 'development' into pk_import_into_psa-implement_import
Conflicts:
* tests/suites/test_suite_pk.function: consecutive changes to the
  depends_on line of pk_sign_verify and its argument list.
2024-02-21 12:10:40 +01:00
David Horstmann
946491360b Unrestore mbedtls_x509_string_to_names()
This function should be internal, being exposed only via functions like
mbedtls_x509write_crt_set_subject_name().

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-02-21 10:35:33 +00:00
Manuel Pégourié-Gonnard
0ecb5fd6f5
Merge pull request #8574 from ronald-cron-arm/ssl-tickets
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
2024-02-21 09:38:46 +00:00
Ryan Everett
93cea578b9 Clarify which unregister operation needs to be used
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-20 18:01:29 +00:00
Gilles Peskine
092ce51c47 Rename "key generation method" to "key production parameters"
"Key generation method" was misleading since it also applies to key
derivation. Change "key generation" to "key production", which we aren't
using yet and has roughly the right intuition. Change "method" to
"parameters" which there seems to be a slight preference for. Discussion
thread: https://github.com/Mbed-TLS/mbedtls/pull/8815#discussion_r1486524295

Identifiers renamed:
psa_key_generation_method_t → psa_key_production_parameters_t
psa_key_generation_method_s → psa_key_production_parameters_s
PSA_KEY_GENERATION_METHOD_INIT → PSA_KEY_PRODUCTION_PARAMETERS_INIT
method → params
method_data_length → params_data_length
default_method → default_production_parameters
psa_key_generation_method_is_default → psa_key_production_parameters_are_default
setup_key_generation_method → setup_key_production_parameters
key_generation_method_init → key_production_parameters_init

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-20 16:18:13 +01:00
Manuel Pégourié-Gonnard
fc3f980f0f
Merge pull request #8826 from valeriosetti/issue8824
RSA keys set to PSS/OAEP padding perform PKCS1v1.5 when MBEDTLS_USE_PSA_CRYPTO is enabled
2024-02-20 14:08:41 +00:00
Manuel Pégourié-Gonnard
a7f651cf16
Merge pull request #8804 from valeriosetti/issue8799
mbedtls_rsa_parse_key and mbedtls_rsa_parse_pubkey accept trailing garbage
2024-02-20 11:58:52 +00:00
Valerio Setti
7e1596d24c rsa: remove leftovers from mbedtls_rsa_parse_[pub]key()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-20 10:23:49 +01:00
Valerio Setti
02f30230c4 pem: zeroize the entire buffer in case of errors in mbedtls_pem_read_buffer()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-20 10:22:36 +01:00
Valerio Setti
e88a1c5b85 pem: fix return values in pem_check_pkcs_padding()
Return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH instead of
MBEDTLS_ERR_PEM_BAD_INPUT_DATA in case of errors.
This commit also fix related failures in test pkparse and
pem test suites.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 15:09:41 +01:00
Gilles Peskine
5bb04e03ac mbedtls_ecp_write_key: no FEATURE_UNAVAILABLE error
When exporting a key, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE should not happen.
This error indicates that the curve is not supported, but that would prevent
the creation of the key.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-19 13:24:41 +01:00
David Horstmann
762f9f9cbb Restore X509 functions erroneously made private
Restore the following functions to public headers:
* mbedtls_x509_dn_get_next()
* mbedtls_x509_serial_gets()
* mbedtls_x509_time_cmp()
* mbedtls_x509_time_gmtime()
* mbedtls_x509_time_is_past()
* mbedtls_x509_time_is_future()
* mbedtls_x509_parse_subject_alt_name()
* mbedtls_x509_free_subject_alt_name()

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-02-19 11:07:50 +00:00
Valerio Setti
4cc6522a85 pem: do not parse ASN1 data after decryption (removes ASN1 dependency)
Now that we have padding verification after decryption and since
this can be used to validate the password as well there is no
need to parse ASN1 content any more, so we can simplify/remove
that dependency.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 15:26:12 +01:00
Valerio Setti
8aff4ef274 test_suite_pem: add more test cases for invalid padding data
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 15:26:08 +01:00
Valerio Setti
0f286d5453 pem: reject empty PEM contents
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 14:30:58 +01:00
Gilles Peskine
83b8baf899 mbedtls_pk_import_into_psa: fix Montgomery keys in the legacy case
Fix the workaround for the weirdness of mbedtls_ecp_write_key(), which
assumed a Weierstrass key.

This fixes the Montgomery private key parse tests in test_suite_pkparse.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 17:26:07 +01:00
Valerio Setti
93ecbef6a8 pk_wrap: set proper PSA algin rsa wrappers based on padding mode set in RSA context
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-15 15:52:05 +01:00
Gilles Peskine
69f11c8dfb generate key ext: skip driver invocation with non-default method
In the driver wrapper for psa_generate_key() and psa_generate_key_ext():

* Invoke the built-in code if using a non-default method, even if there
  might be an accelerator. This is ok because we only support non-default
  methods for RSA and we don't support driver-only RSA, therefore a
  non-default method will always have built-in code behind it.
* Return NOT_SUPPORTED if trying to use a non-default method with an opaque
  driver.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:57:48 +01:00
Gilles Peskine
c81393b2ed generate/derive key ext: pass method_data_length rather than method_length
Instead of passing the size of the whole structure, just pass the data
length and let the implementation worry about adding the size of the
structure. The intent with passing the structure size was to allow
the client code in a client-server implementation to know nothing
about the structure and just copy the bytes to the server. But that was not
really a useful consideration since the application has to know the
structure layout, so it has to be available in the client implementation's
headers. Passing the method data length makes life simpler for everyone by
not having to worry about possible padding at the end of the structure, and
removes a potential error condition
(method_length < sizeof(psa_key_generation_method_t)).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:57:48 +01:00
Gilles Peskine
7a18f9645c psa_generate_key_ext: RSA: support custom public exponent
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:57:46 +01:00
Gilles Peskine
f0765fa06a Implement psa_generate_key_ext, psa_key_derivation_output_key_ext
Implement and unit-test the new functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext(), only for the default method.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:19:27 +01:00
Ryan Everett
73feaf2682 Comment on locking strategy in psa_fail_key_creation
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-14 14:19:54 +00:00
Ryan Everett
3d8118d9dc Revert psa_reserve_free_key_slot changes, lock in start_key_creation instead
This means we can hold the mutex around the call to reserve_free_key_slot
in get_and_lock_key_slot, avoiding inefficient rework.
(Changes to get_and_lock_key_slot are not in scope in this PR)

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-14 14:19:54 +00:00
Ryan Everett
b71014406c Make psa_fail_key_creation thread safe
Hold the mutex for the entirety of the call.
We need the mutex for the wipe, also hold it for aborting driver transactions as this
may have side effects.
We can't use the macros here as this function returns void.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-02-14 14:19:54 +00:00