Commit graph

7108 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
cac90a15ed Hide constants for TLS 1.0 and TLS 1.1
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:29:33 +02:00
Hanno Becker
d60b6c62d5 Remove per-version ciphersuite configuration API
This commit removes the API

```
    mbedtls_ssl_conf_ciphersuites_for_version()
```

which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.

With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.

This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and

```
   mbedtls_ssl_conf_ciphersuites()
```

can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:20:10 +02:00
Gilles Peskine
afb2bd2f22 Note that the byte order in mpi_fill_random_internal() is deliberate
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
405b091d9e Use MBEDTLS_MPI_CHK where warranted
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
ed32b576a4 New internal function mbedtls_mpi_resize_clear
The idiom "resize an mpi to a given size" appeared 4 times. Unify it
in a single function. Guarantee that the value is set to 0, which is
required by some of the callers and not a significant expense where
not required.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
87823d7913 Use ternary operator with the most common case first
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
e842e58f61 Correct some comments about ECC in mbedtls_mpi_random
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
03299dcf5b DHM: add notes about leading zeros
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
ebe9b6a51d mpi_fill_random_internal: remove spurious grow() call
Since the internal function mpi_fill_random_internal() assumes that X
has the right size, there is no need to call grow().

To further simplify the function, set the sign outside, and zero out
the non-randomized part directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
e5381686ef MPI random test: use more iterations for small numbers
In real life, min << N and the probability that mbedtls_mpi_random()
fails to find a suitable value after 30 iterations is less than one in
a billion. But at least for testing purposes, it's useful to not
outright reject "silly" small values of N, and for such values, 30
iterations is not enough to have a good probability of success.

Pick 250 iterations, which is enough for cases like (min=3, N=4), but
not for cases like (min=255, N=256).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
ee966c4ae4 Contextualize comment about mbedtls_mpi_random retries
This comment is no longer in the specific context of generating a
random point on an elliptic curve.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
1a7df4eda0 Fix mbedtls_mpi_random when N has leading zeros
mbedtls_mpi_random() uses mbedtls_mpi_cmp_mpi_ct(), which requires its
two arguments to have the same storage size. This was not the case
when the upper bound passed to mbedtls_mpi_random() had leading zero
limbs.

Fix this by forcing the result MPI to the desired size. Since this is
not what mbedtls_mpi_fill_random() does, don't call it from
mbedtls_mpi_random(), but instead call a new auxiliary function.

Add tests to cover this and other conditions with varying sizes for
the two arguments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
da7ee01589 DHM: use mbedtls_mpi_random for blinding and key generation
Instead of generating blinding values and keys in a not-quite-uniform way
(https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted code,
use mbedtls_mpi_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
8e38acc9a5 dhm_check_range: microoptimization
No need to build a bignum for the value 2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
17f1a26593 DHM refactoring: use dhm_random_below in dhm_make_common
dhm_make_common includes a piece of code that is identical to
dhm_random_below except for returning a different error code in one
case. Call dhm_random_below instead of repeating the code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
7b2b66e3f3 DHM blinding: don't accept P-1 as a blinding value
P-1 is as bad as 1 as a blinding value. Don't accept it.

The chance that P-1 would be randomly generated is infinitesimal, so
this is not a practical issue, but it makes the code cleaner. It was
inconsistent to accept P-1 as a blinding value but not as a private key.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
cb660f2bda DHM refactoring: unify mbedtls_dhm_make_{params,public}
Unify the common parts of mbedtls_dhm_make_params and mbedtls_dhm_make_public.

No intended behavior change, except that the exact error code may
change in some corner cases which are too exotic for the existing unit
tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
5921517126 ECP: use mbedtls_mpi_random for blinding
Instead of generating blinding values in a not-quite-uniform way
(https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted
code, use mbedtls_mpi_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
60d8b98d48 Preserve MBEDTLS_ERR_ECP_RANDOM_FAILED in case of a hostile RNG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
1e918f44c9 mbedtls_mpi_random: check for invalid arguments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
02ac93a1a3 Move mbedtls_mpi_random to the bignum module
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.

This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
8cfffb30b3 mbedtls_ecp_gen_privkey_sw: generalize to mbedtls_mpi_random
Rename mbedtls_ecp_gen_privkey_sw to mbedtls_mpi_random since it has
no particular connection to elliptic curves beyond the fact that its
operation is defined by the deterministic ECDSA specification. This is
a generic function that generates a random MPI between 1 inclusive and
N exclusive.

Slightly generalize the function to accept a different lower bound,
which adds a negligible amount of complexity.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
61f1f5febf mbedtls_ecp_gen_privkey_mx: simplify the size calculation logic
mbedtls_ecp_gen_privkey_mx generates a random number with a certain
top bit set. Depending on the size, it would either generate a number
with that top bit being random, then forcibly set the top bit to
1 (when high_bit is not a multiple of 8); or generate a number with
that top bit being 0, then set the top bit to 1 (when high_bit is a
multiple of 8). Change it to always generate the top bit randomly
first.

This doesn't make any difference in practice: the probability
distribution is the same either way, and no supported or plausible
curve has a size of the form 8n+1 anyway. But it slightly simplifies
reasoning about the behavior of this function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
67986d0613 mbedtls_ecp_gen_privkey_mx: make bit manipulations unconditional
Don't calculate the bit-size of the initially generated random number.
This is not necessary to reach the desired distribution of private
keys, and creates a (tiny) side channel opportunity.

This changes the way the result is derived from the random number, but
does not affect the resulting distribution.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
96449ceebe mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero
The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e3 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:04 +02:00
Gilles Peskine
55c46040f6 mbedtls_ecp_gen_privkey_mx: rename n_bits to high_bit
For Montgomery keys, n_bits is actually the position of the highest
bit and not the number of bits, which would be 1 more (fence vs
posts). Rename the variable accordingly to lessen the confusion.

No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Gilles Peskine
72fcc98d23 mbedtls_ecp_gen_privkey: create subfunctions for each curve type
Put the Montgomery and short Weierstrass implementations of
mbedtls_ecp_gen_privkey into their own function which can be tested
independently, but will not be part of the public ABI/API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Gilles Peskine
cce0601485 mbedtls_ecp_gen_privkey: minor refactoring
Prepare to isolate the Montgomery and short Weierstrass
implementations of mbedtls_ecp_gen_privkey into their own function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 18:10:03 +02:00
Manuel Pégourié-Gonnard
84191eab06
Merge pull request #4315 from Kxuan/feat-pre-compute-tls
Static initialize comb table
2021-06-03 11:41:54 +02:00
TRodziewicz
58d6eb5024 Removing unneeded comment
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-02 14:43:11 +02:00
Manuel Pégourié-Gonnard
1b1327cc0d
Merge pull request #4581 from TRodziewicz/remove_supp_for_extensions_in_pre-v3_X.509_certs
Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
2021-06-02 13:48:03 +02:00
Manuel Pégourié-Gonnard
df77624ab5
Merge pull request #4490 from TRodziewicz/Combine__SSL_<CID-TLS1_3>_PADDING_GRANULARITY_options
Combine _SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
2021-06-02 13:47:48 +02:00
Manuel Pégourié-Gonnard
1b3b27cbb0
Merge pull request #4587 from TRodziewicz/remove_3DES_ciphersuites
Remove 3DES ciphersuites
2021-06-02 11:01:42 +02:00
Gilles Peskine
9f5c34cc88
Merge pull request #4596 from gilles-peskine-arm/nist_kw-null_dereference-3.0
Fix null pointer arithmetic in NIST_KW
2021-06-01 16:40:19 +02:00
Gilles Peskine
89ee599092 Fix null pointer arithmetic in error case
When mbedtls_nist_kw_wrap was called with output=NULL and out_size=0, it
performed arithmetic on the null pointer before detecting that the output
buffer is too small and returning an error code. This was unlikely to have
consequences on real-world hardware today, but it is undefined behavior and
UBSan with Clang 10 flagged it. So fix it (fix #4025).

Fix a similar-looking pattern in unwrap, though I haven't verified that it's
reachable there.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-01 11:22:56 +02:00
kXuan
ba9cb76e9f
static initialize comb table
MBEDTLS_ECP_FIXED_POINT_OPTIM aims to speed up ecc multiplication performance.

We compute the comb table in runtime now. It is a costly operation.

This patch add a pre-computed table to initialize well-known curves. It speed up ECDSA signature verify process in runtime by using more ROM size.

Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-01 10:02:13 +08:00
Hanno Becker
cd817b0630 Remove misleading comment in TLS 1.3 key schedule code
The implementation documentation of

```
   mbedtls_ssl_tls1_3_derive_early_secrets()
```

mentioned the PSK binder key, which is misleading because the
function doesn't actually calculate it.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-31 19:40:45 +01:00
Manuel Pégourié-Gonnard
6d84e917bb
Merge pull request #4568 from creiter32/to_upstream/csr_critical_extensions
Expose flag for critical extensions
2021-05-31 12:46:59 +02:00
TRodziewicz
3670e387dc Remove 3DES ciphersuites
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-31 12:11:53 +02:00
Ronald Cron
ea62d2f391
Merge pull request #4369 from hanno-arm/relax_psk_config
Implement relaxed semantics for static PSK configuration in Mbed TLS 3.0
2021-05-31 10:03:56 +02:00
TRodziewicz
dee975af7d Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
Remove define

Add ChangeLog file and migration guide entry

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-28 15:27:01 +02:00
Ronald Cron
f1eb425782
Merge pull request #4469 from xiaoxiang781216/padlock
aes: Check aes_padlock_ace > 0 before calling padlock
2021-05-28 11:06:40 +02:00
Ronald Cron
c44a1d522a
Merge pull request #4507 from Venafi/userid-oid
Add OID for User ID
2021-05-28 10:43:41 +02:00
TRodziewicz
062f353804 Changes after code review
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-27 17:34:14 +02:00
TRodziewicz
cc7074128a Remove MBEDTLS_CHECK_PARAMS option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-27 17:33:32 +02:00
Mateusz Starzyk
e7dce558c9 Merge branch 'development' into mbedtls_private_with_python
Conflicts:
	include/mbedtls/ssl.h

Conflicts resolved by using code from development branch and
manually re-applying MBEDTLS_PRIVATE wrapping.
2021-05-27 16:02:46 +02:00
Mateusz Starzyk
03f00307a2 Add missing common.h include.
Remove obsolete config.h include when common.h is included.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-27 14:40:40 +02:00
Mateusz Starzyk
57d1d198ef Fix typo
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-27 14:39:53 +02:00
Christoph Reiter
95273f4b07 Expose flag for critical extensions
Enables creating X.509 CSRs with critical extensions.

Signed-off-by: Christoph Reiter <christoph.reiter@infineon.com>
2021-05-27 14:27:43 +02:00
Ronald Cron
142c205ffc
Merge pull request #4513 from Patater/psa-without-genprime-fix
psa: Support RSA signature without MBEDTLS_GENPRIME
2021-05-27 14:19:24 +02:00
TRodziewicz
46cccb8f39 _SSL_DTLS_BADMAC_LIMIT config.h option removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:36:21 +02:00
TRodziewicz
e8dd7097c3 Combine MBEDTLS_SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-26 13:19:08 +02:00
Hanno Becker
28e5f1ed57 Avoid unused variable warning in TLS 1.3 PSK binder calculation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-26 09:29:49 +01:00
Hanno Becker
c8d3ccd67b Fix Doxygen for TLS 1.3 PSK binder helper
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-26 04:47:29 +01:00
Gilles Peskine
b7abba28e3
Merge pull request #4515 from tom-daubney-arm/remove_rsa_mode_params_2
Remove rsa mode params part 2
2021-05-25 20:36:33 +02:00
Gilles Peskine
8a5304d446
Merge pull request #4553 from gilles-peskine-arm/aria_alt-3.0
Fix ARIA_ALT header and self-test and CAMELLIA_ALT self-test
2021-05-25 20:32:40 +02:00
Gilles Peskine
c537aa83f4 CAMELLIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 09:23:10 +02:00
Gilles Peskine
be89fea1a7 ARIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 09:23:10 +02:00
TRodziewicz
4ca18aae38 Corrections after the code review
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 13:38:00 +02:00
TRodziewicz
6370dbeb1d Remove the _SSL_FALLBACK_ parts
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:59 +02:00
TRodziewicz
2d8800e227 Small corrections in the comments
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:24 +02:00
TRodziewicz
b5850c5216 Correction of too restrictive ssl cli minor check
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:15 +02:00
TRodziewicz
ef73f01927 Removing strayed dtls1 after doing tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:04 +02:00
TRodziewicz
28126050f2 Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:48:12 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Hanno Becker
b7d9bad6be Add helper function for calculation of TLS 1.3 PSK binder
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-24 11:20:30 +01:00
Hanno Becker
ef5235bc2e Add TLS 1.3 second level key derivations
This commit adds helper functions to ssl_tls13_keys.[ch]
allowing to derive the secrets specific to each stage of
a TLS 1.3 handshake (early, handshake, application) from
the corresponding master secret (early secret, handshake
secret, master secret).

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-24 08:32:24 +01:00
Hanno Becker
2d8e99b097 Add API to query maximum plaintext size of incoming records
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Hanno Becker
9752aadd85 Make query API for state of MFL extension internal
This commit makes the API

- mbedtls_ssl_get_output_max_frag_len()
- mbedtls_ssl_get_input_max_frag_len()
- mbedtls_ssl_get__max_frag_len()

for querying the state of the Maximum Fragment Length
extension internal.

Rationale: The value those APIs provide to the user is in
upper bounds for the size of incoming and outgoing records,
which can be used to size application data buffers apporpriately
before passing them to mbedtls_ssl_{read,write}(). However,
there are other factors which influence such upper bounds,
such as the MTU or other extensions (specifically, the
record_size_limit extension which is still to be implemented)
which should be taken into account.

There should be more general APIs for querying the maximum
size of incoming and outgoing records.

For the maximum size of outgoing records, we already have such,
namely mbedtls_ssl_get_max_out_record_payload().

For the maximum size of incoming records, a new API will be
added in a subsequent commit.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-23 06:03:55 +01:00
Mateusz Starzyk
88fa17d1e9 Add missing 'common.h' include.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-21 18:10:44 +02:00
Mateusz Starzyk
2c09c9bca9 Introduce MBEDTLS_PRIVATE macro.
Public structs members are considered private and should not
be used by users application.

MBEDTLS_PRIVATE(member) macro is intended to clearly indicate
which members are private.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-21 18:07:06 +02:00
Thomas Daubney
d58ed587fd Restores erroneously removed checks
Some padding checks in rsa.c were
erroneously removed in a previous
commit and are restored in this
commit.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-21 11:50:39 +01:00
Janos Follath
7fc487c4d6
Merge pull request #4347 from hanno-arm/ssl_session_cache_3_0
Add session ID as an explicit parameter to SSL session cache API
2021-05-21 09:28:55 +01:00
Ronald Cron
ca72287583
Merge pull request #4304 from mstarzyk-mobica/convert_NO_SHA384_to_positive
Modify config option for SHA384.
2021-05-21 08:04:33 +02:00
Jaeden Amero
424fa93efd psa: Support RSA signature without MBEDTLS_GENPRIME
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-20 17:08:59 +01:00
Gilles Peskine
e913174c8a
Merge pull request #4543 from gilles-peskine-arm/undefined-reference-3.0
Fix missing compilation guard around psa_crypto_driver_wrappers.c
2021-05-20 17:20:31 +02:00
Gilles Peskine
3248be4b3a
Merge pull request #4462 from netfoundry/gcc11.fixes
build with gcc11
2021-05-20 15:54:23 +02:00
Gilles Peskine
f4c1d58607
Merge pull request #4453 from facchinm/crt_in_filesystem_mbed_os
mbed-os: allow storing certificates in filesystem
2021-05-20 15:53:47 +02:00
Ronald Cron
49fef37ebf
Merge pull request #4342 from gilles-peskine-arm/gcm-update-any-length
GCM: allow arbitrary lengths for update
Only the ABI-API-checking job failed and this is expected thus good to go.
2021-05-20 15:08:55 +02:00
Mateusz Starzyk
17011a3185 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
	library/version_features.c
	programs/test/query_config.c

Files were removed in development branch and modified by current branch.
Conflicts fixes by removing them.
2021-05-20 14:18:12 +02:00
Gilles Peskine
eb30b0cc39 Merge remote-tracking branch 'upstream-public/development' into no-generated-files-3.0
Conflicts: generated files that are removed in this branch and have
changed in development. Resolved by keeping the files removed.
2021-05-20 10:40:48 +02:00
Gilles Peskine
1411c7c0d6 Don't make configuration-independent files depend on config.h
Don't regenerate configuration-independent files when config.h or
crypto_config.h changes. These files only depend on the set of symbols
present in the headers and not on which symbols are enabled. To avoid
rebuilding the generated files whenever the configuration changes,
don't declare the configuration as a dependency.

In the rare event that a maintainer makes an edit to *config.h that
affects the generated files, they'll have to remove the generated files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Gilles Peskine
b5e08637ad Ignore generated source files that are no longer checked in
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-20 10:37:22 +02:00
Manuel Pégourié-Gonnard
729fa5be88
Merge pull request #4450 from mstarzyk-mobica/remove_null_entropy
Remove MBEDTLS_TEST_NULL_ENTROPY config option.
2021-05-20 09:19:55 +02:00
Gilles Peskine
1905a24488 Fix missing compilation guard around psa_crypto_driver_wrappers.c
Fix #4411.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 21:06:01 +02:00
Shawn Carey
aa13e93941 avoid "maybe-uninitialized" and "free-nonheap-object" errors/warnings with gcc11
Signed-off-by: Shawn Carey <shawn.carey@netfoundry.io>
2021-05-19 11:31:37 -04:00
Mateusz Starzyk
c6d94aba50 Fix remaining SHA384 dependencies and ifdef blocks.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-19 16:23:47 +02:00
Thomas Daubney
41e4ce4884 Removes RSA constants
This commit removes the RSA
constants MBEDTLS_RSA_PUBLIC
and MBEDTLS_RSA_PRIVATE because
they are now superfluous given
that the mode parameter has been
removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 15:10:05 +01:00
Thomas Daubney
cad59ed48e Removes mode param from rsa_rsassa_pss_sign
Commit removes the mode parameter
from the internal function
rsa_rsassa_pss_sign.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 15:04:08 +01:00
Manuel Pégourié-Gonnard
2213871654
Merge pull request #4489 from TRodziewicz/Remove__SSL_RECORD_CHECKING
Remove  ssl record checking
2021-05-19 13:57:51 +02:00
Thomas Daubney
782a7f5bd6 Removes mode param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify_ext
function. This change is propagated
throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:27:35 +01:00
Thomas Daubney
9e65f791b5 Removes f_rng param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes the f_rng parameter from
the mbedtls_rsa_rsassa_pss_verify_ext
function. This is in preparation for
the removal of the mode parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:18:58 +01:00
Thomas Daubney
578e9abcbd Removes p_rng param from mbedtls_rsa_rsassa_pss_verify_ext
Commit removes p_rng parameter from the
mbedtls_rsa_rsassa_pss_verify_ext function
in preparation for removal of the mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:14:57 +01:00
Dave Rodgman
9cf91affa2
Merge pull request #4536 from daverodgman/padlock-docs-fix
Fix docs for mbedtls_padlock_has_support
2021-05-19 12:12:14 +01:00
Thomas Daubney
5ee4cc031c Removes mode param from mbedtls_rsa_rsassa_pss_verify
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify
function and propagates the change
throughout the process.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:07:42 +01:00
Thomas Daubney
718a53db2c Removed f_rng param from mbedtls_rsa_rsassa_pss_verify
Commit removes f_rng parameter from
mbedtls_rsa_rsassa_pss_verify function in
preparation of mode parameter removal.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 12:01:35 +01:00
Thomas Daubney
08f4c9c571 Removes p_rng param from mbedtls_rsa_rsassa_pss_verify
Commit removes p_rng parameter from
mbedtls_rsa_rsassa_pss_verify function
as preparation for removing the mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:56:02 +01:00
Thomas Daubney
2e1262517c Removes mode parameter from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit removes mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_verify and
propagates the change throughout the
codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:48:53 +01:00
Thomas Daubney
475053df2c Removes f_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit performs removal of f_rng parameter
from mbedtls_rsa_rsassa_pkcs1_v15_verify
function in preparation for removal of mode
parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:44:27 +01:00
Thomas Daubney
cbc088f5d0 Removes p_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify
Commit removes p_rng from
mbedtls_rsa_rsassa_pkcs1_v15_verify function in
preparation of removal of mode parameter.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-19 11:39:58 +01:00
Ronald Cron
0e3ec27598
Merge pull request #4506 from gilles-peskine-arm/array-parameters-to-pointers-sha512
Change sha256 and sha512 output type from an array to a pointer
2021-05-19 12:37:17 +02:00
Mateusz Starzyk
3ea8e2d5ad Restore alphabetical order of SHA definitions
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-19 11:38:01 +02:00
Mateusz Starzyk
4228f895c0 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
* configs/config-psa-crypto.h: modified here, removed in development
* tests/suites/test_suite_x509parse.data: all conflicts are in depends_on
  lines where development made a change unrelated to MBEDTLS_SHAxxx and our
  branch either changed `MBEDTLS_SHA256_C` to `MBEDTLS_SHA224_C` or
  `MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384` to ``MBEDTLS_SHA384_C`, with
  no change to what the test does. Pick the other branch's dependency
  changes then apply our SHA dpeendency change.
2021-05-19 11:37:49 +02:00
Manuel Pégourié-Gonnard
5ca21db813 Fix misuse of MD API in SSL constant-flow HMAC
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-19 10:33:40 +02:00
Gilles Peskine
b7bb0687f7 Rework and reword the guarantees on output_size
To simplify the documentation, and because there are only two realistic
behaviors in practice, only allow two behaviors for multipart output:
immediate output, or buffering of the last partial block.

State some simple rules that applications can follow if they don't care about
the details.

Explicitly state how much output is needed for finish(). Only require the
buffer size to be the size of the actual output, not the size of the potential
output in the worst case. Rename the parameter from output_len to output_size
since it's a buffer size and not necessarily the length of the data.

No longer guarantee that the built-in implementation produces immediate
output.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 23:15:40 +02:00
Thomas Daubney
68d9cbca97 Removes mode param from mbedtls_rsa_pkcs1_verify
Commit removes mode parameter from
mbedtls_rsa_pkcs1_verify and propagates the
change throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:14:32 +01:00
Thomas Daubney
613d1a4fb7 Removes p_rng param from mbedtls_rsa_pkcs1_verify
Commit removes p_rng from mbedtls_rsa_pkcs1_verify
since p_rng has no relevance following the removal
of f_rng from this function.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
ac1331211e Removes f_rng parameter from mbedtls_rsa_pkcs1_verify
Commit removes f_rng parameter from
mbedtls_rsa_pkcs1_verify as a prerequisite
to removing the mode parameter. f_rng no
longer has relevance in this function if
mode is removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
de9fdc4b12 Removes mode param from mbedtls_rsa_rsassa_pss_sign
Commit removes the mode param from
mbedtls_rsa_rsassa_pss_sign and propagates
the changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:13 +01:00
Thomas Daubney
526549854c Removes mode param from mbedtls_rsa_rsassa_pkcs1_v15_sign
Commit removes the mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_sign and
propagates the change throughout the
codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 20:07:05 +01:00
Dave Rodgman
c1ae30a05e Fix docs for mbedtls_padlock_has_support
Fix a slight inaccuracy in the docs for the return value of
mbedtls_padlock_has_support.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-05-18 19:01:42 +01:00
Thomas Daubney
140184d029 Removes mode param from mbedtls_rsa_pkcs1_sign
Commit removes the mode parameter from
mbedtls_rsa_pkcs1_sign and progagates the
change to all relevant parts of the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 18:02:24 +01:00
Thomas Daubney
fa1581ea03 Modifies typedef of mbedtls_pk_rsa_alt_sign_func
This commit modifies the typedef of
mbedtls_pk_rsa_alt_sign_func and propagates the
associated changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-18 12:38:33 +01:00
Gilles Peskine
9c58274484 Remove automatically generated source files
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 22:48:08 +02:00
Gilles Peskine
687d1ab714 Makefile targets for automatically generated files
Run `make generated_files` to generate the automatically generated
C source files and build scripts.

Run `make neat` to remove all automatically generated files, even C
source files and build scripts.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 22:47:02 +02:00
Ronald Cron
fdcde47f36
Merge pull request #4458 from davidhorstmann-arm/remove-max-content-len
Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
2021-05-17 16:36:04 +02:00
Gilles Peskine
864b425156
Merge pull request #4488 from tom-daubney-arm/remove_rsa_mode_params
Remove rsa mode params part 1
2021-05-17 13:49:19 +02:00
Manuel Pégourié-Gonnard
9370f01391
Merge pull request #3927 from hanno-arm/ciphersuite_helper_macros
Unify naming scheme for macros indicating presence of classes of ciphersuites
2021-05-17 11:18:58 +02:00
Thomas Daubney
141700f057 Removes mode param from mbedtls_rsa_rsaes_oaep_encrypt
Removes mode parameter from
mbedtls_rsa_rsaes_oaep_encrypt and propagates
changes throughout the codebase.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Thomas Daubney
53e4ac64b7 Removes mode param from mbedtls_rsa_rsaes_pkcs1_v15_encrypt
Removal of mode parameter from
mbedtls_rsa_rsaes_pkcs1_v15_encrypt. This commit
propagates the change to all relevant function calls
and tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Thomas Daubney
2177277dda Removes mode param from mbedtls_rsa_pkcs1_encrypt
Removal of the mode parameter from
mbedtls_rsa_pkcs1_encrypt function. This change
is propagated throughout the codebase and to
relevant tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-17 10:11:05 +01:00
Manuel Pégourié-Gonnard
5605911fd3
Merge pull request #4447 from hanno-arm/ssl_config_cleanup
Avoid and remove some SSL error codes for Mbed TLS 3.0
2021-05-17 10:55:17 +02:00
Hanno Becker
8cce50d726 Remove reference to SSLv3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:15:52 +01:00
Hanno Becker
d086bf0c62 Fix typo
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:14:56 +01:00
Hanno Becker
31351cef6f Add missing escape character in multi-line preprocessor directive
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:14:56 +01:00
Hanno Becker
0cc4661365 Introduce helper macro for presence of stream ciphersuites
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:14:56 +01:00
Hanno Becker
fd86ca8626 Rename SOME_MODES_USE_MAC -> SOME_SUITES_USE_MAC
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-15 06:07:48 +01:00
Hanno Becker
541af8575e Use -1 instead of 1 as failure return value in internal SSL function
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 16:49:01 +01:00
Hanno Becker
e810bbc1ac Implement 3.0-semantics for mbedtls_ssl_{get,set}_session()
mbedtls_ssl_{get,set}_session() exhibited idempotent behaviour
in Mbed TLS 2.x. Multiple calls to those functions are not useful
in TLS 1.2, and the idempotent nature is unsuitable for support of
TLS 1.3 which introduces the availabilty to offer multiple tickets
for resumption, as well as receive multiple tickets.

In preparation for TLS 1.3 support, this commit relaxes the semantics
of `mbedtls_ssl_{get,set}_session()` by allowing implementations to
fail gracefully, and leveraging this freedom by modifying the
existing TLS 1.2 implementation to only accept one call to
`mbedtls_ssl_{get,set}_session()` per context, and non-fatally
failing all subsequent invocations.

For TLS 1.3, it will be leveraged by making multiple calls to
`mbedtls_ssl_get_session()` issue one ticket a time until no more
tickets are available, and by using multiple calls to
`mbedtls_ssl_set_session()` to allow the client to offer multiple
tickets to the server.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 16:27:54 +01:00
Hanno Becker
494dc71de8 Remove mbedtls_ssl_get_session_pointer()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 15:15:35 +01:00
Hanno Becker
fc1f4135c3 Use memset( x, 0, sizeof( x ) ) to clear local structure
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:57:54 +01:00
Hanno Becker
78196e366f Fix search for outdated entries in SSL session cache
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:55:15 +01:00
Hanno Becker
c3f4a97b8f Don't infer last element of SSL session cache twice
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:54:24 +01:00
Hanno Becker
466ed6fd08 Improve local variable naming in SSL session cache implementation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:54:00 +01:00
Hanno Becker
5cf6f7eafe Fix swapping of first and last entry in SSL session cache
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 14:45:04 +01:00
Hanno Becker
006f2cce2e Fix compile-time guard in session cache implementation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 04:57:44 +01:00
Hanno Becker
b94fdae3c3 Improve code structure for session cache query
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-14 04:57:40 +01:00
gabor-mezei-arm
d5218df572
Enable fallback to software implementation in psa_sign/verify_message driver
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:01 +02:00
gabor-mezei-arm
f048618b43
Unify variable type and rename to be unambiguous
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:01 +02:00
gabor-mezei-arm
2b8373f856
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:01 +02:00
gabor-mezei-arm
256443e64e
Change the driver calling logic for psa_sign/verify_messsage
The changed logic is to try a sign-message driver (opaque or transparent);
if there isn't one, fallback to builtin sofware and do the hashing,
then try a sign-hash driver. This will enable to the opaque driver
to fallback to software.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:00 +02:00
gabor-mezei-arm
6883fd248d
Rename sign/verify builtin functions called by driver wrapper functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:19:00 +02:00
gabor-mezei-arm
474a35f635
Return error if algorithm is not hash-then-sign for psa_sign_message
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
8b3e88614c
Use bool variable instead of enum values
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
12b4f34fff
Fix documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
6cdf637f88
Use switch-case for error handling
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
f9820f92cf
Fix for algorithms other than hash-then-sign
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:59 +02:00
gabor-mezei-arm
b5c1e37aff
Use driver-wrapper functions for psa_sign/verify_message
To avoid code duplication of the old-style SE interface usage
call psa_driver_wrapper_sign/verify_hash function instead of
the direct internal functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:58 +02:00
gabor-mezei-arm
df0f230762
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:58 +02:00
gabor-mezei-arm
0f62240942
Enable algorithms other than hash-then-sign
For psa_hash/verify_message other algorithms than hash-then-sign is
enabled like PureEdDSA.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:58 +02:00
gabor-mezei-arm
46c23a051c
Fix error checking
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:58 +02:00
gabor-mezei-arm
2522c0b1cd
Update macro names
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:58 +02:00
gabor-mezei-arm
50eac35d58
Dispatch sign/verify funtions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:57 +02:00
gabor-mezei-arm
38cbaf2881
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:57 +02:00
gabor-mezei-arm
5b44652593
Unify similar functions
Use common funtion for psa_sign_hash and psa_sign_message and one for
psa_verify_hash and psa_verify_message to unify them.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:57 +02:00
gabor-mezei-arm
4a21019653 Implement psa_sign_message and psa_verify_message functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-13 11:18:49 +02:00
Hanno Becker
845ceb7cc8 Improve readability and efficiency of SSL cache reference impl
The reference session cache implementation may end up storing multiple
sessions associated to the same session ID if the set()-call for the
second session finds an outdated cache entry prior to noticing the entry
with the matching session ID. While this logically overwrites the existing
entry since we always search the cache in order, this is at least a waste
of resources.

This commit fixes this by always checking first whether the given ID is
already present in the cache.

It also restructures the code for easier readability.

Fixes #4509.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 07:11:30 +01:00
Hanno Becker
f47199da26 Improve naming of helper function for reference session cache
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 07:09:09 +01:00
Hanno Becker
df56402623 Fix memory leak upon ciphersuite mismatch during session resumption
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 07:09:06 +01:00
Hanno Becker
7ad77963d1 Use shorthand local variable for session under negotiation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 06:13:34 +01:00
Hanno Becker
f6e09c6f83 Don't use ssl_check_xxx() for functions with void return
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-13 06:12:38 +01:00
Micah N Gorrell
21d4bdbb39 Add OID for User ID
Signed-off-by: Micah N Gorrell <micah.gorrell@venafi.com>
2021-05-12 17:46:56 -06:00
Gilles Peskine
d7b3d92476 Change sha256 output type from an array to a pointer
The output parameter of mbedtls_sha256_finish_ret and mbedtls_sha256_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-224 hash into a
28-byte buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:46:29 +02:00
Gilles Peskine
3e3a6789d1 Remove a kludge for the output size of mbedtls_sha512_finish_ret
Remove a kludge to avoid a warning in GCC 11 when calling
mbedtls_sha512_finish_ret with a 48-byte output buffer. This is correct
since we're calculating SHA-384. When mbedtls_sha512_finish_ret's output
parameter was declared as a 64-byte array, GCC 11 -Wstringop-overflow
emitted a well-meaning, but inaccurate buffer overflow warning, which we
tried to work around (successfully with beta releases but unsuccessfully
with GCC 11.1.0 as released). Now that the output parameter is declared as a
pointer, no workaround is necessary.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:46:10 +02:00
Gilles Peskine
e02e02f203 Change sha512 output type from an array to a pointer
The output parameter of mbedtls_sha512_finish_ret and mbedtls_sha512_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-384 hash into a
48-byte buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:32:45 +02:00
Thomas Daubney
3473308b5d Remove mode param from mbedtls_rsa_rsaes_pkcs1_v15_decrypt
Remove mode param from mbedtls_rsa_rsaes_pkcs1_v15_decrypt
and also modify and remove relevant tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:55:58 +01:00
Thomas Daubney
d21e0b780a Remove mode parameter from mbedtls_rsa_rsaes_oaep_decrypt function
Removing the mode parameter from the mbedtls_rsa_rsaes_oaep_decrypt
function. The change is progagated to all function calls, including in
test suite .function files. Additionally fully removing one test
where the wrong mode was being tested.

Signed-off-by: Tom Daubney <Thomas.Daubney@arm.com>
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:49:41 +01:00
Thomas Daubney
c7feaf349c Remove mode param from mbedtls_rsa_pkcs1_decrypt
The mode parameter has been removed from the
mbedtls_rsa_pkcs1_decrypt function. The change
has been progagated to all function calls,
including in test suite .function files.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 18:43:06 +01:00
Gilles Peskine
5d1f747d85
Merge pull request #4377 from mpg/psa-pbkdf2-api
PSA API for PBKDF2-HMAC
2021-05-12 18:00:30 +02:00
Thomas Daubney
99914146a4 Preparatory commit to remove tests
Removed a conditional compilation block
relating to MBEDTLS_PKCS1_V15 in
rsa_pkcs1_verify_raw function that was no
longer relevant.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-05-12 15:18:20 +01:00
Ronald Cron
7dbcc3c794
Merge pull request #4470 from d3zd3z/fix-posix-define
Check if feature macro is defined before define it
2021-05-12 15:47:12 +02:00
TRodziewicz
102c89ed65 Remove the MBEDTLS_SSL_RECORD_CHECKING option
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-12 13:28:59 +02:00
Ronald Cron
eb3e463380
Merge pull request #4247 from stevew817/dispatch_mac_operations
Dispatch MAC operations through the driver interface
Only API-ABI checking job failing which is expected thus CI OK.
2021-05-11 17:56:50 +02:00
Mateusz Starzyk
72f60dfcc1 Remove MBEDTLS_TEST_NULL_ENTROPY config option.
Building the library without entropy sources negates any and all security
provided by the library.
This option was originally requested a relatively long time ago and it
does not provide any tangible benefit for users any more.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-11 13:15:19 +02:00
Xiang Xiao
12e18369e8 aes: Check aes_padlock_ace > 0 before calling padlock
Sometime user may forget to call mbedtls_aes_setkey_enc or
mbedtls_aes_setkey_dec before mbedtls_aes_crypt_ecb and then
the code normally crash inside the assembly code. With this
patch, the code will stop inside the C source code which is
more convenient to locate the problem.

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Change-Id: I0e1d6b219f8709f8acaee5f345344335fc82fed3
2021-05-11 03:28:46 -07:00
Steven Cooreman
9e15fb783c Refactor out mac_sign_setup and mac_verify_setup
Since they became equivalent after moving the is_sign checking back to
the PSA core, they're now redundant, and the generic mac_setup function
can just be called directly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 11:10:34 +02:00
Steven Cooreman
8af5c5c7de Be explicit about why the zero-length check is there
Since a valid mac operation context would guarantee that the stored
mac size is >= 4, it wasn't immediately obvious that the zero-length
check is meant for static analyzers and a bit of robustness.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 11:09:13 +02:00
David Horstmann
95d516f319 Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-05-10 17:02:48 +01:00
Mateusz Starzyk
6326a8dd37 Fix SHA definitions and their dependencies in library and test suites.
Rework SHA224 and SHA283 documentation.
Define MBEDTLS_SHAxxx_C options in alphabetic order.
Fix SHA224 and SHA384 dependencies in test suites.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-05-10 13:51:53 +02:00
Steven Cooreman
d1a68f10c0 Supply actual key bits to PSA_MAC_LENGTH during MAC setup
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:14 +02:00
Steven Cooreman
b29902ac9f Correctly mark unused arguments when MAC algorithms are compiled out
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:14 +02:00
Steven Cooreman
0c23965977 Add sanity tests for CMAC-(3)DES through PSA Crypto
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:13 +02:00
Steven Cooreman
02865f5cbb Use the proper define guards in the MAC driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:13 +02:00
Steven Cooreman
2f60f20884 Remove superfluous checking from MAC driver
The PSA core checks the key type and algorithm combination before
calling the driver, so the driver doesn't have to do this once more.

The PSA core will also not start an operation with a requested length
which is larger than the full MAC output size, so the output length check
in the driver isn't needed as long as the driver returns an error on
mac_setup if it doesn't support the underlying hash algorithm.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:13 +02:00
Steven Cooreman
72f736a191 Move is_sign and mac_size checking back to PSA core scope
It makes sense to do the length checking in the core rather than expect
each driver to deal with it themselves. This puts the onus on the core to
dictate which algorithm/key combinations are valid before calling a driver.

Additionally, this commit also updates the psa_mac_sign_finish function
to better deal with output buffer sanitation, as per the review comments
on #4247.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-10 11:29:13 +02:00
Steven Cooreman
f45f071f01 Minor documentation and language fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
3409b02b27 Remove superfluous check
As psa_mac_sign_finish / psa_mac_verify_finish already checks that the
operation structure is valid (id is non-zero), the driver itself doesn't
have to check for that anymore. If the operation has a driver ID assigned,
it means that driver has returned success from its setup function, so the
algorithm value will be set correctly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
8f37004bd7 Remove unused variable from MAC driver structure
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
dcd0811501 Remove superfluous length check
The key passed to the driver has been imported by the PSA Core, meaning
its length has already been verified, and the driver can rely on the
buffer length and key attributes being consistent.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
094a77e79c Code flow and style improvements
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
a6df6040ee Base the PSA implementation of TLS 1.2 PRF on the MAC API
This means there is no longer a need to have an internal HMAC API, so
it is being removed in this commit as well.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
d1ed1d935f Make HKDF use the generic MAC API
Such that the underlying HMAC can be accelerated if such a driver is present

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
dd1a915c0f Rename HMAC operation structure
Prefix with 'mbedtls_psa' as per the other types which implement some
sort of algorithm in software.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
36876a01a4 Make safer_memcmp available to all compile units under PSA
Now renamed to mbedtls_psa_safer_memcmp, it provides a single location
for buffer comparison.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
a4638e708e Remove redundant key_set from MAC operation structure
The purpose of key_set was to guard the operation structure from being
used for update/finish before a key was set. Now that the implementation
fully adheres to the PSA API, that function is covered by the `alg`
variable instead. It's set to the algorithm in use when a key is set, and
is zero when the operation is reset/invalid.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
ba9a5bf5e7 Code flow/readability improvements after review
* Early return since there's nothing to clean up
* Get rid of unnecessary local variable
* Check algorithm validity for MAC in the PSA core instead of in the driver

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
02fc62a6fa Remove unused items from MAC operation context structure
Apparently it was at some point assumed that there would be
support for MAC algorithms with IV, but that hasn't been
implemented yet. Until that time, these context structure
members are superfluous and can be removed.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
c7f0a576b6 Add testing of the MAC driver entry points
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:33:50 +02:00
Steven Cooreman
d1955af5df Rename internal HMAC structure type to match convention
Typedef'ed structures are suffixed _t
Also updated the initialiser macro with content that actually
matches the structure's content.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00
Steven Cooreman
4fdf060a81 Complete, document and fully use internal HMAC API
Since HMAC moved into its own compilation unit, the internal API needed
to be documented and finalized. This means no more reaching deep into
the operation structure from within the PSA Crypto core. This will make
future refactoring work easier, since internal HMAC is now opaque to the
core.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-07 23:32:32 +02:00