Commit graph

1089 commits

Author SHA1 Message Date
Gilles Peskine
9c3e060253 Explain the design of mbedtls_psa_get_random better
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-05 16:03:55 +01:00
Gilles Peskine
0c59ba88cb Fix the error detection in psa_generate_random
If a call to mbedtls_psa_get_random other than the last one failed,
this went undetected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-05 14:10:59 +01:00
Gilles Peskine
71ddab9154 Simplify the chunk loop in psa_generate_random
Make the code slightly more readable and slightly smaller.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-04 21:01:07 +01:00
Fredrik Strupe
462aa575a4 PSA Crypto: Don't skip key data removal when SE driver is not in use
Closing a wrapped key with the new SE driver interface while
MBEDTLS_PSA_CRYPTO_SE_C is also enabled leads to the key material not
being freed, even though an old SE driver is not in use, leading to a
memory leak. This is because a wrapped key is also considered external.

This commit extends the check for skipping by checking whether an
old-style SE driver is registered with the provided slot, in addition to
checking whether the key is external.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-12-17 11:05:36 +01:00
Gilles Peskine
b2b64d3642 Rename psa_crypto_random.h to psa_crypto_random_impl.h
Make it clear that this is an abstraction of the random generator
abstraction, and not an abstraction of the PSA random generator.

mbedtls_psa_get_random and MBEDTLS_PSA_RANDOM_STATE are public-facing
definitions and will be moved in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 16:43:58 +01:00
Gilles Peskine
8814fc4a34 Make mbedtls_psa_get_random more usable outside psa_crypto.c
In the external RNG case, don't make mbedtls_psa_get_random() a
static inline function: this would likely result in identical
instances of this function in every module that uses it. Instead, make
it a single function with external linkage.

In the non-external case, instead of a trivial wrapper function, make
mbedtls_psa_get_random a constant pointer to whichever DRBG function
is being used.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 15:33:44 +01:00
Gilles Peskine
5894e8e7a4 Replace mbedtls_psa_random_state( ... ) by MBEDTLS_PSA_RANDOM_STATE
Hide the obtention of the pointer to the RNG state behind a macro.

To make it possible to use this macro in a module other than
psa_crypto.c, which will happen in the future, make sure that the
definition of the macro does not reference internal variables of
psa_crypto.c. For this purpose, in the internal-DRBG case, export a
symbol containing the address of the DRBG state.

When the RNG state is a pointer a DRBG state, just keep this pointer
in a variable: there's no need to store a pointer to a larger structure.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 14:57:24 +01:00
Gilles Peskine
2b759626a9
Merge pull request #3948 from bensze01/update_psa_values
Update the values of PSA Crypto API macros to version 1.0.0
2020-12-08 11:03:33 +01:00
Bence Szépkúti
cbe395332c Substitute PSA_ALG_STREAM_CIPHER into all files
Deprecate PSA_ALG_ARC4 and PSA_ALG_CHACHA20.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:01:31 +01:00
Bence Szépkúti
1de907d4a4 Introduce PSA_ALG_STREAM_CIPHER
This algorithm replaces the pre-existing stream cipher algorithms.
The underlying stream cipher is determined by the key type.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 21:03:05 +01:00
John Durkop
6ca2327150 Update guards for ALG_SHA_224 and ALG_SHA_384 in crypto library
The previous revision of guards around SHA_224 and SHA_384 were not
correct. This set of changes ensures the proper code is available
when SHA_224 and SHA_384 are enabled for use.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-12-03 06:07:04 -08:00
John Durkop
d62b678473 Minor updates to address review comments
Removed unecessary checks on the ALG_SHA_224 and ALG_SHA_384 since
those are handled in config_psa.h by ensuring the correct _C is
included. Reformatted config_psa.h to be alphabetical and made the
assignments line up correctly for consistency. Fixed the guards
for ALG_SHA_224 and ALG_SHA_384 to be correct in the crypto library
source.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-30 21:06:05 -08:00
John Durkop
ee4e6602bd Use new MBEDTLS_PSA_BUILTIN_ macros for hashes in crypto library
This set of changes converts all the previous MBEDTLS_*_C guards in
the crypto library to use the new MBEDTLS_PSA_BUILTIN_ guards for
hash algorithms.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-27 08:48:46 -08:00
gabor-mezei-arm
452b0a32ad Update documentation
The return values of the functions are updated in the documetation.
All possible return values are added including nested functions' return
values. The values which cannot be returned are removed.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-11-25 13:10:50 +01:00
gabor-mezei-arm
fe30924c45 Use PSA_ERROR_DATA_INVALID error code
If the file is read correctly, but it contains data that isn't valid,
the crypto storage code returns PSA_ERROR_DATA_INVALID.
The PSA_ERROR_DATA_CORRUPT and PSA_ERROR_STORAGE_FAILURE error codes are
replaced with PSA_ERROR_DATA_INVALID, except in the ITS subsystem.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-11-24 13:37:52 +01:00
Gilles Peskine
bee96c8db9 Explain the conditions for checking DRBG error codes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 21:00:09 +01:00
Gilles Peskine
82e57d1611 PSA: support HMAC_DRBG
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.

Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
4fc21fdeb6 Implement MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Implement support for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.

For test purposes, write an implementation that uses libc rand().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
1c49f1ac46 Include headers in psa_crypto.h for mbedtls_to_psa_error
psa_crypto must be able to convert error codes even from modules that
it doesn't call directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 16:28:09 +01:00
Gilles Peskine
30524eb7e5 psa_crypto: create random and drbg abstraction
Create wrapper functions around calls to CTR_DRBG and around calls to
entropy+DRBG. This is in preparation for allowing alternative DRBG
implementations that use the Mbed TLS entropy module, or complete RNG
implementations that bypass the entropy module as well.

This is purely a refactoring commit. No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 16:27:40 +01:00
Gilles Peskine
90edc99e30 Create a header file for PSA crypto random generator abstraction
Subsequent commits will move declarations and definitions there.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 16:27:40 +01:00
Gilles Peskine
9aaa3e164a
Merge pull request #3786 from stevew817/feature/generate_pubkey_in_driver
Add export_public_key entry point for drivers
2020-11-23 11:54:53 +01:00
Gilles Peskine
662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Steven Cooreman
b9b844220b Plug in the entry point for public key export through driver
Including test.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-11-20 17:31:24 +01:00
Ronald Cron
5c522920ba psa: Rename functions to get a key slot
Rename functions to get a key slot:
. to make their naming more consistent
. to emphasize that those functions set a lock on the
  key slot they return to protect it from being wiped
  out and re-used while some part of the library
  is accessing it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron
81709fc78e psa: Move key identifier return to psa_finish_key_creation()
Move the return of the identifier of a created key from
psa_start_key_creation() to psa_finish_key_creation().
That way in case of creation error, it is less likely to
return the identifier that was temporarily assigned to
the key while trying to create it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron
5097294be9 psa: Decrement slot access count when finalizing key creation
Decrement the slot access count in psa_finish_key_creation()
when the finalization succeeds instead of in functions calling
psa_finish_key_creation(). That way the decrementation cannot
be forgotten and it reduces the code size.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron
4640c15deb psa: Remove error message output
Remove error message output in case of
unexpected access counter as

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron
cbd7beab0d psa: slot mgmt: Simplify psa_validate_key_id
Special handling of volatile key identifiers is not
needed eventually, they can be handled just as
key identifier in the vendor range.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
John Durkop
07cc04a8ad Updates to PSA crypto library based on review comments
Moved new check_crypto_config.h file from include/psa to library
directory and the file is now included from *.c instead of the
crypto_config.h file. Fixed guards in PSA crypto library based
on review comments for new PSA crypto config features.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-18 08:09:49 -08:00
John Durkop
5cc8dfb404 Removed final MBEDLTS_MD_C guard in PSA crypto library
There was one lingering MBEDTLS_MD_C that needed to be removed since
it is no longer needed.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-13 06:45:40 -08:00
Ronald Cron
7587ae49cb Miscellaneous documentation improvements
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-13 09:49:01 +01:00
John Durkop
6ba40d1faa Corrected guards in PSA library based on review comments
Revised the placement of various new MBEDTLS_PSA_BUILTIN_xxx
guards based on review comments. Corrected guards in psa
test driver to use _ACCEL version instead of _BUILTIN version.
Updated check_config_psa.h to include additional dependency checks
for more algorithms. Renamed some of the new tests to be a little
more clear on the purpose.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-12 10:21:40 -08:00
Ronald Cron
19daca9b2e Prefer persistent over permanent
For consistency across the code base, prefer
persistent over permanent to qualify a key
stored in persistent storage.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-11 15:12:16 +01:00
Ronald Cron
f291111007 psa: Do not reset a key slot under access
When psa_close/destroy/purge_key is called, do not
reset a key slot containing the description
of a persistent key if it is currently accessed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron
ddd3d05803 psa: Add access counter check in slot wipe
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron
f95a2b1190 psa: mgmt: Add key slot access counter
Add key slot access counter to be able to
state if a key slot containing the description
of a permanent key can be reset or reset
and re-used.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron
54b900827b psa: Forbid creation/registration of keys in vendor range
The identifier of keys created/registred should be in
the application range.

This is by spec for key creation.
This may change for registered key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron
65f38a3c2e Add key id check when creating a volatile key
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron
d98059d599 psa: Fix tests/handling of lifetime incompatible with location
The lifetime of key attributes now encodes whether a key is
volatile/persistent or not AND its location.
Fix PSA code where the fact that the lifetime encodes
the key location was not taken into account properly.

Fix the impacted tests and add two non regression tests.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:18:15 +01:00
Ronald Cron
3c76a42475 Improve psa_key_start_creation description
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron
fc9c556127 Forbid volatile key identifiers for non volatile keys
Volatile key identifiers in the vendor range are
reserved to volatile keys thus don't allow them
for persistent keys when creating a key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron
cf56a0a320 psa: Move from key handle to key identifier
Move all the PSA crypto APIs using key handles
to use key identifiers but psa_key_open() and
psa_key_close(). This is done without modifying
any test as key handles and key identifiers are
now the same.

Update the library modules using PSA crypto APIs
to get rid of key handles.

Programs and unit tests are updated to not use
key handles in subsequent commits, not in this
one.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c4d1b514ab Define handles as key identifiers
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.

The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c26f8d467a Introduce psa_key_handle_is_null inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
91e9515424 Introduce PSA_KEY_HANDLE_INIT macro
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
2a99315cc5 Add volatile key identifiers
Volatile key identifiers are introduced in
PSA Crypto API v1.0.0. They are returned by the APIs
when importing or generating or deriving a volatile key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:31 +01:00
John Durkop
9814fa2b08 Minor updates from review comments
Updated macros in config_psa.h that used ECC_xxx to use KEY_TYPE_ECC_xxx
per comments from review. Implemented a check_config_psa.h to help with
dependency checking of features enabled in config_psa.h. Added
check_config_psa.h to visual studio project.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
0e00519711 Add feature support for RSA for PSA crypto config
In the original attempt to add RSA support to PSA crypto config was too
generic. This set of changes adds support for the following RSA features:
PSA_WANT_ALG_RSA_PKCS1V15_CRYPT, PSA_WANT_ALG_RSA_PKCS1V15_SIGN,
PSA_WANT_ALG_RSA_OAEP, PSA_WANT_ALG_RSA_PSS, PSA_WANT_KEY_TYPE_RSA_KEY_PAIR,
and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY.

There were also some updates to ensure the proper inclusion of PSA crypto
library code when certain features are enabled. These updates were made to
address warnings and errors in builds from the new tests for these
features being added for PSA crypto configuration.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:41 -08:00
John Durkop
f4c4cb008c Added additional support for ECP for PSA_CRYPTO_CONFIG
The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously
being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change
moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR
and PUBLIC_KEY as needed. Tests have also been added to validate the new
settings.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:11:35 -08:00
John Durkop
d032195278 Phase 2 support for MBEDTLS_PSA_CRYPTO_CONFIG
This phase adds in support for the following features being
added to the list of features that can be configured in the
include/psa/crypto_config.h header file using the PSA_WANT_ALG_xxx
macros: ECDH, HMAC, HKDF, and RSA. These changes include changes to
the PSA crypto library to use the appropriate new guards that
will allow the feature to be compiled in or out either using
new PSA_WANT_ALG_xxx or the previous MBEDTLS_xxx macros.

For HKDF and HMAC, most of the PSA library code did not have a
specific matching MBEDTLS_xxx macro for that feature, but was instead
using the generic dependent MBEDTLS_MD_C macro. The ECDH and RSA
features more closely aligned with a direct replacement with a similar
macro.

The new tests for RSA, HMAC, and HKDF would normally unset additional
dependent macros, but when attempting to implement that level of
testing it required removal of too many core features like MD_C, PK_C,
ECP_C and other low level features. This may point to additional phases of
work to complete the transition of these features to the new model.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-10 06:10:29 -08:00
Ronald Cron
d2ed4815da Split persistence and key id validation
With key usage based on key identifiers and not
key handles (openless APIs), volatile keys will
also have a key identifier. Thus, isolate key
identifier validation from key persistence
validation to clarify that key identifiers
are not specific to persistent keys.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-09 15:14:38 +01:00
Gilles Peskine
a455e71588
Merge pull request #3780 from stevew817/feature/validate_key_in_driver
Add validate_key hooks and tests
2020-11-02 11:37:42 +01:00
Steven Cooreman
40120f6b76 Address review comments
* zero key buffer on failure
* readability improvements
* psa_finish_key_creation adjustment after removing import_key_into_slot

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-30 10:20:01 +01:00
Steven Cooreman
162ec8758f Detecting bit size is no longer required
Storage format has been changed to always store the key's bit size

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-29 12:04:31 +01:00
Gilles Peskine
2d0b7231f7
Merge pull request #3712 from jdurkop/psa-crypto-config-ecdsa-3670
Introduce MBEDTLS_PSA_CRYPTO_CONFIG and use it for ECDSA
2020-10-27 17:40:04 +01:00
John Durkop
f87e3aea16 Update guards in PSA crypto library for ECDSA and DETERMINISTIC support
In the PSA crypto library, the code for verification of ECDSA is the same for
both MBEDTLS_PSA_BUILTIN_ALG_ECDSA and
MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA. So, the guards should allow for
either one to enable the code blocks. The original implementation only had
the check for ECDSA. In order to make this work, config_psa.h was updated
to ensure when MBEDTLS_CRYPTO_CONFIG is disabled, the setting for DETERMINISTIC
is only updated if MBEDTLS_ECDSA_C is also enabled.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-26 15:25:23 -07:00
Steven Cooreman
3ea0ce450f Separate 'import' from 'load into slot'
Now that there's a validate_key entry point for drivers, it becomes
much more important to separate the import action (where a key needs
to be validated) from the load action (where a key has been
previously validated, and thus re-validating it would be a waste of
time).

This also exposes why not storing the 'bits' attribute persistently
was a bad idea. The only reason there's a rather large function to
detect bit size is because loading from persistent storage requires
it.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
f7cebd4a2b Add internal helper function to load prevalidated key material
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
0452476eac Implement, plug in and test validate_key driver entry point
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
398aee5742 Rework psa_copy_key_material
There's no need for calling export-and-import when the key is
guaranteed to have been stored in export representation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Gilles Peskine
01fc209969
Merge pull request #3748 from torstenes/3740_PSA_key_storage_systematically_store_bits
Changes PSA key storage format to include key bits
2020-10-26 15:33:58 +01:00
Gilles Peskine
b7eaa77e2a
Merge pull request #3743 from stevew817/bugfix/use_ecdh_key_in_streamlined_derivation
Fix PSA crypto inconsistencies in agreement+derivation
2020-10-21 13:25:21 +02:00
Ronald Cron
60ca77ca75
Merge pull request #3730 from gilles-peskine-arm/psa_generate_key-curve25519
Fix psa_generate_key on Curve25519
2020-10-21 09:03:00 +02:00
Steven Cooreman
fa5e631d23 Apply review feedback
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-15 17:07:12 +02:00
John Durkop
0ea39e0ee4 Correct use of MBEDTLS_PSA_BUILTIN_ALG_xxx in crypto library
The psa crypto library was generically using PSA_WANT_ALG_xxx, but
should have been using the correct MBEDTLS_PSA_BUILTIN_ALG_xxx
definition since that code is the builtin version. There were also
a couple of spots that needed to ensure the code block was enabled
for either ECDSA or DETERMINISTIC_ECDSA, not just one of them.

Fixed all the new ALG_ECDSA_DETERMINISTIC names to be
ALG_DETERMINISTIC_ECDSA instead.

Fixed test to use correct definitions.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-15 07:39:02 -07:00
Torstein Nesse
162a1104be Changes PSA key storage format to include key bits
* Stores bits in psa_persistent_key_storage_format.
* psa_load_persistent_key_into_slot still imports plaintext keys which
  ensures that the bits value gets set.
* Updates key specification to match new implementation.
* Expands persistent store and load tests with to check for bits
  attribute.
* Removes bits storage from psa_se_key_data_storage_t.

Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
2020-10-07 10:54:24 +02:00
Steven Cooreman
0ee0d52967 Fix PSA crypto inconsistencies in agreement+derivation
* #3742 After input of a key as SECRET in the derivation, allow the
        derivation result to be used as key.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-05 16:08:18 +02:00
Steven Cooreman
ce48e85db9 Fix PSA crypto inconsistencies in agreement+derivation
* #3741 Allow key agreement inside derivation with a key that's allowed
        for the relevant agreement.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-05 16:02:45 +02:00
Gilles Peskine
2acbed387d psa_generate_key: remove the bit-size sanity check
In psa_generate_key_internal() for ECC keys, remove the check that the
bit-size according to Mbed TLS is equal to the requested bit-size.
This check was necessary back when the PSA API encoded curves and key
sizes independently, in order to reject combinations such as SECP256R1
with a 512-bit size. Since the curve encoding changed to specifying a
curve family and a size separately, the Mbed TLS curve id (grp_id) and
the curve data (curve_info) are now determined from the size, and
checking that (curve_info->bit_size == bits) is now only a redundant
sanity check.

This check is actually buggy, because PSA Crypto and Mbed TLS don't
have exactly the same notion of key size. PSA thinks Curve25519 is
255-bit and secp224k1 is 225-bit, but Mbed TLS thinks they're 256-bit
and 224-bit respectively. Removing the check allows key generation to
work for these curves.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 22:03:29 +02:00
Fredrik Strupe
f90e3019dd Use PSA_ERROR_INVALID_ARGUMENT for invalid cipher input sizes
... as opposed to PSA_ERROR_BAD_STATE.

The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:

"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."

Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.

This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-09-30 12:26:58 +02:00
John Durkop
d8959390c5 Add ECDSA support to PSA crypto configuration
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
Steven Cooreman
6d81f7e119 Final feedback from @ronald-cron-arm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman
ef8575e1bf Apply review feedback
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
  is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
  the spec says it won't.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman
a07b9970c6 Update semantics around driver context use in psa_cipher_setup
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:39 +02:00
Steven Cooreman
e55f3e8de4 Make sure to not call mbedtls_cipher_free on an uninitialised context
As pointed out by Gilles

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman
b5e52f2e31 Remove superfluous call in PSA cipher setup
As pointed out by Ronald. The key slot is populated using
get_key_from_slot, and after calling the driver the slot is
validated to not contain an external key, so calling
get_transparent_key is superfluous.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman
7df0292f5a Check & set operation flags for both driver and software in the core
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:30 +02:00
Steven Cooreman
fb81aa5889 Only pass the driver-relevant portion of the context struct
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Steven Cooreman
5240e8b519 Style and language fixes from review
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Steven Cooreman
8b12225717 Add a working implementation of a multipart AES-CTR test driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Steven Cooreman
d3feccd3a5 Restructure cipher context object to contain driver switch
Once an operation has been 'accepted' by a driver, the remainder is bound
to the same driver, since driver-specific context structs cannot be shared.
This provides a pretty good gate mechanism for the fallback logic, too.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:52 +02:00
Steven Cooreman
37941cb5e1 Add initial pass on a multi-part test driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:30:14 +02:00
Gilles Peskine
b1d3f2779b
Merge pull request #3480 from stevew817/feature/aes-ecb
Added support for AES-ECB to the PSA Crypto implementation
2020-09-14 14:45:14 +02:00
Steven Cooreman
177deba54b Fix style and pull out ECB processing in separate function
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-07 17:14:14 +02:00
Steven Cooreman
8d2bde77a1 Make sure software fallback isn't tried on opaque keys
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:28 +02:00
Steven Cooreman
2a1664cb49 Add & splice in test driver for ECC keygen
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman
0116416e61 Expose mbedtls_error_to_psa_status for use in test drivers
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman
55ae2176ab Add and splice in signature verification through driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman
7a2505788c Move handling of 'SE' drivers into driver wrappers
This is a more natural place for handling the drivers belonging to the
'previous' SE driver spec. It makes for a cleaner psa_crypto.c, and
potentially an easier overview of how to migrate from the old SE driver
interface to the 'opaque accelerator' interface.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman
cd84cb4903 Add a handcrafted first version of the driver wrapper code
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:26 +02:00
Steven Cooreman
ffecb7b982 Implement support for multipart ECB and add tests
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 17:00:24 +02:00
Steven Cooreman
a6033e92af Style and language fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 12:32:22 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Steven Cooreman
d4867877f1 Initialize key pointer in ecdh to NULL
Since it is being dereferenced by free on exit it should be inited to NULL.
Also added a small test that would trigger the issue.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:47 +02:00
Steven Cooreman
b7f6deaae7 Add buffer zeroization when ecp_write_key fails
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:47 +02:00
Steven Cooreman
fd4d69a72e Simplified key slot deletion
And zeroize key buffer before freeing to avoid keys hanging around on the
heap.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:32 +02:00
Steven Cooreman
291498600b Style fixes
* return is treated as a function call
* space between opening and closing parentheses
* remove whiteline between assignment and checking of same variable

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 16:44:24 +02:00
Steven Cooreman
4fed455347 Apply review feedback
* No need to check for NULL before free'ing
* No need to reset variables that weren't touched
* Set output buffer to zero if key output fails
* Document internal functions and rearrange order of input arguments to
  better match other functions.
* Clean up Montgomery fix to be less verbose code

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-03 14:46:12 +02:00
Steven Cooreman
3fa684ed91 Allow importing Montgomery public keys in PSA Crypto
PSA Crypto was checking the byte length of a to-be-imported public ECP key
against the expected length for Weierstrass keys, forgetting that
Curve25519/Curve448 exists.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:35:14 +02:00
Steven Cooreman
7f39187d6b Convert load_xxx_representation to take buffers instead of a whole slot
Avoids stack-allocating a key slot during ECDH, and mock-attaching a
key to a key slot during key import.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:21:41 +02:00
Steven Cooreman
6d839f05bf Cleanup
* No null-check before calling free
* Close memory leak
* No need for double check of privkey validity

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:21:41 +02:00
Steven Cooreman
a2371e53e4 Update after feedback from #3492
* Allocate internal representation contexts on the heap (i.e. don't change
  where they're being allocated)
* Unify load_xxx_representation in terms of allocation and init behaviour

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-28 14:30:39 +02:00
Steven Cooreman
75b743666e Update after feedback on #3492
* Updated wording
* Split out buffer allocation to a convenience function
* Moved variable declarations to beginning of their code block

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-28 14:30:13 +02:00
Steven Cooreman
19fd574b3a Disconnect knowing about a PSA key type from knowing the mbedTLS API
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:46:21 +02:00
Steven Cooreman
560c28a1ac Unify key handling logic
Now that both ECP and RSA keys are represented in export representation,
they can be treated more uniformly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman
acda8346bf Remove ECP internal representation from key slot
Change to on-demand loading of the internal representation when required
in order to call an mbed TLS cryptography API.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman
a01795d609 Remove RSA internal representation from key slot
Change to on-demand loading of the internal representation when required
in order to call an mbed TLS cryptography API.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman
81be2fa0b2 Pull apart slot memory allocation from key validation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman
71fd80d279 Re-define members of psa_key_slot_t
In preparation for the implementation of the accelerator APIs. This is
ramping up to the goal of only storing the export representation in the
key slot, and not keeping the crypto implementation-specific representations
around.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:25 +02:00
Steven Cooreman
aec44e9fe8 Merge remote-tracking branch 'mbedtls/development' into montgomery-keys-clarification 2020-07-13 11:48:21 +02:00
Steven Cooreman
0024df6b37 Remove superfluous argument to ecp_write_key
Removed after feedback from PR review.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-13 10:59:40 +02:00
Manuel Pégourié-Gonnard
fafe8553c6
Merge pull request #3392 from paul-elliott-arm/psa_ecc_dh_macros
PSA: update EC curve and DH group family macros
2020-07-07 09:20:44 +02:00
Steven Cooreman
ed3c9ec71a Added support for AES-ECB to the PSA Crypto implementation
PSA_ALG_ECB_NO_PADDING came in to the PSA Crypto API spec v1.0.0, but
was not implemented yet in the mbed TLS implementation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 14:16:10 +02:00
Steven Cooreman
c9b7f78647 Rework mbedtls_ecp_write_key to remove unnecessary output parameter
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:32 +02:00
Steven Cooreman
e3fd39289e Fix endianness and masking for Curve25519 keys handled by PSA
Changed PSA core (and PKWrite) from reaching into MPI to using the proper
ecp function to fetch a private key.
Added changelog.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:45:31 +02:00
Paul Elliott
8ff510ac26 Rename ECC Family Macros According to PSA Spec
Rename PSA_ECC_CURVE_xxx to PSA_ECC_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_CURVE to PSA_KEY_TYPE_ECC_GET_FAMILY and rename
psa_ecc_curve_t to psa_ecc_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 16:59:30 +01:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Gilles Peskine
961914df12
Merge pull request #3382 from stevew817/feature/volatile-keys-in-SE
Support volatile keys in external SE
2020-06-26 20:27:11 +02:00
Steven Cooreman
8c1e759e1d Documentation and new function signature update
Inline with review comments.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-17 14:52:05 +02:00
Steven Cooreman
81fe7c311a Split 'validate persistent key parameters' into independent validation
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-17 13:53:18 +02:00
Bence Szépkúti
869746577a Add Apache-2.0 headers to all source files
Also normalize the first line of the copyright headers.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find scripts
find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i '

# Normalize the first line of the copyright headers (no text on the first line of a block comment)
/^\/\*.*Copyright.*Arm/I {
  i\
/*
  s/^\// /
}

/Copyright.*Arm/I {

  # Print copyright declaration
  p

  # Read the two lines immediately following the copyright declaration
  N
  N

  # Insert Apache header if it is missing
  /SPDX/! i\
 *  SPDX-License-Identifier: Apache-2.0\
 *\
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\
 *  not use this file except in compliance with the License.\
 *  You may obtain a copy of the License at\
 *\
 *  http://www.apache.org/licenses/LICENSE-2.0\
 *\
 *  Unless required by applicable law or agreed to in writing, software\
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
 *  See the License for the specific language governing permissions and\
 *  limitations under the License.

  # Clear copyright declaration from buffer
  D
}
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-16 17:38:44 +02:00
Steven Cooreman
bbeaf18eac Do not persist transactions on volatile external keys
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:29:44 +02:00
Steven Cooreman
c59de6ab7e Refactor lifetime checking to reflect split in location and persistence
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-06-08 18:28:25 +02:00
Darryl Green
2f0eb51aae psa: Define mbedtls_ecc_group_to_psa() inline
On dual world platforms, we want to run the PK module (pk.c) on the NS
side so TLS can use PSA APIs via the PK interface. PK currently has a
hard dependency on mbedtls_ecc_group_to_psa() which is declared in
crypto_extra.h, but only defined in psa_crypto.c, which is only built
for the S side.

Without this change, dual world platforms get error messages like the
following.

    [Error] @0,0: L6218E: Undefined symbol mbedtls_ecc_group_to_psa (referred from BUILD/LPC55S69_NS/ARM/mbed-os/features/mbedtls/mbed-crypto/src/pk.o)

Make mbedtls_ecc_group_to_psa() inline within crypto_extra.h so that it
is available to both NS and S world code.

Fixes #3300

Signed-off-by: Darryl Green <darryl.green@arm.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2020-05-05 12:41:48 +01:00
Jaeden Amero
1bde9cdf71 psa: Clear bits in mbedtls_ecc_group_to_psa()
Clear bits in mbedtls_ecc_group_to_psa() to avoid static analyzers and
possibly compilers from warning that bits may be used uninitialized in
certain code paths.

For example, if mbedtls_ecc_group_to_psa() were to be inlined in
crypto_extra.h, the following compiler warning is likely.

    In file included from ../include/psa/crypto.h:3774:0,
                     from ../include/mbedtls/pk.h:49,
                     from pk.c:29:
    pk.c: In function 'mbedtls_pk_wrap_as_opaque':
    ../include/psa/crypto_struct.h:460:33: error: 'bits' may be used uninitialized in this function [-Werror=maybe-uninitialized]
             attributes->core.bits = (psa_key_bits_t) bits;
                                     ^~~~~~~~~~~~~~~~~~~~~
    pk.c:608:12: note: 'bits' was declared here
         size_t bits;
                ^~~~

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2020-05-05 12:41:41 +01:00
Janos Follath
b7000d4b2f
Merge pull request #345 from gilles-peskine-arm/psa_mac_verify_finish-status
Fix possible error code mangling in psa_mac_verify_finish
2020-02-03 13:55:11 +00:00
Gilles Peskine
3e819b7d69 psa_key_agreement_ecdh: zeroize output on failure
If psa_key_agreement_ecdh fails, there may be output that leaks
sensitive information in the output buffer. Zeroize it.

If this is due to an underlying failure in the ECDH implementation, it
is currently not an issue since both the traditional Mbed TLS/Crypto
implementation and Everest only write to the output buffer once every
intermediate step has succeeded, but zeroizing is more robust. If this
is because the recently added key size check fails, a leak could be a
serious issue.
2020-01-31 10:24:21 +01:00
Gilles Peskine
f65ed6f254 Change key types to a 16-bit encoding
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.
2020-01-31 10:24:21 +01:00
Gilles Peskine
b87b719467 Remove old values of curve encodings
Remove the values of curve encodings that are based on the TLS registry
and include the curve size, keeping only the new encoding that merely
encodes a curve family in 8 bits.

Keep the old constant names as aliases for the new values and
deprecate the old names.
2020-01-31 10:24:21 +01:00
Gilles Peskine
228abc5773 Define EC curve family constants
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.

Support these constants in the implementation and in the PSA metadata
tests.

Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.

Switch some documentation to the new encodings.

Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
2020-01-31 10:15:32 +01:00
Gilles Peskine
025fccdc32 Change the encoding of EC curves and DH groups to include the size
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).

As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
2020-01-31 10:15:32 +01:00
Gilles Peskine
5055b239bf Expose mbedtls/psa curve identifier conversions from psa_crypto.c 2020-01-31 10:15:32 +01:00
Gilles Peskine
4295e8b9c5 Rework PSA curve to mbedlts group id conversion
Don't rely on the bit size encoded in the PSA curve identifier, in
preparation for removing that.

For some inputs, the error code on EC key creation changes from
PSA_ERROR_INVALID_ARGUMENT to PSA_ERROR_NOT_SUPPORTED or vice versa.
There will be further such changes in subsequent commits.
2020-01-31 10:15:32 +01:00
Gilles Peskine
c7ef5b3f45 Rework mbedlts group id to PSA curve conversion
Don't rely on the PSA curve identifier determining the key size, in
preparation for removing that.
2020-01-31 10:15:32 +01:00
Gilles Peskine
84b8fc8213 Use psa_hash_compute in psa_hmac_setup_internal 2020-01-30 12:27:14 +01:00
Gilles Peskine
0a749c8fa3 Implement and test psa_hash_compute, psa_hash_compare 2020-01-30 12:27:12 +01:00
Manuel Pégourié-Gonnard
b7f7092f57 Remove preprocessor directive for consistency
Other cases in this switch statement aren't guarded either.
2020-01-24 10:59:08 +01:00
Gilles Peskine
28cd41676e Fix possible error code mangling in psa_mac_verify_finish
If psa_mac_finish_internal fails (which can only happen due to bad
parameters or hardware problem), the error code was converted to
PSA_ERROR_INVALID_SIGNATURE if the uninitialized stack variable
actual_mac happened to contain the expected MAC. This is a minor bug
but it may be possible to leverage it as part of a longer attack path
in some scenarios.

Reported externally. Found by static analysis.
2020-01-20 16:31:06 +01:00
Manuel Pégourié-Gonnard
792b16d83b Make more code paths conditional in psa_crypto.c 2020-01-07 10:13:18 +01:00
Manuel Pégourié-Gonnard
d602084cde Implement NO_SHA384 in MD layer and PSA 2020-01-06 11:40:23 +01:00
Jaeden Amero
795c6bab62
Merge pull request #323 from yanesca/iotcrypt-942-initialise-return-values
Initialise return values to an error
2019-12-19 10:24:22 +00:00
Gilles Peskine
4cd3277656 Factor common code of psa_import_ec_{public,private}_key 2019-12-12 09:00:27 +01:00
Janos Follath
24eed8d2d2 Initialise return values to an error
Initialising the return values to and error is best practice and makes
the library more robust.
2019-12-03 16:07:18 +00:00
Janos Follath
a13b905d8d Map the new Mbed TLS error value in PSA 2019-12-03 16:03:11 +00:00
Gilles Peskine
89d8c5c447 Rename some signature-related identifiers
Rename some macros and functions related to signature which are
changing as part of the addition of psa_sign_message and
psa_verify_message.

perl -i -pe '%t = (
PSA_KEY_USAGE_SIGN => PSA_KEY_USAGE_SIGN_HASH,
PSA_KEY_USAGE_VERIFY => PSA_KEY_USAGE_VERIFY_HASH,
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE => PSA_SIGNATURE_MAX_SIZE,
PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE => PSA_SIGN_OUTPUT_SIZE,
psa_asymmetric_sign => psa_sign_hash,
psa_asymmetric_verify => psa_verify_hash,
); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files . ':!:**/crypto_compat.h')
2019-11-26 18:20:59 +01:00
Gilles Peskine
cb0101ff33
Merge pull request #298 from gilles-peskine-arm/config-symmetric-only
Test a build without any asymmetric cryptography
2019-11-12 19:37:13 +01:00
Gilles Peskine
150d577780
Merge pull request #292 from gilles-peskine-arm/psa-destroy_0
Make psa_close_key(0) and psa_destroy_key(0) succeed
2019-10-14 11:21:54 +02:00
Gilles Peskine
b16841ee69 Fixed -Wunused warnings when building without asymmetric crypto 2019-10-11 18:21:08 +02:00
Gilles Peskine
1841cf43ee Make psa_close_key(0) and psa_destroy_key(0) succeed 2019-10-08 15:57:27 +02:00
Gilles Peskine
d9348f218e SE driver: call the p_init method during psa_crypto_init() 2019-10-01 15:22:29 +02:00
Gilles Peskine
3efcebbc5e SE support: Use a transaction when registering a key
When registering a key in a secure element, go through the transaction
mechanism. This makes the code simpler, at the expense of a few extra
storage operations. Given that registering a key is typically very
rare over the lifetime of a device, this is an acceptable loss.

Drivers must now have a p_validate_slot_number method, otherwise
registering a key is not possible. This reduces the risk that due to a
mistake during the integration of a device, an application might claim
a slot in a way that is not supported by the driver.
2019-10-01 14:18:35 +02:00
Gilles Peskine
178c9aa966 Key derivation: forbid output_key without input_key
If none of the inputs to a key derivation is a
PSA_KEY_DERIVATION_INPUT_SECRET passed with
psa_key_derivation_input_key(), forbid
psa_key_derivation_output_key(). It usually doesn't make sense to
derive a key object if the secret isn't itself a proper key.
2019-09-24 18:39:03 +02:00
Gilles Peskine
b8965193a0 Use the constant PSA_KEY_TYPE_NONE rather than 0
No behavior change, just a readability improvement.
2019-09-24 18:39:03 +02:00
Gilles Peskine
46d7faf195 Don't jump past a variable declaration
This is valid C99 (since the variable in question is not a VLA and is
not used) but not accepted by IAR 8.20.
2019-09-24 18:39:03 +02:00
Gilles Peskine
593773d9f2 Consistently abort key derivation operations on input error 2019-09-24 18:39:03 +02:00
Gilles Peskine
224b0d656a Key derivation: allow both keys and direct inputs
Allow a direct input as the SECRET input step in a key derivation, in
addition to allowing DERIVE keys. This makes it easier for
applications to run a key derivation where the "secret" input is
obtained from somewhere else. This makes it possible for the "secret"
input to be empty (keys cannot be empty), which some protocols do (for
example the IV derivation in EAP-TLS).

Conversely, allow a RAW_DATA key as the INFO/LABEL/SALT/SEED input to a key
derivation, in addition to allowing direct inputs. This doesn't
improve security, but removes a step when a personalization parameter
is stored in the key store, and allows this personalization parameter
to remain opaque.

Add test cases that explore step/key-type-and-keyhood combinations.
2019-09-24 18:39:03 +02:00
Gilles Peskine
a291413a1e
Merge pull request #257 from gilles-peskine-arm/psa-remove_zero_length_keys
Forbid zero-length keys
2019-09-19 13:07:41 +02:00
Gilles Peskine
89cc74f447 Fix signature size checks in psa_asymmetric_verify for RSA
The signature must have exactly the same length as the key, it can't
be longer. Fix #258

If the signature doesn't have the correct size, that's an invalid
signature, not a problem with an output buffer size. Fix the error code.

Add test cases.
2019-09-13 11:39:11 +02:00
Gilles Peskine
4019f0e914 Immediately reject 0-size signature buffer when signing
In psa_asymmetric_sign, immediately reject an empty signature buffer.
This can never be right.

Add test cases (one RSA and one ECDSA).

Change the SE HAL mock tests not to use an empty signature buffer.
2019-09-12 22:05:59 +02:00
Gilles Peskine
f916894ef3 Remove special handling for zero-length keys
Zero-length keys are rejected at creation time, so we don't need any
special handling internally.

When exporting a key, we do need to take care of the case where the
output buffer is empty, but this is easy: an empty output buffer is
never valid.
2019-09-12 19:21:37 +02:00
Gilles Peskine
0f84d6245b Reject keys of size 0
Implement the prohibition on keys of size 0.
2019-09-12 19:03:13 +02:00
Ron Eldor
296eca6e76 Fix a buffer overflow in hmac_setup_internal
At the end of `psa_hmac_setup_internal()`, the ipad is cleared.
However, the size that was given to clear was `key_len` which is larger
than the size of `ipad`.
2019-09-10 15:21:37 +03:00
Darryl Green
5e843fa133 Use safer deterministic function in psa_ecdsa_sign 2019-09-05 14:06:34 +01:00
Jaeden Amero
21db2a94a4
Merge pull request #229 from k-stachowiak/IOTCRYPT-791-remove-legacy-psa-key-derivation
Remove legacy psa key derivation
2019-08-29 11:31:23 +01:00
Darryl Green
0892d0fbbf Initialize key bits to max size + 1 in psa_import_key
In psa_import_key, the key bits value was uninitialized before
calling the secure element driver import function. There is a
potential issue if the driver returns PSA_SUCCESS without setting
the key bits. This shouldn't happen, but shouldn't be discounted
either, so we initialize the key bits to an invalid issue.
2019-08-21 16:56:16 +01:00
Darryl Green
572a16e694 Merge branch 'psa-api-1.0-beta' into api-to-development 2019-08-21 10:31:12 +01:00
k-stachowiak
012dcc4b87 Remove PSA_PRE_1_0_KEY_DERIVATION and the corresponding code 2019-08-13 18:42:40 +02:00
k-stachowiak
0b74cf85ea Remove psa_key_derivation() and associated static functions 2019-08-13 18:42:27 +02:00
Gilles Peskine
c9d7f94a65 Add issue numbers for some missing parts of secure element support 2019-08-13 16:17:16 +02:00
Gilles Peskine
4b7f340fbf Clean up status code handling inside psa_destroy_key
Adopt a simple method for tracking whether there was a failure: each
fallible operation sets overall_status, unless overall_status is
already non-successful. Thus in case of multiple failures, the
function always reports whatever failed first. This may not always be
the right thing, but it's simple.

This revealed a bug whereby if the only failure was the call to
psa_destroy_se_key(), i.e. if the driver reported a failure or if the
driver lacked support for destroying keys, psa_destroy_key() would
ignore that failure.

For a key in a secure element, if creating a transaction file fails,
don't touch storage, but close the key in memory. This may not be
right, but it's no wronger than it was before. Tracked in
https://github.com/ARMmbed/mbed-crypto/issues/215
2019-08-13 15:58:36 +02:00
Gilles Peskine
9ce31c466d Note about destroying a key with other open handles
https://github.com/ARMmbed/mbed-crypto/issues/214
2019-08-13 15:14:20 +02:00
Gilles Peskine
caec27821f SE keys: make psa_destroy_key remove the key from storage 2019-08-13 15:11:49 +02:00
Gilles Peskine
3f7cd62ff5 Document better what wiping a key slot does not do
When a key slot is wiped, a copy of the key material may remain in
operations. This is undesirable, but does not violate the safety of
the code. Tracked in https://github.com/ARMmbed/mbed-crypto/issues/86
2019-08-13 15:01:08 +02:00
Janos Follath
1d57a20cbe Make TODO comments consistent 2019-08-13 12:15:34 +01:00
Gilles Peskine
edc6424d77 SE driver support: Implement sign and verify hooks 2019-08-09 16:43:35 +02:00
Gilles Peskine
11792086cc SE keys: implement and smoke-test p_generate 2019-08-09 16:43:35 +02:00
Gilles Peskine
f3801fff77 Update import_key and generate_key SE methods to the current API
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.

Update parameter names and descriptions to follow general conventions.

Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).

Update the implementation and the tests accordingly.
2019-08-09 16:43:35 +02:00
Gilles Peskine
a5f8749812 SE key registration: call p_validate_slot_number
When registering a key in a secure element, if the driver has a
p_validate_slot_number method, call it.
2019-08-09 15:05:32 +02:00
Gilles Peskine
d772958ffc New function mbedtls_psa_register_se_key
Register an existing key in a secure element.

Minimal implementation that doesn't call any driver method and just
lets the application declare whatever it wants.
2019-08-09 15:05:21 +02:00
Gilles Peskine
e88c2c1338 Pass the key creation method to drivers
Pass the key creation method (import/generate/derive/copy) to the
driver methods to allocate or validate a slot number. This allows
drivers to enforce policies such as "this key slot can only be used
for keys generated inside the secure element".
2019-08-09 14:59:31 +02:00
Gilles Peskine
df17914e01 psa_start_key_creation: take the method as a parameter
Let psa_start_key_creation know what type of key creation this is. This
will be used at least for key registration in a secure element, which
is a peculiar kind of creation since it uses existing key material.
2019-08-09 14:54:03 +02:00
Janos Follath
8aa7e9bc56 Merge branch 'psa-api-1.0-beta' into merge-psa-api-branch-into-development 2019-08-08 14:40:23 +01:00
Gilles Peskine
46d9439a5e Support slot_number attribute when creating a key
Allow the application to choose the slot number in a secure element,
rather than always letting the driver choose.

With this commit, any application may request any slot. In an
implementation with isolation, it's up to the service to filter key
creation requests and apply policies to limit which applications can
request which slot.
2019-08-08 11:02:30 +02:00
Gilles Peskine
edbed5670a Rename psa_internal_allocate_key_slot to psa_get_empty_key_slot
This function no longer modifies anything, so it doesn't actually
allocate the slot. Now, it just returns the empty key slot, and it's
up to the caller to cause the slot to be in use (or not).
2019-08-08 10:58:09 +02:00
Gilles Peskine
094dac1d12 Fix copypasta 2019-08-08 10:58:09 +02:00
Gilles Peskine
013f5474cf Fix erasure of external flags
This didn't break anything now, but would have broken things once we
start to add internal flags.
2019-08-08 10:58:09 +02:00
Gilles Peskine
5a68056755 Rename internal macro to pass check-names.sh
check-names.sh rejects MBEDTLS_XXX identifiers that are not defined in
a public header.
2019-08-08 10:58:09 +02:00
Gilles Peskine
c8000c005a Add slot_number attribute
Add a slot_number field to psa_key_attributes_t and getter/setter
functions. Since slot numbers can have the value 0, indicate the
presence of the field via a separate flag.

In psa_get_key_attributes(), report the slot number if the key is in a
secure element.

When creating a key, for now, applications cannot choose a slot
number. A subsequent commit will add this capability in the secure
element HAL.
2019-08-08 10:58:09 +02:00
Gilles Peskine
91e8c33f48 Add infrastructure for key attribute flags
Add infrastructure for internal, external and dual-use flags, with a
compile-time check (if static_assert is available) to ensure that the
same numerical value doesn't get declared for two different purposes
in crypto_struct.h (external or dual-use) and
psa_crypto_core.h (internal).
2019-08-08 10:58:09 +02:00
Gilles Peskine
0c77b0e2f9
Merge pull request #198 from gilles-peskine-arm/psa-api-1.0-beta-merge_development_20190801
Merge mbed-crypto/development into psa-api-1.0-beta
2019-08-08 10:24:53 +02:00
Gilles Peskine
f181eca350 Fix psa_generate_random for >1024 bytes
mbedtls_ctr_drbg_random can only return up to
MBEDTLS_CTR_DRBG_MAX_REQUEST (normally 1024) bytes at a time. So if
more than that is requested, call mbedtls_ctr_drbg_random in a loop.
2019-08-07 13:49:00 +02:00
Gilles Peskine
a6b2f60b4c Fix double free in psa_generate_key when psa_generate_random fails
When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but a the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7221
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix #207
2019-08-07 13:43:09 +02:00
Gilles Peskine
1b9505c451 Correct some comments 2019-08-07 10:59:45 +02:00
Vikas Katariya
21599b6622 Return right error code.
Issue : 126
https://github.com/ARMmbed/mbed-crypto/issues/126

PSA_ERROR_BUFFER_TOO_SMALL error returned when we check for output_size.
2019-08-02 13:01:58 +01:00
Gilles Peskine
8908c5e81c Make psa_calculate_key_bits return psa_key_bits_t
This is cleaner and solves a complaint from MSVC about truncation from
size_t to psa_key_bits_t.
2019-07-31 18:55:00 +02:00
Gilles Peskine
72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00
Gilles Peskine
1b8594a218 More refactoring: consolidate attribute validation
Consolidate attribute validation at the beginning of key creation into
a single function. Improve comments.
2019-07-31 17:21:46 +02:00
Gilles Peskine
3825e14e65 Fix policy validity check on key creation.
Add a non-regression test.
2019-07-31 16:54:38 +02:00
Gilles Peskine
41e50d26ea Remove "allocated" flag from key slots
The flag to mark key slots as allocated was introduced to mark slots
that are claimed and in use, but do not have key material yet, at a
time when creating a key used several API functions: allocate a slot,
then progressively set its metadata, and finally create the key
material. Now that all of these steps are combined into a single
API function call, the notion of allocated-but-not-filled slot is no
longer relevant. So remove the corresponding flag.

A slot is occupied iff there is a key in it. (For a key in a secure
element, the key material is not present, but the slot contains the
key metadata.) This key must have a type which is nonzero, so use this
as an indicator that a slot is in use.
2019-07-31 16:54:38 +02:00
Gilles Peskine
76aa09c9a9 Take advantage of psa_core_key_attributes_t internally #2
Key creation and psa_get_key_attributes
2019-07-31 16:54:37 +02:00
Gilles Peskine
b46bef2f76 Store the key size in the slot in memory
There is now a field for the key size in the key slot in memory. Use
it.

This makes psa_get_key_attributes() marginally faster at the expense
of memory that is available anyway in the current memory layout (16
bits for the size, 16 bits for flags). That's not the goal, though:
the goal is to simplify the code, in particular to make it more
uniform between transparent keys (whose size can be recomputed) and
keys in secure elements (whose size cannot be recomputed).

For keys in a secure element, the bit size is now saved by serializing
the type psa_key_bits_t (which is an alias for uint16_t) rather than
size_t.
2019-07-31 14:16:50 +02:00
Gilles Peskine
4ed0e6f11a Switch storage functions over to psa_core_key_attributes_t 2019-07-31 14:15:27 +02:00
Gilles Peskine
8e3387029d Use psa_core_key_attributes_t in key slots in memory
Change the type of key slots in memory to use
psa_core_key_attributes_t rather than separate fields. The goal is to
simplify some parts of the code. This commit only does the mechanical
replacement, not the substitution.

The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED`
in the `flags` field.

Write accessor functions for flags.

Key slots now contain a bit size field which is currently unused.
Subsequent commits will make use of it.
2019-07-31 14:15:27 +02:00
Gilles Peskine
68cc433b5b Store key sizes in 16 bits in attributes
This is larger than the maximum key size introduced in the previous
commit, by design.

Make some room for flags (not used yet).
2019-07-30 21:08:38 +02:00
Gilles Peskine
c744d99386 Limit keys to 65528 bits
65528 bits is more than any reasonable key until we start supporting
post-quantum cryptography.

This limit is chosen to allow bit-sizes to be stored in 16 bits, with
65535 left to indicate an invalid value. It's a whole number of bytes,
which facilitates some calculations, in particular allowing a key of
exactly PSA_CRYPTO_MAX_STORAGE_SIZE to be created but not one bit
more.

As a resource usage limit, this is arguably too large, but that's out
of scope of the current commit.

Test that key import, generation and derivation reject overly large
sizes.
2019-07-30 20:58:33 +02:00
Gilles Peskine
7e0cff90b9 Move attribute fields to a substructure
Move the "core attributes" to a substructure of psa_key_attribute_t.
The motivation is to be able to use the new structure
psa_core_key_attributes_t internally.
2019-07-30 20:58:27 +02:00
Gilles Peskine
e60d1d08a4 SE keys: save the bit size in storage
For a key in a secure element, save the bit size alongside the slot
number.

This is a quick-and-dirty implementation where the storage format
depends on sizeof(size_t), which is fragile. This should be replaced
by a more robust implementation before going into production.
2019-07-29 18:11:09 +02:00
Gilles Peskine
1801740a7c SE driver: report the bit size on key import
Add a parameter to the key import method of a secure element driver to
make it report the key size in bits. This is necessary (otherwise the
core has no idea what the bit-size is), and making import report it is
easier than adding a separate method (for other key creation methods,
this information is an input, not an output).
2019-07-29 18:07:09 +02:00
Gilles Peskine
dc5bfe9784 SE keys: implement and test psa_get_key_attributes 2019-07-29 18:07:03 +02:00
Gilles Peskine
424f89453b SE keys: store the bit size internally (partial implementation)
This commit blindingly copies the size from the attributes. This is
not correct for copy and import.
2019-07-29 17:06:06 +02:00
Gilles Peskine
adb1c52149
Merge pull request #157 from gilles-peskine-arm/psa-se_driver-create_key
Secure element key creation foundation
2019-07-26 14:39:55 +02:00
Gilles Peskine
66be51c35d If starting a transaction fails, wipe the transaction data
Nothing has been saved to disk yet, but there is stale data in
psa_crypto_transaction. This stale data should not be reused, but do
wipe it to reduce the risk of it mattering somehow in the future.
2019-07-26 13:23:51 +02:00
Gilles Peskine
f9bb29ec26 Add boilerplate to recover a transaction during init 2019-07-25 17:52:59 +02:00
Gilles Peskine
4aea1036c6 Bug fix: don't start a transaction for non-SE keys 2019-07-25 17:38:34 +02:00
Gilles Peskine
2e0f388d2a Don't explicitly dereference function pointers
Be stylistically consistent.
2019-07-25 11:42:19 +02:00
Gilles Peskine
60450a4812 Improve comments 2019-07-25 11:32:45 +02:00
Gilles Peskine
725f22a545 Bug fix: save the driver's persistent data in destroy_key 2019-07-25 11:32:27 +02:00
Gilles Peskine
adad813d7b psa_key_slot_is_external exists. Use it. 2019-07-25 11:32:27 +02:00
Gilles Peskine
f77a6acf83 Fix indentation 2019-07-25 10:51:03 +02:00
Gilles Peskine
4b73422318 Transaction support: be more future-proof
If there's ever a non-SE-related transaction, make sure it gets
handled during init.
2019-07-24 15:56:31 +02:00
Gilles Peskine
f4ee662868 SE keys: error out in key creation function that lack support 2019-07-24 13:44:30 +02:00
Gilles Peskine
28f8f3068f SE keys: ensure that functions that lack support properly error out
Introduce a new function psa_get_transparent_key which returns
NOT_SUPPORTED if the key is in a secure element. Use this function in
functions that don't support keys in a secure element.

After this commit, all functions that access a key slot directly via
psa_get_key_slot or psa_get_key_from_slot rather than via
psa_get_transparent_key have at least enough support for secure
elements not to crash or otherwise cause undefined behavior. Lesser
bad behavior such as wrong results or resource leakage is still
possible in error cases.
2019-07-24 13:30:31 +02:00
Gilles Peskine
1df83d4f5b SE keys: implement persistent storage
For a key in a secure element, persist the key slot.

This is implemented in the nominal case. Failures may not be handled
properly.
2019-07-23 16:13:14 +02:00
Gilles Peskine
bfd322ff34 Use a key attribute structure in the internal storage interface
Pass information via a key attribute structure rather than as separate
parameters to psa_crypto_storage functions. This makes it easier to
maintain the code when the metadata of a key evolves.

This has negligible impact on code size (+4B with "gcc -Os" on x86_64).
2019-07-23 13:31:54 +02:00
Gilles Peskine
fc76265385 Do secure element key creation and destruction in a transaction
Key creation and key destruction for a key in a secure element both
require updating three pieces of data: the key data in the secure
element, the key metadata in internal storage, and the SE driver's
persistent data. Perform these actions in a transaction so that
recovery is possible if the action is interrupted midway.
2019-07-22 19:46:22 +02:00
Gilles Peskine
c11c4dcf95 Favor stdint.h types in internal types
Use uint8_t for PSA buffers. Keep unsigned char for generic libc
buffers and for mbedtls buffers.
2019-07-15 11:17:53 +02:00
Gilles Peskine
7228da25f9 Favor stdint.h types in implementation-specific API 2019-07-15 11:16:18 +02:00
Andrew Thoelke
163639b830 Apply same changes to implementation source code 2019-07-15 11:14:56 +02:00
Gilles Peskine
5d309672af SE keys: support import and export 2019-07-12 23:47:28 +02:00
Gilles Peskine
354f7671f4 SE keys: support destroy
When destroying a key in a secure element, call the driver's destroy
method and update the driver's persistent data in storage.
2019-07-12 23:46:38 +02:00
Gilles Peskine
cbaff467ef SE keys: allocate a slot before creating the key 2019-07-12 23:46:04 +02:00
Gilles Peskine
73167e128f SE keys: store the slot number in the memory slot 2019-07-12 23:44:37 +02:00
Gilles Peskine
8abe6a2d5c Driver table entries are now mutable
Since driver table entries contain the driver context, which is
mutable, they can't be const anymore.
2019-07-12 23:42:20 +02:00
Gilles Peskine
011e4284a1 Look up the SE driver when creating a key
When creating a key with a lifetime that places it in a secure
element, retrieve the appropriate driver table entry.

This commit doesn't yet achieve behavior: so far the code only
retrieves the driver, it doesn't call the driver.
2019-07-12 11:47:50 +02:00
Adrian L. Shaw
2282cfa660 Remove GMAC algorithm (for now)
It can't be implemented with the current version of the API
2019-07-11 15:51:45 +01:00
Jaeden Amero
c19dcebbdd
Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart
Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00
Janos Follath
d6dce9f4f3 Fix zero-length seed or label in TLS 1.2 PRF
The psa_tls12_prf_set_seed() and psa_tls12_prf_set_label() functions did
not work on platforms where malloc(0) returns NULL.

It does not affect the TLS use case but these PRFs are used in other
protocols as well and might not be used the same way. For example EAP
uses the TLS PRF with an empty secret. (This would not trigger the bug,
but is a strong indication that it is not safe to assume that certain
inputs to this function are not zero length.)

The conditional block includes the memcpy() call as well to avoid
passing a NULL pointer as a parameter resulting in undefined behaviour.

The current tests are already using zero length label and seed, there is
no need to add new test for this bug.
2019-07-04 09:11:38 +01:00
Janos Follath
0c1ed84258 Improve style 2019-06-28 15:10:06 +01:00
Gilles Peskine
a8ade16ffd Gate secure element support by a separate config option
Secure element support has its own source file, and in addition
requires many hooks in other files. This is a nontrivial amount of
code, so make it optional (but default on).
2019-06-26 20:01:35 +02:00
Janos Follath
40e1393816 Optimize TLS PRF PSK key calculation 2019-06-26 13:23:10 +01:00
Janos Follath
76c3984477 Clarify TLS PRF algorithm description 2019-06-26 12:50:36 +01:00
Janos Follath
30090bc2cf Fix error code
PSA_ERROR_BAD_STATE means that the function was called on a context in a
bad state.

This error is something that can't happen while only using the PSA API and
therefore a PSA_ERROR_CORRUPTION_DETECTED is a more appropriate error
code.
2019-06-26 09:15:08 +01:00
Janos Follath
5fe19734d5 Make key derivation initialisation consistent
The macro initialiser might leave bytes in the union unspecified.
Zeroising it in setup makes sure that the behaviour is the same
independently of the initialisation method used.
2019-06-26 09:15:08 +01:00
Janos Follath
ea29bfb148 Add tls12_prf key derivation to the new API
The TLS 1.2 pseudorandom function does a lot of distinct HMAC operations
with the same key. To save the battery and CPU cycles spent on
calculating the paddings and hashing the inner padding, we keep the
hash context in the status right after the inner padding having been
hashed and clone it as needed.
2019-06-26 09:15:08 +01:00
Janos Follath
844eb0e5fa Add tls12_prf_read for the new API
Technically we could have reused the old one for the new API, but then
we had to set an extra field during setup. The new version works when
all the fields that haven't been set explicitely are zero-initialised.
2019-06-26 09:15:08 +01:00
Janos Follath
7742feea53 Add stub for new tls12_prf_generate_next_block 2019-06-26 09:15:08 +01:00
Janos Follath
6c6c8fceaa Improve style 2019-06-26 09:15:08 +01:00
Janos Follath
6660f0eb98 Add TLS 1.2 PSK master secret generation 2019-06-26 09:15:08 +01:00
Janos Follath
51f4a0f9ac Style: enforce 80 column limit 2019-06-26 09:15:08 +01:00
Janos Follath
c56215163f Simplify psa_key_derivation_input_bytes
The specific key derivation input functions support a subset of the
input options and need to check it anyway. Checking it at the top level
is redundant, it brings a very little value and comes with a cost in
code size and maintainability.
2019-06-26 09:15:08 +01:00
Janos Follath
adbec81cc4 Remove the deprecated PSA_ALG_SELECT_RAW option
This change affects the psa_key_derivation_s structure. With the buffer
removed from the union, it is empty if MBEDTLS_MD_C is not defined.

We can avoid undefined behaviour by adding a new dummy field that is
always present or make the whole union conditional on MBEDTLS_MD_C.

In this latter case the initialiser macro has to depend on MBEDTLS_MD_C
as well. Furthermore the first structure would be either
psa_hkdf_key_derivation_t or psa_tls12_prf_key_derivation_t both of
which are very deep and would make the initialisation macro difficult
to maintain, therefore we go with the first option.
2019-06-26 09:15:08 +01:00
Janos Follath
63028dd906 Add label input for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
8155054e28 Add key import for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
f08e2654ed Add seed input for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
ef83f5e98e Move raw key derivation input to a new function 2019-06-26 09:15:08 +01:00
Janos Follath
b80a94e2ea Rename psa_key_derivation_input_raw
The function dispatches between all the available methods and
does not just handle the raw key derivation case like the name suggests.
2019-06-26 09:15:08 +01:00
Janos Follath
b03233e196 Add stubs for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
6a1d262803 Adapt psa_key_derivation_abort to the new context 2019-06-26 09:15:08 +01:00
Janos Follath
999f648437 Add new psa_tls12_prf_key_derivation_t
As part of adapting TLS 1.2 key derivation to the PSA 1.0 API we need to
change the context structure.
2019-06-26 09:15:08 +01:00
Janos Follath
083036af64 Safely erase key material upon abort
Some key derivation operation contexts (like
psa_tls12_prf_key_derivation_t) directly contain buffers with parts of
the derived key. Erase them safely as part of the abort.
2019-06-26 09:15:58 +01:00
Janos Follath
71a4c9125b Add flag for removing deprecated API
Add the compile time option PSA_PRE_1_0_KEY_DERIVATION. If this is not
turned on, then the function `psa_key_derivation()` is removed.

Most of the tests regarding key derivation haven't been adapted to the
new API yet and some of them have only been adapted partially. When this
new option is turned off, the tests using the old API and test cases
using the old API of partially adapted tests are skipped.

The sole purpose of this option is to make the transition to the new API
smoother. Once the transition is complete it can and should be removed
along with the old API and its implementation.
2019-06-26 09:15:08 +01:00
Gilles Peskine
8f2a6dcc25 Support PSA_KEY_DERIVATION_INPUT_SEED 2019-06-25 12:02:31 +01:00
Gilles Peskine
d089021128 Unregister drivers on library deinitialization 2019-06-24 19:55:48 +02:00
Jaeden Amero
7654161dbf psa: Add NV seed as an entropy source when needed
When MBEDTLS_PSA_INJECT_ENTROPY is used, we now require also defining
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES. When
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES is defined, we do not add entropy
sources by default. This includes the NV seed entropy source, which the
PSA entropy injection API is built upon.

The PSA entropy injection feature depends on using NV seed as an entropy
source. Add NV seed as an entropy source for PSA entropy injection.

Fixes e3dbdd8d90 ("Gate entropy injection through a dedicated configuration option")
2019-06-05 11:09:38 +01:00
Gilles Peskine
267c65666a Simplify key slot allocation
Now that psa_allocate_key() is no longer a public function, expose
psa_internal_allocate_key_slot() instead, which provides a pointer to
the slot to its caller.
2019-06-05 11:34:54 +02:00
Gilles Peskine
f46f81ceb5 Remove obsolete key creation functions
Remove the key creation functions from before the attribute-based API,
i.e. the key creation functions that worked by allocating a slot, then
setting metadata through the handle and finally creating key material.
2019-06-05 11:34:54 +02:00
Gilles Peskine
f25c9ec02e Minor documentation improvements 2019-05-27 14:08:27 +02:00
Gilles Peskine
96f0b3b1d3 Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-27 14:08:27 +02:00
Gilles Peskine
549ea8676a Minor documentation improvements 2019-05-22 11:45:59 +02:00
Gilles Peskine
2c86ebc2f8 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allowed to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-21 17:06:27 +02:00
Gilles Peskine
d6f371b1ba Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-21 17:06:03 +02:00
Gilles Peskine
eff4942202
Merge pull request #268 from ARMmbed/psa-error_tampering_detected
Rename PSA_ERROR_TAMPERING_DETECTED to PSA_ERROR_CORRUPTION_DETECTED
2019-05-17 11:06:09 +02:00
Gilles Peskine
35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
4b3eb69271 Rename PSA_ERROR_TAMPERING_DETECTED to ..._CORRUPTION_DETECTED
“Tampering detected” was misleading because in the real world it can
also arise due to a software bug. “Corruption detected” is neutral and
more precisely reflects what can trigger the error.

perl -i -pe 's/PSA_ERROR_TAMPERING_DETECTED/PSA_ERROR_CORRUPTION_DETECTED/gi' $(git ls-files)
2019-05-16 21:35:18 +02:00
Gilles Peskine
be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine
51ae0e4b79 Rename "generator" to "operation"
Generators are now key derivation operations.

Keep "random generator" intact.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine
03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine
a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine
c9d910bed6 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine
73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
98dd779eb5 Put handle parameter last: psa_generate_derived_key
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
c160d9ec83 psa_copy_key: enforce PSA_KEY_USAGE_COPY
Implement the check and add a negative test.
2019-05-14 14:32:03 +02:00
Gilles Peskine
8e0206aa26 New usage flag PSA_KEY_USAGE_COPY
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Gilles Peskine
f9666595e1 Implement and test the new key identifier range
Only allow creating keys in the application (user) range. Allow
opening keys in the implementation (vendor) range as well.

Compared with what the implementation allowed, which was undocumented:
0 is now allowed; values from 0x40000000 to 0xfffeffff are now
forbidden.
2019-05-06 18:56:30 +02:00
Gilles Peskine
26869f2d9b Implement ChaCha20 and ChaCha20-Poly1305
Smoke tests: test data for ChaCha20 calculated with PyCryptodome; test
vector from RFC 7539 for ChaCha20-Poly1305.
2019-05-06 15:59:44 +02:00
Gilles Peskine
f7e7b01a25 Minor refactoring in AEAD code
Make it a little easier to add ChaCha20-Poly1305.

This also fixes the error code in case mbedtls_gcm_setkey() fails with
a status that doesn't map to INVALID_ARGUMENT.
2019-05-06 15:59:44 +02:00
Gilles Peskine
ff2d200fa5 Always include platform.h for MBEDTLS_ERR_PLATFORM_xxx
Recognize MBEDTLS_ERR_PLATFORM_xxx in mbedtls_to_psa_error().
2019-05-06 15:59:44 +02:00
Gilles Peskine
4ce2a9dcbf Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
2019-05-03 16:57:15 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00
Gilles Peskine
9bc88c6e2c Document the key creation flow (start, variable, finish, and fail) 2019-04-28 11:48:29 +02:00
Gilles Peskine
e56e878207 Remove extra parameter from psa_generate_key
Read extra data from the domain parameters in the attribute structure
instead of taking an argument on the function call.

Implement this for RSA key generation, where the public exponent can
be set as a domain parameter.

Add tests that generate RSA keys with various public exponents.
2019-04-26 17:37:50 +02:00
Gilles Peskine
772c8b16b4 psa_get_domain_parameters: for RSA, if e=65537, output an empty string 2019-04-26 17:37:21 +02:00
Gilles Peskine
b699f07af0 Switch psa_{get,set}_domain_parameters to attributes
Change psa_get_domain_parameters() and psa_set_domain_parameters() to
access a psa_key_attributes_t structure rather than a key handle.

In psa_get_key_attributes(), treat the RSA public exponent as a domain
parameter and read it out. This is in preparation for removing the
`extra` parameter of psa_generate_key() and setting the RSA public
exponent for key generation via domain parameters.

In this commit, the default public exponent 65537 is not treated
specially, which allows us to verify that test code that should be
calling psa_reset_key_attributes() after retrieving the attributes of
an RSA key is doing so properly (if it wasn't, there would be a memory
leak), even if the test data happens to use an RSA key with the
default public exponent.
2019-04-26 17:37:08 +02:00
Gilles Peskine
3a4f1f8e46 Set the key size as an attribute
Instead of passing a separate parameter for the key size to
psa_generate_key and psa_generator_import_key, set it through the
attributes, like the key type and other metadata.
2019-04-26 13:49:28 +02:00
Gilles Peskine
30afafd527 Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled 2019-04-25 17:42:32 +02:00
Gilles Peskine
d167b94b87 Reject invalid key ids/lifetimes in attribute-based creation 2019-04-24 15:46:04 +02:00
Gilles Peskine
8c8f2ab66b Implement psa_get_key_attributes
Implement attribute querying.

Test attribute getters and setters. Use psa_get_key_attributes instead
of the deprecated functions psa_get_key_policy or
psa_get_key_information in most tests.
2019-04-24 15:46:04 +02:00
Gilles Peskine
ff5f0e7221 Implement atomic-creation psa_{generate,generator_import}_key
Implement the new, attribute-based psa_generate_key and
psa_generator_import_key.
2019-04-24 15:46:03 +02:00
Gilles Peskine
db4b3abab1 Implement missing attributes setters and getters 2019-04-24 15:46:03 +02:00
Gilles Peskine
4747d19d18 Implement atomic-creation psa_import_key
Implement the new, attribute-based psa_import_key and some basic
functions to access psa_key_attributes_t. Replace
psa_import_key_to_handle by psa_import_key in a few test functions.

This commit does not handle persistence attributes yet.
2019-04-24 15:45:50 +02:00
Gilles Peskine
87a5e565f4 Rename functions that inject key material to an allocated handle
This commit starts a migration to a new interface for key creation.
Today, the application allocates a handle, then fills its metadata,
and finally injects key material. The new interface fills metadata
into a temporary structure, and a handle is allocated at the same time
it gets filled with both metadata and key material.

This commit was obtained by moving the declaration of the old-style
functions to crypto_extra.h and renaming them with the to_handle
suffix, adding declarations for the new-style functions in crypto.h
under their new name, and running

    perl -i -pe 's/\bpsa_(import|copy|generator_import|generate)_key\b/$&_to_handle/g' library/*.c tests/suites/*.function programs/psa/*.c
    perl -i -pe 's/\bpsa_get_key_lifetime\b/$&_from_handle/g' library/*.c tests/suites/*.function programs/psa/*.c

Many functions that are specific to the old interface, and which will
not remain under the same name with the new interface, are still in
crypto.h for now.

All functional tests should still pass. The documentation may have
some broken links.
2019-04-24 15:24:45 +02:00
Gilles Peskine
2b522db26d fixup! Key derivation by small input steps: proof-of-concept
Simplify the logic inside a few case statements. This removes
unreachable break statements.
2019-04-18 09:42:21 +02:00
Gilles Peskine
ab4b201497 fixup! Key derivation by small input steps: proof-of-concept
Fix logic error that clang helpfully points out
2019-04-18 09:42:21 +02:00
Gilles Peskine
c88644dd24 Remove "TODO" comments
One was obsolete. Reword the other two to avoid the magic word that
our CI rejects.
2019-04-18 09:42:21 +02:00
Gilles Peskine
0216fe16b7 Implement psa_key_agreement_raw_shared_secret
Refactor: split psa_key_agreement_raw_internal out of
psa_key_agreement_internal, and call it from
psa_key_agreement_raw_shared_secret as well.
2019-04-18 09:42:21 +02:00
Gilles Peskine
f9ee633d33 Fix confusion between HMAC algorithm and the corresponding hash 2019-04-11 21:22:52 +02:00
Gilles Peskine
3135184cfc Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development
Merge the Mbed Crypto development branch a little after
mbedcrypto-1.0.0 into the PSA Crypto API 1.0 beta branch a little
after beta 2.

Summary of merge conflicts:

* Some features (psa_copy_key, public key format without
  SubjectPublicKeyInfo wrapping) went into both sides, but with a few
  improvements on the implementation side. For those, take the
  implementation side.
* The key derivation API changed considerably on the API side. This
  merge commit generally goes with the updated API except in the tests
  where it keeps some aspects of the implementation.

Due to the divergence between the two branches on key derivation and
key agreement, test_suite_psa_crypto does not compile. This will be
resolved in subsequent commits.
2019-04-09 12:00:00 +02:00
Gilles Peskine
e3dbdd8d90 Gate entropy injection through a dedicated configuration option
Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.
2019-03-15 11:15:21 +01:00
Gilles Peskine
6bf4baef95 Remove compilation option MBEDTLS_PSA_HAS_ITS_IO
MBEDTLS_PSA_HAS_ITS_IO is not really useful since it doesn't actually
enable anything except the entropy seed file support, which only
requires the ITS interface and not a native implemetation. Remove it.
2019-03-15 11:15:13 +01:00
Gilles Peskine
9ab61b603d Fix cleanup in psa_cipher_setup
In some error cases, psa_cipher_setup was leaving a partly-initialized
operation context.
2019-02-26 11:29:17 +01:00
Jaeden Amero
bf61ca7a04
Merge pull request #58 from Patater/disallow-invalid-context
Disallow use of invalid contexts
2019-02-21 17:37:04 +00:00
Jaeden Amero
e236c2a13c psa: Don't abort when operations are invalid
In places where we detect a context is in a bad state and there is no
sensitive data to clear, simply return PSA_ERROR_BAD_STATE and don't
abort on behalf of the application. The application will choose what to
do when it gets a bad state error.

The motivation for this change is that an application should decide what
to do when it misuses the API and encounters a PSA_ERROR_BAD_STATE
error. The library should not attempt to abort on behalf of the
application, as that may not be the correct thing to do in all
circumstances.
2019-02-20 17:38:25 +00:00
Jaeden Amero
36ee5d0fbf psa: Disallow repeated setup
Calling psa_*_setup() twice on a MAC, cipher, or hash context should
result in a PSA_ERROR_BAD_STATE error because the operation has already
been set up.

Fixes #10
2019-02-20 15:27:41 +00:00
Jaeden Amero
a0f625ac9a psa: Disallow use of invalid hash contexts
If a hash context has not been set up, fail with PSA_ERROR_BAD_STATE as
documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
ab43997f44 psa: Disallow use of invalid cipher contexts
Ensure that when doing cipher operations out of order,
PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA
Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
252ef28dac psa: Disallow use of invalid MAC contexts
Ensure that when doing MAC operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
93e21119b7 psa: Be compatible with deprecated constants
In case the new constants aren't available yet in Mbed TLS, continue to
use the deprecated constants if they are available.
2019-02-20 13:59:05 +00:00
itayzafrir
7723ab1739 Add common header for crypto service integration 2019-02-19 15:09:14 +02:00
Jaeden Amero
cf2010cf58 psa: Check generator validity before read
Check generator validity (i.e. that alg has been initialized) before
allowing reads from the generator or allowing reads of the generator's
capacity.

This aligns our implementation with the documented error code behavior
in our crypto.h and the PSA Crypto API.
2019-02-18 17:05:50 +00:00
Jaeden Amero
9654e11b1d
Merge pull request #55 from davidsaada/david_its_ps_err_codes
Modify PSA related error codes and types
2019-02-18 15:39:27 +00:00
David Saada
a2523b2c6d Replace ITS specific types with more generic PSA storage types
PSA spec now defines more generic PSA storage types instead of the ITS
specific ones. This is necessary in order to integrate with
the newer implementation of PSA ITS landing in Mbed OS soon.
Changes include the following:
- psa_status_t replaces psa_its_status_t
- psa_storage_info_t replaces psa_its_info_t
- psa_storage_uid_t replaces psa_its_uid_t
2019-02-18 13:56:26 +02:00
David Saada
b4ecc27629 Replace PSA error code definitions with the ones defined in PSA spec 2019-02-18 13:53:13 +02:00
Jaeden Amero
892cd6df70 psa: Use new generic error codes
Mbed TLS has deprecated a few module specific error codes in favor of
more general-purpose or cross-module error codes. Use these new error
codes instead of the deprecated error codes.
2019-02-14 16:01:14 +00:00
Darryl Green
8096cafa94 Only zeroize buffer if the buffer length is non-zero 2019-02-11 14:03:03 +00:00
Darryl Green
8593bca7f8 Allow NULL buffers in psa_copy_key_material when the key size is zero 2019-02-11 13:26:36 +00:00
Gilles Peskine
122d002912 Fix memory leak in psa_copy_key 2019-01-28 14:41:11 +01:00
Gilles Peskine
f603c718c9 New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-28 14:41:11 +01:00
Jaeden Amero
43bafcca94
Merge pull request #15 from gilles-peskine-arm/psa-signature_policy_wildcard
Support wildcard hash in signature policies
2019-01-28 13:31:14 +00:00
Jaeden Amero
d46548c833
Merge pull request #23 from orenc17/its_update
Update usage of PSA ITS to comply with v1.0
2019-01-28 12:06:26 +00:00
Oren Cohen
23a6784cb9 Update usage of PSA ITS to comply with v1.0 2019-01-27 10:19:18 +02:00
Jaeden Amero
4d69cf1a84
Merge pull request #13 from Patater/pubkey-format
Simplify RSA and EC public key formats
2019-01-25 10:09:40 +00:00
Jaeden Amero
c67200d0e6 psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-23 17:39:46 +00:00
Jaeden Amero
cd09d8c83a psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-23 17:39:46 +00:00
Jaeden Amero
ccdce90adb psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-23 17:39:46 +00:00
Jaeden Amero
97271b37c8 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-23 17:31:50 +00:00
Jaeden Amero
25384a236e psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-23 17:31:50 +00:00
Jaeden Amero
cfb7ae9318
Merge pull request #16 from itayzafrir/spm-support-crypto-handles-api
Support for slots to handles crypto API changes under SPM
2019-01-23 13:38:50 +00:00
Gilles Peskine
eb35d78a11 Style fix 2019-01-22 17:56:16 +01:00
Gilles Peskine
ea2e3604b1 Merge branch 'psa-copy_key' into psa-api-1.0-beta
New function psa_copy_key().

Conflicts:
* library/psa_crypto.c: trivial conflicts due to consecutive changes.
* tests/suites/test_suite_psa_crypto.data: the same code
  was added on both sides, but with a conflict resolution on one side.
* tests/suites/test_suite_psa_crypto_metadata.function: the same code
  was added on both sides, but with a conflict resolution on one side.
2019-01-19 13:56:35 +01:00
Gilles Peskine
4cb9dde84a New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-19 13:46:36 +01:00
Gilles Peskine
0ce26e35d6 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-19 13:42:51 +01:00
Gilles Peskine
b37af92eb9 Merge branch 'psa-hash_clone' into psa-api-1.0-beta
Add psa_hash_clone.
2019-01-19 12:07:27 +01:00
Gilles Peskine
ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
Gilles Peskine
9dcc80e628 Merge branch 'psa-derive_input_steps-agreement_as_one_step' into psa-api-1.0-beta
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.

Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
  of psa_key_agreement (public_key from the work on public key formats
  vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
  tests from the work on key derivation to the format from the work on
  public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
  addition of unrelated ALG_IS_xxx macros
2019-01-18 18:54:15 +01:00
Gilles Peskine
6843c29713 Simplify the encoding of key agreement algorithms
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).

Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
2019-01-18 18:38:08 +01:00
Gilles Peskine
969c5d61f7 Make key agreement the secret input for key derivation
* Documentation
* Proof-of-concept implementation
* Updates to the tests (work in progress)
2019-01-18 18:34:28 +01:00
Gilles Peskine
6cdfdb75a9 Improve the rules on key derivation input types
Use separate step types for a KDF secret and for the private key in a
key agreement.

Determine which key type is allowed from the step type, independently
of the KDF.

Forbid raw inputs for certain steps. They definitely should be
forbidden for asymmetric keys, which are structured. Also forbid them
for KDF secrets: the secrets are supposed to be keys, even if they're
unstructured.
2019-01-18 18:33:12 +01:00
Gilles Peskine
b70a0fd1a5 Key derivation by small input steps: proof-of-concept
Document the new API. Keep the old one.

Implement for HKDF. Use it in a few test cases.

Key agreement is still unchanged.
2019-01-18 18:33:12 +01:00
Gilles Peskine
7666edbfe1 Merge branch 'psa-aead_multipart' into psa-api-1.0-beta
Add multipart AEAD API.

Add one-shot API for hash, MAC and cipher.
2019-01-18 17:59:30 +01:00
Gilles Peskine
1f9e58a1bb Merge branch 'psa-signature_policy_wildcard' into psa-api-1.0-beta
For hash-and-sign algorithms, allow a policy to specify a wildcard
instead of a specific hash algorithm.
2019-01-18 17:52:17 +01:00
Jaeden Amero
283dfd1613 psa: Add get/set domain parameters
DSA and static DH need extra domain parameters. Instead of passing these
in with the keys themselves, add get and set functions to set and
retrieve this information about keys.
2019-01-18 17:19:54 +01:00
itayzafrir
14e7678790 Documentation update regarding SPM integration 2019-01-16 11:16:39 +02:00
Jaeden Amero
08ad32721c psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-15 11:29:19 +00:00
Jaeden Amero
ec6ff863b5 psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-15 11:29:19 +00:00
Jaeden Amero
0ae445f8fd psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-15 11:29:18 +00:00
Jaeden Amero
1e5c2bd8e3 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-15 10:40:54 +00:00
Gilles Peskine
30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Gilles Peskine
30a9e41076 Declare multipart AEAD functions
Declare and document multipart AEAD functions.

This commit does not contain any implementation or tests.
2019-01-14 18:36:12 +01:00
Gilles Peskine
5f25dd00c0 Document that destroying a key aborts any ongoing operation
Document that psa_close_key() and psa_destroy_key() abort any ongoing
multipart operation that is using the key. This is not implemented
yet.
2019-01-14 18:29:46 +01:00
Jaeden Amero
6b19600fba psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-11 18:08:53 +00:00
Jaeden Amero
83d293951c psa: Call init when importing private EC keys
Previously we weren't initializing the freshly allocated ECP keypair
when importing private EC keys. This didn't seem to cause problems, at
least according to our current test coverage, but it's better to ensure
we don't have a partially initialized object by explicitly initializing
the keypair.
2019-01-10 20:25:55 +00:00
Jaeden Amero
70261c513a psa: Add initializers for key policies
Add new initializers for key policies and use them in our docs, example
programs, tests, and library code. Prefer using the macro initializers
due to their straightforwardness.
2019-01-08 14:28:04 +00:00
Gilles Peskine
1a76f3971c Merge remote-tracking branch 'psa/pr/230' into feature-psa
Implement a key handle mechanism
2018-12-12 16:15:34 +01:00
Gilles Peskine
fa4135b135 Move more slot management functions to the proper module
Move psa_load_persistent_key_into_slot,
psa_internal_make_key_persistent and psa_internal_release_key_slot to
the slot management module.

Expose psa_import_key_into_slot from the core.

After this commit, there are no longer any functions declared in
psa_crypto_slot_management.h and defined in psa_crypto.c. There are
still function calls in both directions between psa_crypto.c and
psa_crypto_slot_management.c.
2018-12-11 16:48:14 +01:00
Gilles Peskine
66fb126e87 Move the key slot array to the slot management module
Move the key slot array and its initialization and wiping to the slot
management module.

Also move the lowest-level key slot access function psa_get_key_slot
and the auxiliary function for slot allocation
psa_internal_allocate_key_slot to the slot management module.
2018-12-11 16:48:14 +01:00
Gilles Peskine
408319be3a Remove redundant check for slot->allocated
This check became redundant when support for direct access to key
slots was removed.
2018-12-11 16:48:14 +01:00
Gilles Peskine
48868129cd Document the maximum key identifier
Give it a name and explain why it was chosen.
2018-12-11 16:48:14 +01:00
Gilles Peskine
039b90cf5b Expose the PSA key slot structure to internal modules
Move psa_key_slot_t to a new header psa_crypto_core.h, to prepare for
moving the responsibility for some fields to
psa_crypto_slot_management.c.
2018-12-11 16:48:14 +01:00
Gilles Peskine
3f10812ff9 Use the library-wide zeroize function
Since Mbed TLS 2.10, there is a single copy of
mbedtls_platform_zeroize for the whole library instead of one per
module. Update the PSA crypto module accordingly.
2018-12-11 16:48:14 +01:00
Gilles Peskine
fe9756b1f5 Remove a comment that is no longer applicable 2018-12-11 16:48:14 +01:00
Gilles Peskine
2f060a8ea5 Rename key_slot_t to psa_key_slot_t in psa_crypto.c
That way it'll be ok to add it to an internal header so as to use it
in multiple source modules.
2018-12-11 16:48:14 +01:00
Gilles Peskine
4a044739a8 Fix the build without persistent storage
Add missing guards on MBEDTLS_PSA_CRYPTO_STORAGE_C.

Add test cases to test that psa_create_key and psa_open_key return
NOT_SUPPORTED.
2018-12-11 16:48:14 +01:00
Gilles Peskine
c5487a8892 Drop support for psa_key_slot_t in psa_crypto.c
This commit finishes the removal of support for direct access to key
slots in psa_crypto.c.

This marks the end of the necessary phase of the transition to key
handles. The code should subsequently be refactored to move key slot
management from psa_crypto.c to psa_crypto_slot_management.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
b77a6b25c0 Remove psa_set_key_lifetime
This function is no longer relevant. Use psa_create_key instead.
2018-12-11 16:48:13 +01:00
Gilles Peskine
f6cc435a8a Remove psa_key_slot_t from public headers
This commit marks the beginning of the removal of support for direct
access to key slots. From this commit on, programs that use
psa_key_slot_t will no longer compile.

Subsequent commits will remove the now-unused legacy support in
psa_crypto.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
f77ed1f20b Factor the common idiom psa_wipe_key_slot into a function
Many places in the code called psa_remove_key_data_from_memory (which
preserves metadata for the sake of failues in psa_import_key) followed
by clearing the slot data. Use an auxiliary function for this.
2018-12-11 16:48:13 +01:00
Gilles Peskine
d7c75707b8 mbedtls_psa_crypto_free: free allocated slots as well
Access the slot directly rather than going through psa_get_key_slot.
Unlike other places where key slots are accessed through
psa_get_key_slot, here, we know where all the slots are and there are
no policy or permission considerations.

This resolves a memory leak: allocated slots were not getting freed
because psa_get_key_slot rejected the attempt of accessing them
directly rather than via a handle.
2018-12-11 16:48:13 +01:00
Gilles Peskine
961849f6d1 Implement slot allocation
Implement psa_allocate_key, psa_open_key, psa_create_key,
psa_close_key.

Add support for keys designated to handles to psa_get_key_slot, and
thereby to the whole API.

Allocated and non-allocated keys can coexist. This is a temporary
stage in order to transition from the use of direct slot numbers to
allocated handles only. Once all the tests and sample programs have
been migrated to use handles, the implementation will be simplified
and made more robust with support for handles only.
2018-12-11 16:48:13 +01:00
Gilles Peskine
69f976b1d6 Distinguish in-memory slot number from in-storage slot identifier
At the moment, the in-storage slot identifier is the in-memory slot
number. But track them separately, to prepare for API changes that
will let them be different (psa_open_key, psa_create_key).
2018-12-11 16:48:12 +01:00
Jaeden Amero
750a049a15
Merge pull request #229 from ARMmbed/dev/Patater/fix-its-typo
storage: Correct typo of PSA_PS_ERROR_OFFSET
2018-12-05 13:19:31 +00:00
Gilles Peskine
5a3c50e890 Don't use an enum in a bit-field
This isn't standard C. GCC and Clang accept it but not every
compiler (e.g. Armcc 5).
2018-12-04 12:27:09 +01:00
Gilles Peskine
9edc146237
Merge pull request #209 from ARMmbed/psa-init_tests
Test psa_crypto_init and make it more robust
2018-11-30 13:28:47 +01:00
Jaeden Amero
58600557bb storage: Correct typo of PSA_PS_ERROR_OFFSET
Correct typo of PSA_PS_ERROR_OFFSET to PSA_ITS_ERROR_OFFSET.
2018-11-30 12:10:29 +00:00
Gilles Peskine
b0b189f31f Add missing compilation guards for GCM and CCM
Add missing compilation guards that broke the build if either GCM or
CCM was not defined.

Add missing guards on test cases that require GCM or CBC.

The build and tests now pass for any subset of {MBEDTLS_CCM_C,
MBEDTLS_GCM_C}. There are still unused variables warnings if neither
is defined.
2018-11-28 17:30:58 +01:00
Gilles Peskine
5e76952235 Add a facility to configure entropy sources
Add a function to configure entropy sources. For testing only.

Use it to test that the library initialization fails properly if there is no
entropy source.
2018-11-23 22:58:38 +01:00
Jaeden Amero
82df32e3fd psa: Unused key_bits is OK
When MD or CMAC are disabled, let the compiler know that it is OK that
`key_bits` is set but not used by casting `key_bits` to `(void)`.
2018-11-23 15:20:56 +00:00
Gilles Peskine
c6b6907066 Make library init and deinit more robust to errors
Allow mbedtls_psa_crypto_free to be called twice, or without a prior
call to psa_crypto_init. Keep track of the initialization state more
precisely in psa_crypto_init so that mbedtls_psa_crypto_free knows
what to do.
2018-11-22 13:46:51 +01:00
Gilles Peskine
a678f233a7
Merge pull request #197 from netanelgonen/entropy-inject
Add entropy inject API (#197)
2018-11-21 19:21:05 +01:00
avolinski
0d2c266c06 change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID 2018-11-21 17:31:07 +02:00
avolinski
1c66205df6 Remove trailing space in psa_crypto.c 2018-11-21 16:54:09 +02:00
avolinski
13beb100c2 Adjust psa entropy inject tests to take as minimum seed size
the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE
2018-11-21 16:24:53 +02:00
avolinski
7cc8229d80 Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec Add Tests for psa crypto entropy incjection
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Netanel Gonen
2bcd312cda Add entropy injection function to psa cripto APIs 2018-11-21 16:15:14 +02:00
itayzafrir
910c76b3d1 Check that memory allocation was successful in psa_save_generated_persistent_key 2018-11-21 16:10:33 +02:00
Darryl Green
0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green
dd8fb777ce psa: Refactor psa_internal_export_key to use slot, rather than key
When generating keys that have persistent lifetime, we will need
the keys to be in the exported format to save to persistent storage.
This refactoring to separate checking the slots usage from the
exporting of the key data will be necessary for using
psa_internal_export_key in psa_generate_key.
2018-11-20 15:40:32 +00:00
Darryl Green
d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Darryl Green
40225ba709 psa: Refactor psa_destroy_key()
Create a new function psa_remove_key_from_memory() from psa_destroy_key().
This is needed as psa_destroy_key() will remove all key data, including
persistent storage. mbedtls_psa_crypto_free() will now only free in-memory
data and not persistent data.
2018-11-20 15:21:22 +00:00
Darryl Green
06fd18de37 psa: Move get_key_slot functions
Move the psa_get_key_slot and related static functions as they will need
to call psa_import_key_into_slot() for persistent keys.
2018-11-20 15:21:22 +00:00
Darryl Green
940d72c3e8 psa: Refactor psa_import_key()
Create a new function psa_import_key_into_slot() from psa_import_key().
This is common functionality that will be used both when importing a
key and loading a key from persistent storage.
2018-11-20 15:21:22 +00:00
Hanno Becker
1aaedc03d4 Add implementation of TLS-1.2 PSK-to-MS key derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine
93f8500e2e Fix unused variables warning if MBEDTLS_ECDH_C is off
depends-pkalgs.pl passes.
2018-11-16 16:43:31 +01:00
Gilles Peskine
346797d7b9 Add missing cleanup on failure in psa_key_agreement
If psa_key_derivation_internal() fails, it's up to the caller to clean
up. Do this, and add a note at the top of
psa_key_derivation_internal() and its auxiliary functions.

There is no non-regression test because at the moment the only way to
trigger an error is a borderline low-memory condition and we don't
have the means to trigger this.
2018-11-16 16:09:27 +01:00
Gilles Peskine
a05219c70b Add some missing compilation guards
Add missing checks for defined(MBEDTLS_MD_C) around types and
functions that require it (HMAC, HKDF, TLS12_PRF).

Add missing checks for defined(MBEDTLS_ECDSA_DETERMINISTIC) around
code that calls mbedtls_ecdsa_sign_det().

Add missing checks for defined(MBEDTLS_ECDH_C) around ECDH-specific
functions.
2018-11-16 16:09:24 +01:00
Hanno Becker
353e45361d Don't call memcpy() with 0-length arguments
The standard prohibits calling memcpy() with NULL pointer
arguments, even if the size argument is 0.

The TLS-1.2 PRF generator setup function previously called
memcpy() with the label and salt as the source, even if
they were of length 0, as exercised by the derive_key_policy
test case in the PSA crypto test suite.

This commit adds guards around the memcpy() calls so that they
are only executed of salt or label have positive length, respectively.
2018-11-16 11:24:59 +00:00
Hanno Becker
3b339e2342 Simplify psa_generator_tls12_prf_generate_next_block() 2018-11-16 11:24:59 +00:00
Hanno Becker
580fba1431 Dynamically allocate A(i) + seed buffer for TLS-1.2 PRF 2018-11-16 11:24:59 +00:00
Hanno Becker
c8a41d71cb Add implementation of TLS-1.2 PRF 2018-11-16 11:24:55 +00:00
Gilles Peskine
b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine
88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine
211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine
b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine
01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine
cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine
86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine
aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Gilles Peskine
52b9018cf7 psa_export_key: for raw-byte keys, zero the end of the output buffer
Skip all writing to the target buffer if its size is 0, since in this
case the pointer might be invalid and this would cause the calls to
memcpy and memset to have undefined behavior.
2018-10-31 14:10:06 +01:00
Gilles Peskine
188c71e382 Private EC key format: change to raw secret value (export)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine
f76aa7789b Private EC key format: change to raw secret value (doc, import)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the format
specification and the import code, but not the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine
e0e9c7c417 New macro PSA_ALG_FULL_LENGTH_MAC
Provide a documented way of constructing the full-length MAC algorithm
from a truncated version.
2018-10-17 18:30:47 +02:00
Gilles Peskine
57fbdb1939 Use a public macro for AEAD tag length variations
Avoid depending on the encoding of algorithms inside psa_crypto.c.
2018-10-17 18:30:47 +02:00
Gilles Peskine
f8a8fe60f8 Fix memory leak with AEAD with non-default tag lengths
When freeing the key context, choose the context format based on the
base algorithm value stored in the operation object.
2018-10-17 13:54:48 +02:00
Gilles Peskine
8cac2e628e Translate GCM_BAD_INPUT to INVALID_ARGUMENT, not NOT_SUPPORTED 2018-10-17 13:54:48 +02:00
Gilles Peskine
99b7d6b700 Wipe sensitive data in psa_mac_verify_finish
Wipe the whole MAC intermediate buffer, not just the requested MAC
size. With truncated MAC algorithms, the requested MAC size may be
smaller than what is written to the intermediate buffer.
2018-10-17 13:54:47 +02:00
Gilles Peskine
87b0ac49f8 Fix possible buffer overread in psa_mac_finish_internal (CMAC) 2018-10-17 13:54:47 +02:00
Gilles Peskine
6d72ff9e79 Document that the minimum truncated MAC length is implementation-defined 2018-10-17 13:54:47 +02:00
Gilles Peskine
23cc2ff9a8 Add support for non-default-tag-size AEAD (CCM and GCM) 2018-10-08 14:42:11 +02:00
Gilles Peskine
edf9a6576d Refactor AEAD setup into a common function
There was a lot of repetition between psa_aead_encrypt and
psa_aead_decrypt. Refactor the code into a new function psa_aead_setup.
The new code should behave identically except that in some cases where
multiple error conditions apply, the code may now return a different
error code.

Internally, I rearranged some of the code:

* I removed a check that the key type was in CATEGORY_SYMMETRIC because
  it's redundant with mbedtls_cipher_info_from_psa which enumerates
  supported key types explicitly.
* The order of some validations is different to allow the split between
  setup and data processing. The code now calls a more robust function
  psa_aead_abort in case of any error after the early stage of the setup.
2018-10-08 14:42:11 +02:00
Gilles Peskine
d911eb7915 Add support for truncated MAC algorithms 2018-10-08 14:42:11 +02:00
Gilles Peskine
159ebf3b8e
Merge pull request #142 from ARMmbed/psa-metadata_validation
Algorithm and key type encoding validation
2018-09-24 10:38:39 +02:00
Jaeden Amero
3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero
40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine
00709fafb8 Rename PSA_ALG_HMAC_HASH to PSA_ALG_HMAC_GET_HASH
Be consistent with other GET_HASH macros.
2018-09-20 12:00:21 +02:00
Gilles Peskine
daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine
ef12c63de0 RSA verification: don't report an invalid padding error
Mbed TLS distinguishes "invalid padding" from "valid padding but the
rest of the signature is invalid". This has little use in practice and
PSA doesn't report this distinction. We just report "invalid
signature".
2018-09-17 14:33:43 +02:00
itayzafrir
90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir
0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Gilles Peskine
78b3bb670d Change the bitwise encoding of key type categories
There were only 5 categories (now 4). Reduce the category mask from 7
bits to 3.

Combine unformatted, not-necessarily-uniform keys (HMAC, derivation)
with raw data.

Reintroduce a KEY_TYPE_IS_UNSTRUCTURED macro (which used to exist
under the name KEY_TYPE_IS_RAW_DATA macro) for key types that don't
have any structure, including both should-be-uniform keys (such as
block cipher and stream cipher keys) and not-necessarily-uniform
keys (such as HMAC keys and secrets for key derivation).
2018-09-14 10:02:29 +01:00