Commit graph

5106 commits

Author SHA1 Message Date
Jerry Yu
1bc2c1f1a3 fix various issues
fix comments, format and name conversion issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
a2cf7bd243 fix comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
995ecd396f fix wrong iana values and comments
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
b3317e1a01 Add extension types in rfc8446
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Jerry Yu
7984d9931e Add tls1.3 extension IANA values
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Jerry Yu
a13c7e739c add dummy client hello process
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Gilles Peskine
1984800f70 Add check_config checks for AEAD
CCM requires one of the 128-bit-block block ciphers to be useful, just like GCM.

GCM and CCM need the cipher module.

ChaChaPoly needs ChaCha20 and Poly1305.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-02 10:33:57 +02:00
Mateusz Starzyk
7251eda6ff Replace BAD_SEQUENCE error with BAD_INPUT
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-01 13:26:44 +02:00
Mateusz Starzyk
e40ae6bbed Fix typo
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-01 12:47:49 +02:00
Gilles Peskine
ca939959e4 Allow read-only access to lists of certificates, CRL, CRL entries
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:18:07 +02:00
Gilles Peskine
2e9d65f928 Note that custom info structures are not supported
This was already documented for mbedtls_md_info_t. Also document it for
mbedtls_pk_info_t (where it's fairly obvious since the structure is not
defined in a public header) and for mbedtls_cipher_info_t (where it's not
obvious since the structure is defined in a public header).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:08:55 +02:00
Gilles Peskine
44ffc79d29 Copyediting in comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:08:55 +02:00
Gilles Peskine
842edf474c Make many fields of X.509 structures public
The structures mbedtls_x509_time, mbedtls_x509_crl_entry, mbedtls_x509_crl,
mbedtls_x509_crt, mbedtls_x509_san_other_name,
mbedtls_x509_subject_alternative_name, mbedtls_x509_csr are designed to
expose the result of parsing X.509 data. Document many of their fields as
being publicly readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
b89d9c0599 Make fields of ASN.1 data structures public
The structures mbedtls_asn1_buf, mbedtls_asn1_bitstring,
mbedtls_asn1_sequence and mbedtls_asn1_named_data are designed to allow
access to data after parsing. Make their fields public.

Document that chaining fields are essentially read-only.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
b11d61e095 mbedtls_net_context: make fd public on Unix/POSIX platforms
On platforms with BSD-like sockets, it is useful for applications to have
access to the underlying file descriptor so that they can use functions like
select() and poll().

Do not promise that the field will exist on other platforms such as
Windows (where the type and name of the field are technically wrong because
Windows socket handles are actually not file descriptors).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
0be02bd823 Add accessor functions for cipher_info fields
Add functions to read the type, mode, name and key_bitlen fields from
mbedtls_cipher_info_t. These are the fields that applications are most
likely to care about.

TLS code also uses iv_size and block_size, which it might make sense to
expose, but most applications shouldn't need those, so I'm not exposing them
for now.

Call the new functions in unit tests, so they're at least smoke-tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:52:41 +02:00
Gilles Peskine
a73b577744 Make the fields of mbedtls_ecp_curve_info public
The whole point of this structure is to provide information, both for the
library's own sake and to applications.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:52:41 +02:00
Manuel Pégourié-Gonnard
e45ee40f7e
Merge pull request #4811 from hanno-arm/tls13_ciphersuite_api
Add TLS 1.3 ciphersuite and key exchange identifiers and API
2021-08-30 09:47:46 +02:00
Jerry Yu
cadebe5343 fix several format and comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-25 18:13:42 +08:00
Mateusz Starzyk
cbefb6ba4d Merge branch 'development' into ccm_chunked
Conflicts:
	library/ccm.c

Conflict resolved by re-applying the MBEDTLS_BYTE_0 macro.
Conflict resolved by ignoring the MBEDTLS_PUT_UINT16_BE macro
used in development branch on the 'b' buffer, because the 'b'
buffer is removed in current branch.
2021-08-24 15:14:23 +02:00
Andrey Starodubtsev
90cc33aad6 Misprint was fixed
Signed-off-by: Andrey Starodubtsev <andrey.starodubtsev@gmail.com>
2021-08-23 12:20:41 +03:00
Manuel Pégourié-Gonnard
01a78599b0
Merge pull request #4864 from hanno-arm/upstream_sig_alg_identifers
TLS 1.3 MVP: Upstream TLS 1.3 SignatureAlgorithm identifiers and configuration API
2021-08-19 09:12:59 +02:00
Jerry Yu
447a3bee17 fix wrong typo and format issues
Change-Id: I99a4c7d28c26bfcc43bc8947485d1dfafb6974dc
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-18 09:55:36 +08:00
Manuel Pégourié-Gonnard
684543a3a8
Merge pull request #4807 from hanno-arm/bio_recv_ret_0_eof
Document that returning 0 from the recv callback means EOF
2021-08-17 10:30:46 +02:00
Jerry Yu
7899de839c fix comments and format issues
Change-Id: I927d97f9d788389d6abb9edbda0f7c3e2f8e9b63
CustomizedGitHooks: yes
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-17 13:26:59 +08:00
Manuel Pégourié-Gonnard
93a3ca6caf
Merge pull request #4413 from gilles-peskine-arm/tls_ext_cid-config
Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:49:50 +02:00
Gilles Peskine
7dd2f504b3 Allow configuring MBEDTLS_TLS_EXT_CID at compile time
The numerical identifier of the CID extension hasn't been settled yet
and different implementations use values from different drafts. Allow
configuring the value at compile time.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-12 10:31:01 +02:00
Hanno Becker
5d045a8b89 Stick to 'ephemeral' instead of ECDHE for TLS 1.3 key exchanges
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
674f9480cf Fix typo: algorithmc -> algorithms
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
d4fa9bc710 Remove outdated mentioning of version-specific ciphersuite config
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
a2535931ac Add Doxygen documentation for TLS 1.3 key exchange macros
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
71f1ed66c2 Add identifiers and API for configuration of TLS 1.3 key exchanges
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
e486b2d7bb Document use of mbedtls_ssl_conf_ciphersuites() for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
8ca26923eb Add TLS 1.3 ciphersuites
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
e043d15d75 Turn comments of 1.3 record transforms into Doxygen documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:22:52 +01:00
Hanno Becker
1cd6e0021f Add experimental API for configuration of TLS 1.3 sig algs
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 13:55:43 +01:00
Hanno Becker
551265f879 Add TLS 1.3 IANA signature-algorithm values
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 13:03:48 +01:00
Mateusz Starzyk
a42f9537b5 Improve documentation for CCM's processed variable.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 14:00:14 +02:00
Mateusz Starzyk
4f2dd8aada Fix errors returned by CCM functions.
Add new error code for calling functions in wrong order.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 14:00:14 +02:00
Mateusz Starzyk
f337850738 Use const size buffer for local output in CCM decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:59:36 +02:00
Mateusz Starzyk
22f7a35ca4 Do not use output buffer for internal XOR during decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
4df9ac4882 Reorganize ccm context structure.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
663055f784 Remove UPDATE_CBC macro and working b buffer.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
eb2ca96d69 Store set lenghts in ccm context.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
793692cbcb Split ccm_auth function.
Move logic to ccm_starts, ccm_set_lengths, ccm_update_ad,
ccm_update and ccm_finish
Use separate variable to track context state.
Encode first block only if both mbedtls_ccm_starts() and
mbedtls_ccm_set_lengths() were called.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
89d469cdb4 Move working variables to ccm context structure
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Yuto Takano
7828ca2ea4 Fix typos pointed out by check_names
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-08-10 11:26:15 +01:00
Hanno Becker
3aa186f946 Add transforms to be used for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:24:19 +01:00
Hanno Becker
0e719ff341 Improve the documentation of legacy msg layer transforms
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:24:08 +01:00
Hanno Becker
b6bbbb174d Fix typo in documentation of ssl->transform_out
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:00:14 +01:00
Gilles Peskine
3fbc5d3cf2
Merge pull request #4815 from gilles-peskine-arm/generate_errors-multiline-3.0
Move MBEDTLS_ERR_xxx Doxygen comments before the definition
2021-08-03 13:46:21 +02:00
Gilles Peskine
cfb5d393ed
Merge pull request #4659 from spencer-burke/fixing_4222
Remove duplicated check in `check_config.h`
2021-08-03 12:53:34 +02:00
Gilles Peskine
d297157fe8 Move MBEDTLS_ERR_xxx Doxygen comments before the definition
Now that descriptions of error codes no longer have to be on the same line
for the sake of generate_errors.pl, move them to their own line before the
definition. This aligns them with what we do for other definitions, and
means that we no longer need to have very long lines containing both the C
definition and the comment.

```
perl -i -pe 's~^(#define +MBEDTLS_ERR_\w+ +-\w+) */\*[*!]<(.*)\*/~/**$2*/\n$1~' include/mbedtls/*.h
```

This commit does not change the output of generate_errors.pl.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 22:51:03 +02:00
Gilles Peskine
8bb9b80d18
Merge pull request #4806 from hanno-arm/ssl_session_serialization_version
Store TLS version in SSL session structure
2021-08-02 12:45:55 +02:00
Hanno Becker
57723135b3 Document temporary overlap of TLS version in SSL context and session
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-01 19:40:44 +01:00
Gilles Peskine
69813477b0
Merge pull request #4758 from paul-elliott-arm/fix_cipher_output_size
Fix divide by zero if macro used with wrong key type
2021-07-30 18:56:18 +02:00
Dave Rodgman
677c6c4cac
Merge pull request #4801 from hanno-arm/ssl_session_exported_private
Explicitly mark fields as private via MBEDTLS_PRIVATE(...)
2021-07-30 14:39:07 +01:00
Manuel Pégourié-Gonnard
b637150dfe
Merge pull request #4730 from TRodziewicz/finish_removing_tls_1.0_and_1.1
Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
2021-07-27 09:42:53 +02:00
Hanno Becker
218dec824e Document that returning 0 from the recv callback means EOF
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:24:25 +01:00
Hanno Becker
fadbdbb576 Store TLS version in SSL session structure
Instances of `mbedtls_ssl_session` represent data enabling session resumption.

With the introduction of TLS 1.3, the format of this data changes. We therefore
need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish
1.2 and 1.3 sessions.

This commit introduces such a TLS-version field to mbedtls_ssl_session.

The change has a few ramifications:

- Session serialization/deserialization routines need to be adjusted.

  This is achieved by adding the TLS-version after the header of
  Mbed TLS version+config, and by having the subsequent structure
  of the serialized data depend on the value of this field.

  The details are described in terms of the RFC 8446 presentation language.

  The 1.2 session (de)serialization are moved into static helper functions,
  while the top-level session (de)serialization only parses the Mbed TLS
  version+config header and the TLS-version field, and dispatches according
  to the found version.

  This way, it will be easy to add support for TLS 1.3 sessions in the future.

- Tests for session serialization need to be adjusted

- Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3,
  we will need to have some logic comparing the TLS version of the proposed session
  to the negotiated TLS version. For now, however, we only support TLS 1.2,
  and no such logic is needed. Instead, we just store the TLS version in the
  session structure at the same point when we populate mbedtls_ssl_context.minor_ver.

The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and
`mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved.
However, with both fields being private and explicitly marked so, this can happen
in a later change.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 06:25:48 +01:00
Gilles Peskine
3b9bea0757
Merge pull request #4750 from yutotakano/fix-reserved-identifier-clash
Replace reserved identifier clashes with suitable replacements
2021-07-22 16:20:56 +02:00
Hanno Becker
0379942744 Explicitly mark mbedtls_ssl_config.respect_cli_pref as private
This was always intended to be explicitly marked private.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-22 11:37:05 +01:00
Hanno Becker
95832d8872 Explicitly mark mbedtls_ssl_session.exported as private
This was an oversight during concurrent merging
in the run-up to Mbed TLS 3.0.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-22 11:37:01 +01:00
Paul Elliott
6603e2b81c Add fix to update output size macro as well.
Same issue with zero block length applies here.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-14 12:39:54 +01:00
Paul Elliott
c22950c9d0 Change PSA Cipher macro safety to use block length
Although checking if the key was symmetric was correct, its easier to
read if we just check the block length is not zero before we use it in a
division.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-14 12:39:54 +01:00
Yuto Takano
538a0cbcf4 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 10:20:09 +01:00
Archana
ef6aa5c46d Support Curve448 via the PSA API
Enable Curve448 support
Add test vectors to evaluate
* RFC 7748
* a known-answer public key export test.
* a known-answer ECDH (X448) test.

Signed-off-by: Archana <archana.madhavan@silabs.com>
2021-07-12 08:07:14 +05:30
Paul Elliott
a02003babe Fix divide by zero if macro used with wrong key
If PSA_CIPHER_ENCRYPT_OUTPUT_SIZE was called on a non symmetric key,
then a divide by zero could happen, as PSA_CIPHER_BLOCK_LENGTH will
return 0 for such a key, and PSA_ROUND_UP_TO_MULTIPLE will divide by the
block length.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-07 17:24:46 +01:00
Dave Rodgman
1bc9e934e2 Manual updates to version information
This covers a few files that were missed by scripts/bump_version.sh

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-07-01 09:26:12 +01:00
Dave Rodgman
9f5774f56d
Merge pull request #4739 from gabor-mezei-arm/3258_fp30_implement_one-shot_MAC_and_cipher
Implement one-shot cipher
2021-06-30 17:04:23 +01:00
Dave Rodgman
0a7ff4a4e2
Merge pull request #4741 from gabor-mezei-arm/3267_fp30_sign_verify_key_policies
Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:50:57 +01:00
gabor-mezei-arm
47060db199 Give a better name for struct member
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:45:58 +02:00
Dave Rodgman
dc1a3b2d70
Merge pull request #4724 from hanno-arm/ssl_hs_parse_error_3_0
Cleanup SSL error code space
2021-06-30 09:02:55 +01:00
gabor-mezei-arm
42cdb2a90b
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
43110b6b2c Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:49 +02:00
gabor-mezei-arm
86bf008782 Extend PSA_USAGE_SIGN/VERIFY_HASH key policies
According to the PSA specification the PSA_USAGE_SIGN_HASH has the
permission to sign a message as PSA_USAGE_SIGN_MESSAGE. Similarly the
PSA_USAGE_VERIFY_HASH has the permission to verify a message as
PSA_USAGE_VERIFY_MESSAGE. These permission will also be present when
the application queries the usage flags of the key.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:01:48 +02:00
Dave Rodgman
c628fc980f Correct and clarify the SSL error code documentation
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 14:36:19 +01:00
Dave Rodgman
03edc8614f Fix docs in error.h
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 11:06:18 +01:00
Dave Rodgman
bb05cd09b7 Remove MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 10:41:06 +01:00
Dave Rodgman
53c8689e88 Introduce new TLS error codes
Introduce new codes:
* MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION
* MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL

These are returned when the corresponding alert is raised.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 10:02:06 +01:00
Dave Rodgman
096c41111e Remove MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 09:52:06 +01:00
Ronald Cron
8682faeb09
Merge pull request #4694 from gilles-peskine-arm/out_size-3.0
Add output size parameter to signature functions
2021-06-29 09:43:17 +02:00
Dave Rodgman
55a4d938d0
Merge pull request #4589 from bensze01/split_config
Add a level of indirection to config file inclusion
2021-06-28 17:54:51 +01:00
Bence Szépkúti
e55a821f0e Remove explicit link to MBEDTLS_CONFIG_FILE
This symbol is not declared in our code, so trying to explicitly
link to it causes a doxygen error.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 15:15:56 +01:00
Bence Szépkúti
5e2743f284 Mention MBEDTLS_CONFIG_FILE in build_info.h docs
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 14:32:01 +01:00
Bence Szépkúti
9cd7065307 No other headers are included by mbedtls_config.h
These have been moved to build_info.h. Update the documentation to
reflect this.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 14:29:42 +01:00
TRodziewicz
2abf03c551 Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-28 14:36:37 +02:00
Hanno Becker
b561bedadd Make MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE more generic
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
90d59dddf5 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
c3411d4041 Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
9ed1ba5926 Rename MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
New name MBEDTLS_ERR_SSL_BAD_CERTIFICATE

Also, replace some instances of MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
by MBEDTLS_ERR_SSL_DECODE_ERROR and MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
as fit.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
5697af0d3d Remove MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
cbc8f6fd5d Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
a0ca87eb68 Remove MBEDTLS_ERR_SSL_BAD_HS_FINISHED
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d200296f17 Remove MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d934a2aafc Remove MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d3eec78258 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
666b5b45f7 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
029cc2f97b Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
b24e74bff7 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP error code
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d01fc5f583 Introduce MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE error code
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
241c19707b Remove MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
bc00044279 Rename MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
New name is MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
93636cce4a Add MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
2fe5f61e1a Add generic codes for syntactic and semantic message parsing errors
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Bence Szépkúti
1b2a8836c4 Correct documentation references to Mbed TLS
Use the correct formatting of the product name in the documentation.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 10:37:19 +01:00
Bence Szépkúti
a1d1f5b84f Fix typo
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:49:04 +01:00
Janos Follath
8a88f6274c
Merge pull request #4726 from athoelke/at-pbkdf2-doc-fixes
Fixes for PBKDF2 documentation
2021-06-28 09:47:57 +01:00
Bence Szépkúti
5c70c140b7 Remove def directive for version symbol
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:49 +01:00
Bence Szépkúti
1cafe5ce20 Base config compat check on MBETLS_VERSION_NUMBER
Any config with a version older than 3.0.0 or newer than
MBETLS_VERSION_NUMBER will be rejected.

This does mean that the current development version doesn'T accept *any*
value of MBETLS_CONFIG_VERSION, but this will be fixed when we bump the
version during our normal release process.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
fc04aa2be5 Remove MBEDTLS_USER_CONFIG_VERSION handling
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
2bb7456334 Base the config version on MBEDTLS_VERSION_NUMBER
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
b2e23de0f3 Make config version symbols optional
Also remove them from the example configs, but keep the one in
mbedtls_config.h.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
04982f7b6b Move version defines to build_info.h
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:48 +01:00
Bence Szépkúti
d3da503c29 Move comment closer to relevant code
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:47 +01:00
Bence Szépkúti
ba7248abc4 Introduce versioning in the config files
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:47 +01:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Bence Szépkúti
c5c9eb4741 Move preprocessor logic to build_info.h
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:24:42 +01:00
Bence Szépkúti
c662b36af2 Replace all inclusions of config.h
Also remove preprocessor logic for MBEDTLS_CONFIG_FILE, since
build_info.h alreadyy handles it.

This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^include/mbedtls/build_info\.h$' | xargs sed -b -E -i '
/^#if !?defined\(MBEDTLS_CONFIG_FILE\)/i#include "mbedtls/build_info.h"
//,/^#endif/d
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:24:07 +01:00
Bence Szépkúti
5ab7303409 Introduce a level of indirection in config header
Create a separate header file (mbedtls/build_info.h) to use when
depending on the config options defined in config.h.

Also copy the handling of the MBEDTLS_CONFIG_FILE macro into the new
header, so that the next commit can remove this code from every other
place where config.h used to be included.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:14:17 +01:00
Andrew Thoelke
52d18cd9a4
Remove trailing space
Signed-off-by: Andrew Thoelke <andrew.thoelke@arm.com>
2021-06-25 11:03:57 +01:00
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Gilles Peskine
f00f152444 Add output size parameter to signature functions
The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
mbedtls_ecdsa_write_signature() and mbedtls_ecdsa_write_signature_restartable()
now take an extra parameter indicating the size of the output buffer for the
signature.

No change to RSA because for RSA, the output size is trivial to calculate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-25 00:46:22 +02:00
Gilles Peskine
1fed4b8324
Merge pull request #4720 from gilles-peskine-arm/gcm-finish-outlen
Add output_length parameter to mbedtls_gcm_finish
2021-06-24 20:02:40 +02:00
Andrew Thoelke
a0f4b595c5
Fixes for PBKDF2 documentation
Fix typos in the PBKDF2 documentation

Correct the constraints on PSA_KEY_USAGE_DERIVE and PSA_KEY_USAGE_VERIFY_DERIVATION, aligning them with the note against psa_key_derivation_input_key(). All key inputs must have the required usage flag to permit output or verification.

Correct the constraints on PSA_KEY_DERIVATION_INPUT_SECRET and PSA_KEY_DERIVATION_INPUT_PASSWORD, aligning them with 4feb611. psa_key_derivation_verify_key() does not require the secret/password input to be a key.

Signed-off-by: Andrew Thoelke <andrew.thoelke@arm.com>
2021-06-24 16:47:14 +01:00
Gilles Peskine
fedd52ca19
Merge pull request #4707 from gilles-peskine-arm/require-matching-hashlen-rsa-implementation
Require matching hashlen in RSA functions: implementation
2021-06-24 10:28:20 +02:00
Gilles Peskine
5a7be10419 Add output_length parameter to mbedtls_gcm_finish
Without this parameter, it would be hard for callers to know how many bytes
of output the function wrote into the output buffer. It would be possible,
since the cumulated output must have the same length as the cumulated input,
but it would be cumbersome for the caller to keep track.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 21:51:32 +02:00
Gilles Peskine
f06b92d724
Merge pull request #4567 from mstarzyk-mobica/gcm_ad
Enable multiple calls to mbedtls_gcm_update_ad
2021-06-23 19:36:23 +02:00
Dave Rodgman
cb17fc34cf
Merge pull request #4671 from mpg/x509-crt-profile-public
Make the fields of mbedtls_x509_crt_profile public
2021-06-23 16:06:12 +01:00
Ronald Cron
4f7cc1bb63
Merge pull request #4713 from gilles-peskine-arm/psa-storage-format-test-lifetimes-3.0
PSA storage format: test lifetimes
Almost straightforward of #4392 thus merging with only one approval.
2021-06-23 15:22:03 +02:00
Ronald Cron
44a0ae920c
Merge pull request #4710 from mstarzyk-mobica/ccm_taglen
Add missing tag_len in ccm api.
PR-4710-merge TLS Testing  run successfully and the failure in PR-4710-head TLS Testing are CI problems thus merging.
2021-06-23 14:20:26 +02:00
Gilles Peskine
91466c8d3f Hopefully clarify the example
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
52bb83e6ad Fix mbedtls_svc_key_id_is_null when KEY_ID_ENCODES_OWNER
A null key id is a null key id even when it has an owner attached to it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
d133bb2909 New macro PSA_KEY_LIFETIME_IS_READ_ONLY
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:43:08 +02:00
Mateusz Starzyk
82c48c992c Adjust tag_len documentation for the mbedtls_ccm_finish().
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-23 12:39:40 +02:00
Gilles Peskine
c9d86a05ce
Merge pull request #4665 from yanesca/issue-3990-fix_psa_verify_with_alt
Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:38 +02:00
Mateusz Starzyk
98d45b90b0 Add missing tag_len in ccm api.
Function ccm_set_lengths requires tag_len argument for
the B[0] calculation.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-23 10:49:22 +02:00
Paul Elliott
7220cae93c Ensure generate nonce unavailable in decrypt
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:47 +01:00
Gilles Peskine
e9bc857327
Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export
Implement modified key export API for Mbed TLS 3.0
2021-06-22 18:52:37 +02:00
Gilles Peskine
9dbbc297a3 PK signature function: require exact hash length
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 18:39:41 +02:00
Manuel Pégourié-Gonnard
e7885e5441 RSA: Require hashlen to match md_alg when applicable
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-22 12:29:27 +02:00
Manuel Pégourié-Gonnard
3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00
Manuel Pégourié-Gonnard
508d3a5824
Merge pull request #4664 from tom-daubney-arm/rm_truncated_HMAC_ext
Remove truncated HMAC extension
2021-06-22 11:53:10 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Janos Follath
b795332401 mbedtls_rsa_rsassa_pss_*: improve documentation
Hashes used in RSA-PSS encoding (EMSA-PSS-ENCODE, see §9.1.1 in RFC
8017):

- H1: Hashing the message (step 2)
- H2: Hashing in the salt (step 6)
- H3: Mask generation function (step 9)

According to the standard:

- H1 and H2 MUST be done by the same hash function
- H3 is RECOMMENDED to be the same as the hash used for H1 and H2.

According to the implementation:

- H1 happens outside of the function call. It might or might not happen
and the implementation might or might not be aware of the hash used.
- H2 happens inside the function call, consistency with H1 is not
enforced and might not even be possible to detect.
- H3 is done with the same hash as H2 (with the exception of
mbedtls_rsassa_pss_verify_ext(), which takes a dedicated parameter for
the hash used in the MGF).

Issues with the documentation:

- The comments weren't always clear about the three hashes involved and
often only mentioned two of them (which two varied from function to
function).
- The documentation was giving the impression that the standard
recommends aligning H2 and H1 (which is not a recommendation but a
must).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-21 10:39:04 +01:00
Spencer Burke
6364d32e47 Remove the duplicate code in mbedtls/include/mbedtls/check_config.h
Removing the extra preprocessor directives found within the specified
source file.

Signed-off-by: Spencer Burke <info.spencer.burke@gmail.com>
2021-06-18 14:27:22 -07:00
Hanno Becker
d8f32e72b4 Move export callback and context to the end of SSL context
This saves some code when compiling for Thumb, where access to
fields with offset index > 127 requires intermediate address
computations. Frequently used fields should therefore be located
at the top of the structure, while less frequently used ones --
such as the export callback -- can be moved to the back.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
e0dad720ee Remove return value from key export callback
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
7e6c178b6d Make key export callback and context connection-specific
Fixes #2188

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
22b34f75cd Remote key export identifier used for TLS < 1.2.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
ddc739cac4 Add missing documentation for key export callback parameters
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
457d61602f Define and implement new key export API for Mbed TLS 3.0
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
2d6e6f8fec Remove '_ext' suffix from SSL key exporter API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
78ba2af7c2 Remove old key export API
Seems to be an oversight that this wasn't marked deprecated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
TRodziewicz
963bb810f4 Removing global variable and moving variant function comment block
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 13:22:57 +02:00
Hanno Becker
5c5b820352 Fix typo in doc'n of session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 12:21:25 +01:00
Manuel Pégourié-Gonnard
9d4c2c4e42 Clarify how to create custom profiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:19:34 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
Gilles Peskine
39957503c5 Remove secp256k1 from the default X.509 and TLS profiles
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
a03fb29666 Document backward compatibility promises for the default TLS profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:05 +02:00
Gilles Peskine
a28f0f5082 Leave the preference order for hashes unspecified
We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad In TLS, order curves by resource usage, not size
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.

So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.

The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
377c91e1b7 Remove meaningless clause
We stated that curves were listed "in order of preference", but we never
explained what the preference was, so this was not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
5752e599b3 Reduce the default ECP window size
MBEDTLS_ECP_WINDOW_SIZE is a compromise between memory usage (growing based
on the value) and performance (faster with larger values). There are
disminishing returns as the value grows larger. Based on Manuel's benchmarks
recorded in https://github.com/ARMmbed/mbedtls/issues/4127, 4 is a good
compromise point, with larger values bringing little advantage. So reduce
the default from 6 to 4.

Document the default value as in optimized for performance mostly, but don't
document the specific value, so we may change it later or make it
platform-dependent.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
ae270bf386 Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ffb92da622 Upgrade the default X.509 profile to the former "next" profile
Upgrade the default X.509 certificate verification profile
mbedtls_x509_crt_profile_default to the former value of
mbedtls_x509_crt_profile_next, which is hashes and curves with at least 255
bits (Curve25519 included), and RSA 2048 and above.

Document more precisely what goes into the default profile.

Keep the "next" profile unchanged for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
Manuel Pégourié-Gonnard
55a7fb8322 Improve documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:42:03 +02:00
Manuel Pégourié-Gonnard
5314e08e08 Make the fields of mbedtls_x509_crt_profile public
These fields are supposed to be manipulated directly, that's how people
create custom profiles.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 10:32:01 +02:00
Manuel Pégourié-Gonnard
d51aaad4c9 Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
It was used to remove the code used when mbedtls_ecp_mul() received a
NULL RNG parameter. This code is no longer relevant (as the RNG may no
longer be NULL) and will be unconditionally removed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f8c24bf507 Fix signature of check_pub_priv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
aa3ed6f987 Make RNG parameters mandatory in ECP functions
Fix trivial faulty calls in ECP test suite and ECP/ECJPAKE self-tests (by
adding a dummy RNG).

Several tests suites are not passing yet, as a couple of library
function do call ecp_mul() with a NULL RNG. The complexity of the fixes
range from "simple refactoring" to "requires API changes", so these will
be addressed in separate commits.

This makes the option MBEDTLS_ECP_NO_INTERNAL_RNG, as well as the whole
"internal RNG" code, obsolete. This will be addressed in a future
commit, after getting the test suites to pass again.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
7861ecf838 Make RNG parameters mandatory in ECDH functions
Again, no check in the code - will be checked by ECP

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
1a87722bb6 Make RNG parameters mandatory in DHM functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
34d3756457 Make RNG parameters mandatory in PK functions
Again, no check here, will be checked by lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
c305b72ed1 Make RNG parameters mandatory in X.509 functions
Not adding a check in the code here, as this will be checked by the
lower-level modules.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Manuel Pégourié-Gonnard
ad5390fc4f Clarify that RNG parameters are mandatory in SSL
No change here, these were already mandatory, it just wasn't explicit in
the documentation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Hanno Becker
ab4ecfcc2c Improve wording of documentation of new session resumption API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-17 05:12:16 +01:00
Thomas Daubney
4a7010d1aa Removes MBEDTLS_SSL_TRUNCATED_HMAC config option
Commit removes the
MBEDTLS_SSL_TRUNCATED_HMAC config option from config.h
and places a check that it is unset in check_config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Thomas Daubney
d7171e9f59 Removes truncated HMAC code from ssl.h
Commit removes conditionally compiled code
relating to MBEDTLS_SSL_TRUNCATED_HMAC from
ssl.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:26:59 +01:00
Mateusz Starzyk
d6f673d710 Remove outdated note about multiple calls to cipher update for
associated data.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
bd513bb53d Enable multiple calls to mbedtls_gcm_update_ad.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
TRodziewicz
15a7b73708 Documentation rewording
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 11:22:53 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
TRodziewicz
90f304ff1a Fixing test_clang_opt (asm not defined)
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:48:01 +02:00
TRodziewicz
d854083773 Move part of timing module out of the library
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:47:44 +02:00
Manuel Pégourié-Gonnard
8cad2e22fc
Merge pull request #4595 from gilles-peskine-arm/alt-dummy-headers-3.0
Lighten and test constraints on context types in alternative implementations
2021-06-15 12:12:46 +02:00
Gilles Peskine
e5702489f5 mbedtls_dhm_get_value parameter order: context first, output last
mbedtls_dhm_get_value can be seen as either a copy function or a getter
function. Given the name and the semantics, it's more of a getter, even if
it "gets" by doing a copy. Therefore, put the context first, and the
selector next, leaving the output for last.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:14:28 +02:00
Gilles Peskine
bf69ea5b8f Make some fields of mbedtls_ecp_group public
The Mbed TLS code relies heavily on reading certain fields of
mbedtls_ecp_group directly. Make these fields public. Require
that MBEDTLS_ECP_ALT alternative implementations have them.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
cd07e22048 New function mbedtls_ecjpake_set_point_format
Use this instead of accessing the field directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
71acc6e8d9 New function mbedtls_dhm_get_value to copy a field of a DHM context
Reduce the need to break the DHM abstraction by accessing the context directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
487bbf6805 DHM: new functions to query the length of the modulus
Add two functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen() to
query the length of the modulus in bytes or bits.

Remove the len field: the cost of calling mbedtls_dhm_get_len() each time
it's needed is negligible, and this improves the abstraction of the DHM
module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:12:37 +02:00
Gilles Peskine
601d34396c Update TLS presets when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
6e1387abed Update MBEDTLS_ECP_MAX_BITS when adding a curve
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
d0b16303bb Determine MBEDTLS_ECP_MAX_BITS automatically
MBEDTLS_ECP_MAX_BITS doesn't make sense as a configuration option: it
must not be smaller than the largest supported curve, and it's useless
to set it to a larger value. So unconditionally set it to the size of
the largest supported curve. Remove it from the build configuration.

Alternative implementations must no longer need define this macro.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
9ef1ea7444 Move the definition of derived values out of the settings section
Alternative implementations must no longer define these macros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-15 00:10:37 +02:00
Gilles Peskine
cee21d76f1
Merge pull request #4606 from TRodziewicz/turn__SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt
Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config opt to a runtime opt
2021-06-14 19:03:28 +02:00
Ronald Cron
c4c761e35e Merge remote-tracking branch 'mbedtls/development' into mbedtls_private_with_python
Conflicts:
    include/mbedtls/ssl.h
    include/psa/crypto_struct.h

Conflicts fixed by using the code from development branch
and manually re-applying the MBEDTLS_PRIVATE wrapping.
2021-06-14 16:17:32 +02:00
TRodziewicz
3946f79cab Correction according to code review (function and param. names change
and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 13:46:21 +02:00
TRodziewicz
8476f2f30a Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config option to a runtime option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:20 +02:00
TRodziewicz
1fcd72e93c change log and migr. guide fixes and _DEPRECATED_REMOVED removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:16:06 +02:00
Janos Follath
21f84643f8
Merge pull request #4317 from yanesca/psa-jpake-interface
J-PAKE interface definition for PSA Crypto
2021-06-11 13:47:25 +01:00
Ronald Cron
57864faf84
Merge pull request #4634 from Patater/mbed-can-do-timing
config: Allow Mbed to implement TIMING_C
2021-06-11 09:14:13 +02:00
Gilles Peskine
02b76b7d18
Merge pull request #4619 from TRodziewicz/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options
Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
2021-06-10 17:43:36 +02:00
Jaeden Amero
197496af69 config: Allow Mbed to implement TIMING_C
Mbed OS now provides POSIX-like time functions, although not alarm() nor
signal(). It is possible to implement MBEDTLS_TIMING_ALT on Mbed OS, so
we should not artificially prevent this in check-config. Remove the the
check that prevents implementing MBEDTLS_TIMING_ALT on Mbed OS.

Note that this limitation originally was added in the following commit,
although there isn't much context around why the restriction was
imposed: 63e7ebaaa1 ("Add material for generating yotta module"). In
2015, Mbed OS was quite a different thing: no RTOS, no threads, just an
asynchronous event loop model. I'd suppose the asynchronous event loop
model made it difficult before to implement MBEDTLS_TIMING_C on Mbed OS,
but that is no longer the case.

Fixes #4633

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-06-09 13:47:27 +01:00
TRodziewicz
3ecb92e680 Remove _X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 13:28:16 +02:00
TRodziewicz
26371e4793 Rename the _ret() functions
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-08 16:45:41 +02:00
Janos Follath
1f0131844c Clarify PSA_PAKE_STEP_ZK_PROOF format
Removing reference to RFC 7748 as it is more confusing than helpful. (It
decodes the scalars after masking which is not part of the encoding we
want to specify. Also, it has the explanation what it means by little
endian in a preceding section that is not trivial to find.)

We also explicitly specify constraint on leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:30:48 +01:00
Janos Follath
46c02375b7 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:22:51 +01:00
Janos Follath
0dcda95ac0 Make check-names.sh happy
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:52:05 +01:00
Janos Follath
33434a9f60 Fix parenthesis spacing in crypto_struct.h
crypto_struct.h is implementation-specific so it was intended to have
Mbed TLS whitespace style.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:51:40 +01:00
Janos Follath
55dd5dc355 PSA PAKE: Clarify the documentation of NIZKP steps
The expression "the masking is omitted" assumes familiarity with
Montgomery curve private key format and even then can be confusing and
ambiguous or confusing.

Describe directly what format we mean and add some more background
information and reference to the standard as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b384ec19d1 PSA PAKE: fix J-PAKE documentation code rendering
4-space indent is only guaranteed to result in a code block if there's a
blank line just before (details vary depending on the markdown
implementation, and doxygen isn't exactly markdown anyway). In a bullet
list, you need 8 spaces since the list itself is a nested construct
which takes a 4-space indent (even though you don't have to indent
continuation lines inside a bullet point by 4 spaces, 1 is enough).

Using \code...\encode which is rendering as intended.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
3293dae00e psa_pake_setup(): simplify documentation
This level of detail can be confusing and could require even more detail
to clear it up. Simplifying it instead in alignment wiht the
documentation of existing setup functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b4db90fb27 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
38d29db75f Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
a46e28f786 PSA PAKE: use neutral pronouns
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
ec83eb605e Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
52f9efad22 Revert "Rename psa_pake_set_password()"
This reverts commit 03a5fd7780026b2ca0b4728352ded930f5a7cff9.

We're already calling the output of a PAKE a "shared secret". The
password is a shared secret (for PAKE where the verifier knows a
password-equivalent secret), but calling it "shared secret" or even just
"secret" would be confusing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
89ee05a805 Rename psa_pake_set_password()
Technically this function takes a low entropy secret as an input which
might or might not be the password. Using the term "secret" in the
function name is less misleading.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
559f05eefc PSA PAKE: remove psa_pake_set_password_stretch()
The password stretching (using slow and/or memory hard hashes) in PAKEs
usually serves two purposes:

- Defending against server compromise impersonation attacks. J-PAKE is an
augmented PAKE and as such, stores a password-equivalent and defending
against this class of attacks is out of scope.
- Preventing offline dictionary attacks. J-PAKE is proven to be zero
knowledge and leaks no information beyond the fact if the passwords
matched and offline dictionary attack is not possible.

In summary: J-PAKE does not benefit from pasword stretching and is
unlikely to be an input. This part of the API is not necessary at this
point and can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
7d69b3a993 PSA PAKE: add warning about stability
We are not confident about the stability of the PAKE interface (it is
just a proposal, not part of the standard yet).  So we should explicitly
document it as experimental, subject to change.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
702cf09ae9 PSA PAKE: move the API to crypto_extra.h
At this point this is a proposed PAKE interface for the PSA Crypto API
and not part of the official standard. Place the interface in
crypto_extra.h to make this clear.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:34 +01:00
Janos Follath
304766e11e PSA PAKE: make algorithm macro name consistent
The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not
PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as
well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
a295918596 PSA PAKE: add input size macros
The caller is likely to receive the inputs on the wire, and having a
known size for which they can confidently reject longer inputs would be
helpful in cases where the application can't just use the input in
place.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
5e1948d2a3 PSA PAKE: define size macros as 0
Define the size macros to 0 rather than empty. That will lead to fewer
weird errors when we start implementing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Ronald Cron
d2cfa3e980 Improve mbedtls_rsa_init/set_padding() descriptions
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
c1905a1c3d Change mbedtls_rsa_init() signature
Remove padding parameters as mbedtls_rsa_init()
cannot return an error code when padding
parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Ronald Cron
ea7631be1c Change mbedtls_rsa_set_padding() signature
mbedtls_rsa_set_padding() now returns the error
code MBEDTLS_ERR_RSA_INVALID_PADDING when
padding parameters are invalid.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:10 +02:00
Manuel Pégourié-Gonnard
16fdab79a5
Merge pull request #4382 from hanno-arm/max_record_payload_api
Remove MFL query API and add API for maximum plaintext size of incoming records
2021-06-08 11:07:27 +02:00
TRodziewicz
0730cd5d9e Merge branch 'development' into Remove__CHECK_PARAMS_option 2021-06-07 15:41:49 +02:00
TRodziewicz
442fdc22ea Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-07 13:52:23 +02:00
Mateusz Starzyk
a74295fb52 Remove outdated note about direct manipulation of private members.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:30:55 +02:00
Mateusz Starzyk
8fc95a06a6 Wrap variable missed by the python script.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:28:24 +02:00
Mateusz Starzyk
2abe51cc75 Extend setup_and_run script to cover remaining configurations.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:08:01 +02:00
Mateusz Starzyk
854a25c7a4 Merge branch 'development' into mbedtls_private_with_python
Conflicts:
         include/mbedtls/ecp.h

Conflict resolved by using the code from development branch
and manually applying the MBEDTLS_PRIVATE wrapping.
2021-06-07 09:49:01 +02:00
Manuel Pégourié-Gonnard
9371a40476 Stop referencing private constants in documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:42 +02:00
Manuel Pégourié-Gonnard
cac90a15ed Hide constants for TLS 1.0 and TLS 1.1
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:33 +02:00
Hanno Becker
d60b6c62d5 Remove per-version ciphersuite configuration API
This commit removes the API

```
    mbedtls_ssl_conf_ciphersuites_for_version()
```

which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.

With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.

This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and

```
   mbedtls_ssl_conf_ciphersuites()
```

can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:20:10 +02:00
Manuel Pégourié-Gonnard
0c1a42a147
Merge pull request #4611 from gilles-peskine-arm/random-range-uniformity-3.0
Fix non-uniform random generation in a range
2021-06-04 10:43:15 +02:00
Manuel Pégourié-Gonnard
f9f9cc217c
Merge pull request #4579 from tom-daubney-arm/rm_ecdh_legacy_context_config_option
Remove `MBEDTLS_ECDH_LEGACY_CONTEXT` config option
2021-06-04 10:02:59 +02:00
Gilles Peskine
7ed7c5a37d mbedtls_mpi_random: document MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
Note that this error has a negligible probability with a "crypto-sized"
bound, but macroscopic probability with a small bound.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
1e918f44c9 mbedtls_mpi_random: check for invalid arguments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
02ac93a1a3 Move mbedtls_mpi_random to the bignum module
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.

This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Thomas Daubney
537e64305d Corrects documentation issues
Commit corrects incorrect docs in
ecdh.h and config.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-03 15:46:33 +01:00
Janos Follath
79e1c47a54 PSA PAKE: explain implicit key confirmation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7c59b7a073 Improve psa_pake_set_peer()/user() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
56a4d7a59f Simplify PAKE input/output format documentation
Make input/output format documentation easier to find:
- Add direct reference to the steps from the input/output functions
- Move the format description directly to the step constants

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ead0e4fc7b PSA PAKE: Clarify J-PAKE algorithm documentation
- Transformed setup description to a more explicit pseudocode based
approach.
- Explained implicit vs explicit key confirmation

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
d416838ffd Rename psa_pake_set_password_mhf()
This step is not necessarily a memory-hard function. Memory-hard
functions are the best of the breed at the moment, but that's due to
current hardware designs, and CPU-hard-but-not-memory-hard functions
like PBKDF2 are acceptable as well. We're using “key stretching” as the
generic term for such functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
3ae6696811 Clarify psa_pake_setup() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
19271ea183 PSA PAKE: Clarify documentation of valid states
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
9a04aeaff5 PSA PAKE: improve and fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7b8910322c PSA PAKE: refine documentation of return values
The key derivation operation passed to psa_pake_set_password_mhf() might
enter an error state before the function returns. If this happens, the
user needs to know about it so that they can properly abort it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
e1a080f1f8 Improve psa_pake_set_password_mhf() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
1062a24152 Fix psa_pake_set_password_mhf() parameter list
The type of the key derivation operation was incorrect.

Also neither the PAKE nor key_derivation algorithm knows how many bytes
to transfer at this stage.

There is no optimal or recommended size, PAKEs don't mandate it either
(with the exception of OPAQUE, but that uses it internally and won't be
using this interface).

Adding an input length parameter to allow the application to control how
many bytes the PAKE takes from the key derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
14ce06afe2 PSA PAKE: fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ef816f37be Fix precedence in psa_pake_cs_set_primitive()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ed82716546 Remove always false comparison PSA_PAKE_PRIMITIVE
Always false comparison triggered compiler warnings. Removing comparison
while preserving semantics to achieve clean build.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
60fa7c59b2 PSA PAKE: document operation parameters
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
b0bcb633ff Link PSA_KEY_TYPE_PASSWORD in the documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
fe0c4493f5 Add psa_pake_set_password_mhf()
Using memory hard functions with PAKEs is the more secure option. It
should be as convenient and efficient to use as less secure options, but
so far it required creating an additional temporary key object.

With psa_pake_set_password_mhf() this eliminates the need for this.

Similarly we could add a convenience function to supply the password
directly from character strings, but that would make the less secure
option more convenient again and therfore we are not doing it now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
56cc9ccc39 PSA PAKE: Align macro names with psa_pake_step_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
3c09c47333 PSA PAKE: remove redundant steps
PAKE constructions that have multiple key shares will always consume and
produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X
would demand step-sequence validation, and provides no functional
utility over having only PSA_PAKE_DATA_XXX.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a71811aa4c Fix typo
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
78b9e40662 PSA PAKE: reintroduce psa_pake_primitive_t
If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a
structure it can't be a compile-time constant anymore.

Reintroducing psa_pake_primitive_t, because it can be constructed as an
integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE
calculating accurate estimates on the output size in compile time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a86c3131a8 PSA PAKE: divide setup into several steps
There are too many parameters to the setup function. This makes it hard
to figure out how to call the function and read code that calls the
function. This also opens the suspicion that there's yet another
parameter that we're missing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
beb78d4d41 Rename psa_pake_data_t
"Data" is too vague, renaming it to psa_pake_step_t. It is still
somewhat vague, but at least consistent with the naming used in key
derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
57cfc407e0 Remove obsolete __DOXYGEN_ONLY__ blocks
__DOXYGEN_ONLY__ blocks were only used to typeset the PSA specification
back when it was extracted from Mbed TLS headers. They are no longer
used and should be removed.

The PSA Crypto Driver API is still under development and might be
extracted from Mbed TLS headers, leaving them there for now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f53c7af916 PSA PAKE: introduce psa_pake_family_t
It is the size of something that has no a priori reason to consist of 8
bits.  This should be psa_pake_family_t, both for documentation (and
possibly static analysis) and in case 8 bits turn out not to be enough.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
1459aa5656 PSA PAKE: improve documentation
Minor documentation improvement and fixes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
f75be64ef5 PSA PAKE: fix identifier value
Identifier value was not consistent with PSA conventions (last byte is
reserved for hash algorithms or used in algorithms parametrized by
a hash).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
5b44cfd430 PSA PAKE: remove alg parameter from setup
The cipher suite now defines the algorithm itself as well. Passing the
algorithm separately is redundant and error prone.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
684da03532 PSA PAKE: remove obsolete types and macros
Making the cipher suite struct internal made a number of types and
macros in the interface unused.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
cd56ff9c59 PSA PAKE: make cipher suite opaque
Hiding the structure of the cipher suite implementation allows for
greater flexibility.

To preserve maximum flexibility, the constructor is replaced by
individual setter/getter functions.

Convenience macros and or functions can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
82b54b96d3 PSA PAKE: Align macro names
In the key types API, PSA Crypto uses ECC to denote Elliptic curve
cryptography and DH to denote Finite Field Diffie-Hellman.

Change PSA_PAKE_PRIMITIVE_TYPE_XXX macros to be aligned.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
fc3577daae Remove reference to PSA_PAKE_KEY_SHARE_SIZE
The macro PSA_PAKE_KEY_SHARE_SIZE has been removed, we need to remove
references to it from the documentation as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
2ba6079d47 PSA: fix wording for implementation defined types
There were remnants of the PSA specification wording in the
documentation that can be confusing in Mbed TLS.

We need to make it clear what the consequences of being implementation
defined are in Mbed TLS.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:30 +01:00
Janos Follath
8005e8a167 Shrink psa_pake_side_t to uint8_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ef1b8c9a76 PSA PAKE: Relate JPAKE documentation to RFC8236
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
7ebcbf34f9 Remove psa_pake_get/set_key_share() functions
The main purpose of psa_pake_get_key_share() is to provide a more
straightforward and convenient call flow for regular PAKEs. Most PAKEs
have a single key share and need a flow like this:

op=PSA_PAKE_OPERATION_INIT;
psa_pake_setup();
psa_pake_get_key_share();
psa_pake_set_key_share();
psa_pake_get_implicit_key();

Adding psa_pake_get/set_key_share() functions cuts out the
psa_pake_data_t constants from the users vision, hiding complexity that
exists only for unrelated PAKEs that aren't relevant for the user.

This comes with the cost of the two additional API functions that we need
to maintain.

Since the current stream of work focuses on enabling J-PAKE, there are
no benefits to these functions for now.

Once algorithms that can benefit from this simplification are added,
adding back these functions can be reconsidered.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
fb4203dcff PSA PAKE: Call the scheme algorithm
The documentation is calling PAKEs protocols but it has an
psa_algorithm_t identifier. To align the terminology, the documentation
should call them algorithms as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
020da462d2 Fix PSA_PAKE_PRIMITIVE macro
Fix the typo in the macro definition and more specific parameter names
allow for future scripts to check validity of arguments.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
1101edb948 PSA PAKE: typo fixes in documentation
Also removes the mention of THREAD as we can't give a publicly available
reference for it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:12:08 +01:00
Janos Follath
ca2c167dcb PSA PAKE: fix doxygen warnings
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
7f1e81a98d PSA PAKE: specify key type and usage
The PSA_KEY_TYPE_PASSWORD key type to which this documentation change
refers to is not yet present in the code and will be introduced by a
parallel line of work.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b378d57840 PSA PAKE: add output size macros
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
9c6b147d98 PSA PAKE: Add J-PAKE to the interface
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
8a09ca9d94 PSA PAKE: Add dummy operation context
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
508afeca67 PSA PAKE: Add cipher suite structure
PAKE protocols make use of a range of cryptographic schemes and
primitives. Standards allow for several options to use for each of them.
They call the combination of specific algorithms cipher suites,
configurations or options.

Cipher suites are represented by a separate data type for several
reasons:
1. To allow for individual PAKE protocols to provide pre-defined cipher
   suites.
2. To organise cipher suites into a unit that can be handled separately
   from the operation context. The PAKE operation flow is already
   complex, will be even more so when key confirmation is added.
   Handling them separately should reduce the surface of the interface
   the application developer needs to pay attention at any given time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
38a5d35646 PSA PAKE: Add type for representing primitives
In most of the PAKEs the primitives are prime order groups, but some of
them might need the ring structure or just are using completely different
algebraic structures (eg. SRP or PQC schemes).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
b86273a6dc PSA PAKE: Add integral types
Add integral types for the draft version of PSA Crypto API PAKE
interface.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Janos Follath
5e5dcaced3 PSA PAKE: Add function declarations
Add function declarations for the draft version of PSA Crypto API PAKE
interface.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:07:47 +01:00
Thomas Daubney
4e9fb3985e Corrects documentation in ecdh.h
Commit corrects the documentation for
MBEDTLS_ECDH_LEGACY_CONTEXT in ecdh.h.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-03 11:51:08 +01:00