The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Previously, ecp_add_mixed(), commputing say P+Q, would allow for the
Q parameter to have an unset Z coordinate as a shortcut for Z == 1.
This was leveraged during computation and usage of the T-table
(storing low multiples of the to-be-multiplied point on the curve).
It is a potentially error-prone corner case, though, since an MPIs
with unset data pointer coordinate and limb size 0 is also a valid
representation of the number 0.
As a first step towards removing ECP points with unset Z coordinate,
the constant time T-array getter ecp_select_comb() has previously
been modified to return 'full' mbedtls_ecp_point structures,
including a 1-initialized Z-coordinate.
Similarly, this commit ...
- Modifies ecp_normalize_jac_many() to set the Z coordinates
of the points it operates on to 1 instead of freeing them.
- Frees the Z-coordinates of the T[]-array explicitly
once the computation and normalization of the T-table has finished.
As a minimal functional difference between old and new code,
the new code also frees the Z-coordinate of T[0]=P, which the
old code did not.
- Modifies ecp_add_mixed() to no longer allow unset Z coordinates.
Except for the post-precomputation storage form of the T[] array,
the code does therefore no longer use EC points with unset Z coordinate.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
psa_aead_encrypt_setup() and psa_aead_decrypt_setup() were returning
PSA_ERROR_INVALID_ARGUMENT, while the same failed checks were producing
PSA_ERROR_NOT_SUPPORTED if they happened in psa_aead_encrypt() or
psa_aead_decrypt().
The PSA Crypto API 1.1 spec will specify PSA_ERROR_INVALID_ARGUMENT
in the case that the supplied algorithm is not an AEAD one.
Also move these shared checks to a helper function, to reduce code
duplication and ensure that the functions remain in sync.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
ecp_select_comb() did previously not set the Z coordinate of the target point.
Instead, callers would either set it explicitly or leave it uninitialized,
relying on the (only partly upheld) convention that sometimes an uninitialized
Z value represents 1.
This commit modifies ecp_select_comb() to always set the Z coordinate to 1.
This comes at the cost of memory for a single coordinate, which seems worth
it for the increased robustness.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This improves readibility and prepares for further changes
like the introduction of a single double-width temporary for
ECP arithmetic.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Fix library references, tests and programs.
Testing is performed in the already present all.sh test.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
`ecp_add_mixed()` and `ecp_double_jac()` are the core subroutines
for elliptic curve arithmetic, and as such crucial for the performance
of ECP primitives like ECDHE and ECDSA.
This commit provides a very slight simplification and performance and
memory usage improvement to `ecp_add_mixed()` by removing the use of
three temporary MPIs used for coordinate calculations.
Where those variables were used, the code now writes directly to the
coordinate MPIs of the target elliptic curve point.
This is a valid change even if there is aliasing between input and
output, since at the time any of the coordinate MPIs in question is
written, the corresponding coordinates of both inputs are no longer
read.
(The analogous change in `ecp_double_jac()` can not be made since
this property does not hold for `ecp_double_jac()`.)
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit removes code from the Montgomery multiplication routine
`mpi_montmul()` which seems to serve no purpose.
Details: `mpi_montmul()` uses a temporary storage `T` for intermediate
results which is assumed to be of twice the size as the inputs to be
multiplied, and which is used as follows: After the i-th (i=0,1,...)
iteration, the n-limb word starting at `T->p + i + 1` contains the
Montgomery multiplication of B with the limbs 0,..,i of A, and the
variable `d` points to `T->p + i + 1`. In particular, after `n` iterations,
`T->p + n` holds the full multiplication
(subject to conditional subtraction).
As a consequence of this way of using the temporary `T`, the contents
of `{T->p, ..., T->p + i}` are irrelevant after the i-th iteration. Nonetheless,
the code copies `A[i]` to `T->p[i]` at the end of the i-th iterations, which is
redundant and can be removed.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
* Updated the default argument to create less noise with argument
passing.
* Reworded ChangeLog to match MbedTLS documentation/ announcement
requirements
Signed-off-by: Archana <archana.madhavan@silabs.com>
Pylint errors are fixed.
The Python script is improved to take default arguments when not
passed (eg invoked from root of the tree)
check-generated-files.sh and CMakeLists.sh updated.
Signed-off-by: Archana <archana.madhavan@silabs.com>
Moved python script generate_driver_wrappers.py under scripts and
corresponding template file under script/data_files.
Signed-off-by: Archana <archana.madhavan@silabs.com>
The file psa_crypto_driver_wrappers.c is deleted to be autogenerated.
Updated psa_crypto_driver_wrappers.h, this file only contains the
prototypes for the driver wrappers, we don't expect this to be auto
generated.
Signed-off-by: Archana <archana.madhavan@silabs.com>
Having an automatically generated header file makes it harder to have
working build scripts. The content of ssl_debug_helpers_generated.h isn't
likely to change often, so we can update it manually.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Running `generate_ssl_debug_helpers.py` generates both
`ssl_debug_helpers_generated.c` and `ssl_debug_helpers_generated.h`.
List the `.h` file as well as the `.c` file in `check-generated-files.sh` so
that `check-generated-files.sh -u` will complain if it isn't up to date.
List it in `Makefile` and `CMakeLists.txt` so that parallel builds know when
to wait until the `.h` file is present. In `Makefile`, declare the `.c` file
as depending on the `.h` file for order. This way, a dependency for either
will wait until the `.h` file is present, and since the `.h` file is
generated after the `.c` file, this guarantees that the `.c` file is
present.
This fixes random failures of `make -j` from a fresh checkout.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Zeroize temporary buffers used to sanity-check the signature.
If there is an error, overwrite the tentative signature in the output
buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.
Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_pk_parse_key() makes a temporary copy of the key when it calls
pk_parse_key_pkcs8_encrypted_der(), because that function requires a
writable buffer. pk_parse_key_pkcs8_encrypted_der() always rejects an
empty password, so skip calling it in that case, which allows us to
skip the allocation as well.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
"mbedtls_ssl_handshake_params: reorder fields to save code size" moved this
filed earlier along with byte-sized fields that should be in the 128-element
access window on Arm Thumb. This took away precious room in the 128-byte
window. Move it back further out.
Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2860 -> 2816 (diff: 44)
library/ssl_msg.o: 3080 -> 3076 (diff: 4)
library/ssl_srv.o: 3340 -> 3300 (diff: 40)
library/ssl_tls.o: 6546 -> 6478 (diff: 68)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The current testing of the PSA configuration is
based on test code located in the library itself.
Remove this code as we are moving to using a
test library instead.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Rename test driver entry points to
libtestdriver1_<name of the Mbed TLS entry point>.
This aligns with the renaming of all Mbed TLS APIs
for the test driver library (that will be put in place
in the following commits) to avoid name conflicts
when linking it with the Mbed TLS library.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
In preparation of the driver test entry points to be
provided by a test driver library, move their prototypes
to tests directory.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
In psa_asymmetric_encrypt/decrypt(), always return
PSA_ERROR_INVALID_ARGUMENT if the key is a PSA key
and the algorithm is not a PSA algorithm we know
about, whether RSA is supported or not.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define test driver entry points that provide an alternative
to Mbed TLS driver entry points only when the PSA configuration
is used. Their purpose is only to test the PSA configuration
thus there is no good reason to use them out of this scope.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The test entry points defined in psa_crypto_hash.c
and psa_crypto_mac.c are supposed to be exact
clones of the Mbed TLS driver entry points. Thus
the operation type should be the Mbed TLS operation
type not a test one. There was no compilation error
as the hash and cipher operation test types are
currently equal to the Mbed TLS ones.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Align RSA/ECP sign/verify hash dispatch with the
corresponding code of the library. The library
code was modified recently but not the test code
one and these modifications ease the following work.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Reorder fields mbedtls_ssl_handshake_params in order to save code on Arm
Thumb builds. The general idea is to put often-used fields in the direct
access window of 128 elements from the beginning of the structure.
The reordering is a human selection based on a report of field offset and
use counts, and informed by measuring the code size with various
arrangements. Some notes:
* This is the same reordering as the corresponding commit in #5189 for 2.2x.
* I moved most byte-sized fields at the beginning where they're sure to be
in the direct access window.
* I moved buffering earlier because it can be around the threshold depending
on the configuration, and it's accessed in a lot of places.
* I moved several fields, including update_checksum and friends, early so
that they're guaranteed to be in the early access window.
Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19763 -> 19687 (diff: 76)
library/ssl_msg.o: 24874 -> 24834 (diff: 40)
library/ssl_srv.o: 20754 -> 20562 (diff: 192)
library/ssl_tls.o: 21003 -> 20907 (diff: 96)
library/ssl_tls13_client.o: 7284 -> 7272 (diff: 12)
library/ssl_tls13_generic.o: 4749 -> 4721 (diff: 28)
library/ssl_tls13_keys.o: 5133 -> 5077 (diff: 56)
Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 3000 -> 2936 (diff: 64)
library/ssl_msg.o: 3084 -> 3080 (diff: 4)
library/ssl_srv.o: 3428 -> 3400 (diff: 28)
library/ssl_tls.o: 6754 -> 6730 (diff: 24)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace bitfields mbedtls_ssl_handshake_params by bytes. This saves some
code size, and since the bitfields weren't group, this doesn't increase the
RAM usage.
Replace several ints that only store values in the range 0..255 by uint8_t.
This can increase or decrease the code size depending on the architecture
and on how the field is used. I chose changes that save code size on Arm
Thumb builds and will save more after field reordering.
Leave the bitfields in struct mbedtls_ssl_hs_buffer alone: replacing them by
uint8_t slightly increases the code size.
Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19759 -> 19763 (diff: -4)
library/ssl_srv.o: 20790 -> 20754 (diff: 36)
library/ssl_tls13_keys.o: 5153 -> 5133 (diff: 20)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't use the output buffer in psa_aead_generate_nonce()
to pass the generated nonce to the driver as a local
attacker could potentially control it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
