Commit graph

16250 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f8c24bf507 Fix signature of check_pub_priv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
75525aec52 Fix mbedtls_ecp_muladd()
It was indirectly calling ecp_mul() without an RNG. That's actually the
rare case where this should be allowed, as ecp_muladd() is typically
used on non-secret data (to verify signatures or ZKPs) and documented as
not being constant-time.

Refactor a bit in order to keep the ability to call ecp_mul() without a
RNG, but not exposed publicly (except though muladd).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
aa3ed6f987 Make RNG parameters mandatory in ECP functions
Fix trivial faulty calls in ECP test suite and ECP/ECJPAKE self-tests (by
adding a dummy RNG).

Several tests suites are not passing yet, as a couple of library
function do call ecp_mul() with a NULL RNG. The complexity of the fixes
range from "simple refactoring" to "requires API changes", so these will
be addressed in separate commits.

This makes the option MBEDTLS_ECP_NO_INTERNAL_RNG, as well as the whole
"internal RNG" code, obsolete. This will be addressed in a future
commit, after getting the test suites to pass again.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
7861ecf838 Make RNG parameters mandatory in ECDH functions
Again, no check in the code - will be checked by ECP

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
1a87722bb6 Make RNG parameters mandatory in DHM functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f035904060 Check for mandatory RNG parameters in RSA private
(This commit is best reviewed using `git show -b` as indentation levels
have changed.)

The documentation already states that the RNG parameter is mandatory,
since PRs #4488 and #4515. There are several families of functions to
consider here:

- private-key operations (sign, decrypt) all call
mbedtls_rsa_private() where this commit adds a non-NULL check;
- encrypt operations need an RNG for masking/padding and already had a
non-NULL check since #4515 (conditional on \p mode before that)
- verify operations no longer take an RNG parameter since #4515

So, after this commit, all RSA functions that accept an RNG will reach a
non-NULL check before the RNG is used.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
34d3756457 Make RNG parameters mandatory in PK functions
Again, no check here, will be checked by lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
c305b72ed1 Make RNG parameters mandatory in X.509 functions
Not adding a check in the code here, as this will be checked by the
lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
ad5390fc4f Clarify that RNG parameters are mandatory in SSL
No change here, these were already mandatory, it just wasn't explicit in
the documentation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
Manuel Pégourié-Gonnard
8cad2e22fc
Merge pull request #4595 from gilles-peskine-arm/alt-dummy-headers-3.0
Lighten and test constraints on context types in alternative implementations
2021-06-15 12:12:46 +02:00
TRodziewicz
28a4a963fc Corrections to the docs wording and changes to aux scripts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 00:18:32 +02:00
Gilles Peskine
e5702489f5 mbedtls_dhm_get_value parameter order: context first, output last
mbedtls_dhm_get_value can be seen as either a copy function or a getter
function. Given the name and the semantics, it's more of a getter, even if
it "gets" by doing a copy. Therefore, put the context first, and the
selector next, leaving the output for last.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
cadd3d860e Give examples of PLATFORM_XXX_ALT
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
bf26bef157 Discuss the durability of PSA drivers vs ALT when introducing them
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
a71db94c66 Document that contexts must be movable
Fix #4451.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
f35c42bdb9 Document the remaining constraints on ALT context types
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
1628a9c140 MBEDTLS_DEBUG_C is compatible with every whole-module ALT except DHM
It would be possible to make SSL debugging compatible with MBEDTLS_DHM_ALT,
but too much low-priority work right now, so don't require it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
5c3f18d37c MBEDTLS_PK_PARSE_EC_EXTENDED is incompatible with MBEDTLS_ECP_ALT
... unless the alt implementation defines a group structure that's mostly
compatible with the built-in one and supports partially filled group
structures in the same way.

It would be possible to rewrite the SpecifiedECDomain parsing code to avoid
requiring support for partially filled group structures, but that's too
complicated to do now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:13:02 +02:00
Gilles Peskine
ad7f53cdb3 Define public fields of mbedtls_ecp_group in alt test header
And don't define configuration macros that only apply to the built-in
implementation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
bf69ea5b8f Make some fields of mbedtls_ecp_group public
The Mbed TLS code relies heavily on reading certain fields of
mbedtls_ecp_group directly. Make these fields public. Require
that MBEDTLS_ECP_ALT alternative implementations have them.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
cd07e22048 New function mbedtls_ecjpake_set_point_format
Use this instead of accessing the field directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
71acc6e8d9 New function mbedtls_dhm_get_value to copy a field of a DHM context
Reduce the need to break the DHM abstraction by accessing the context directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
487bbf6805 DHM: new functions to query the length of the modulus
Add two functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen() to
query the length of the modulus in bytes or bits.

Remove the len field: the cost of calling mbedtls_dhm_get_len() each time
it's needed is negligible, and this improves the abstraction of the DHM
module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
85b1bc65a0 pk_debug: build with RSA_ALT implementations
When MBEDTLS_RSA_ALT is defined, mbedtls_rsa_context does not necessarily
have fields called N and E of type mbedtls_mpi. Don't emit pk_debug
information with MBEDTLS_RSA_ALT. This is not ideal but at least the
library compiles.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
d41d59e900 Timing: support ALT implementations in self-test
Don't assume that the context has a timer field if MBEDTLS_TIMING_ALT
is defined.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
cc73cc55e8 Test the build with whole-module alternative implementations
Use headers defining dummy context types.

The test does not pass yet. I plan to fix this in subsequent commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:18 +02:00
Gilles Peskine
8e90cf49ca config.py: new command line commands set-all and unset-all
The new method `Config.change_matching` and the new command-line
commands `set-all` and `unset-all` change a batch of existing boolean
settings to the desired state (active or inactive).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
a0ebaefef9 Create threading_alt.h header for testing
Follow-up to "Create xxx_alt.h headers for testing". The inclusion of
threading_alt.h in include/mbedtls/threading.h does not follow the
same pattern as the others so it was missed by the script.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
c5048db24c Create xxx_alt.h headers for testing
These headers define the context types that alternative implementations must
provide. The context types are dummy types, suitable for building but not
meant to be usable by an implementation.

This is the output of the following script:

```
perl -0777 -ne '
m@^#if !defined\((MBEDTLS_\w+_ALT)\).*\n((?:.*\n)*?)#else.*\n#include "(.*_alt\.h)"\n#endif@m or next;
$symbol = $1; $content = $2; $header = $3;
$header_symbol = $header; $header_symbol =~ y/a-z./A-Z_/;
m@/\*[ *\n]*Copyright .*?\*/@s or die; $copyright = $&;
open OUT, ">tests/include/alt-dummy/$header" or die;
$content =~ s@//.*@@mg;
$content =~ s@/\*.*?\*/@@sg;
$content =~ s@\{.*?\}@{\n    int dummy;\n}@sg;
$content =~ s@ +$@@mg;
$content =~ s@\n{3,}@\n\n@g; $content =~ s@\A\n+@@; $content =~ s@\n*\Z@\n@;
print OUT "/* $header with dummy types for $symbol */\n$copyright\n\n#ifndef $header_symbol\n#define $header_symbol\n\n$content\n\n#endif /* $header */\n" or die;
close OUT or die;
' include/mbedtls/*.h
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
a1b44dd808 Changelog entry for MBEDTLS_ECP_MAX_BITS automatic determination
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
814d0129ec Test calculated MBEDTLS_ECP_MAX_xxx constants in unit tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
601d34396c Update TLS presets when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
6e1387abed Update MBEDTLS_ECP_MAX_BITS when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
d0b16303bb Determine MBEDTLS_ECP_MAX_BITS automatically
MBEDTLS_ECP_MAX_BITS doesn't make sense as a configuration option: it
must not be smaller than the largest supported curve, and it's useless
to set it to a larger value. So unconditionally set it to the size of
the largest supported curve. Remove it from the build configuration.

Alternative implementations must no longer need define this macro.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
9ef1ea7444 Move the definition of derived values out of the settings section
Alternative implementations must no longer define these macros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
6a2fb61896 Rename library/ecp_alt.h to ecp_internal_alt.h
library/ecp_alt.h (declaring individual functions of the ECP module that can
be substituted, included when building the library with
MBEDTLS_ECP_INTERNAL_ALT enabled) clashes with ecp_alt.h (not provided,
declaring types of the ECP module when the whole implementation is
substituted, included when building the library with MBEDTLS_ECP_ALT enabled).
Depending on the search path during build, this can make MBEDTLS_ECP_ALT
unusable.

Rename library/ecp_alt.h to follow the naming convention of other alt headers:
MBEDTLS_XXX_ALT corresponds to xxx_alt.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
b9ccb25f33 Starter-class documentation of alternative implementations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
cee21d76f1
Merge pull request #4606 from TRodziewicz/turn__SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt
Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config opt to a runtime opt
2021-06-14 19:03:28 +02:00
Ronald Cron
823f594db5
Merge pull request #4511 from mstarzyk-mobica/mbedtls_private_with_python
Introduce scripts automating wrapping structs members with MBEDTLS_PRIVATE macro
2021-06-14 17:36:39 +02:00
Ronald Cron
c4c761e35e Merge remote-tracking branch 'mbedtls/development' into mbedtls_private_with_python
Conflicts:
    include/mbedtls/ssl.h
    include/psa/crypto_struct.h

Conflicts fixed by using the code from development branch
and manually re-applying the MBEDTLS_PRIVATE wrapping.
2021-06-14 16:17:32 +02:00
Ronald Cron
a90e0907c5 Remove scripts automating wrapping structs members with MBEDTLS_PRIVATE.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-14 16:15:26 +02:00
TRodziewicz
3946f79cab Correction according to code review (function and param. names change
and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 13:46:21 +02:00
TRodziewicz
8b223b6509 Addition of the migration guide entry file.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:33 +02:00
TRodziewicz
8476f2f30a Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config option to a runtime option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:20 +02:00
TRodziewicz
1fcd72e93c change log and migr. guide fixes and _DEPRECATED_REMOVED removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:16:06 +02:00
Janos Follath
21f84643f8
Merge pull request #4317 from yanesca/psa-jpake-interface
J-PAKE interface definition for PSA Crypto
2021-06-11 13:47:25 +01:00
Ronald Cron
57864faf84
Merge pull request #4634 from Patater/mbed-can-do-timing
config: Allow Mbed to implement TIMING_C
2021-06-11 09:14:13 +02:00