Commit graph

72 commits

Author SHA1 Message Date
Thomas Daubney
540324cd21 Correct styling of Mbed TLS in documentation
Several bits of documentation were incorrectly styling Mbed TLS
as MbedTLS.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2023-10-06 17:07:24 +01:00
Kristian Larsson
a1aeff4124 Use quotes include of psa_util_internal.h
psa_utils_internal.h was broken out of mbedtls/psa_utils.h, which in
some places was included as <mbedtls/psa_utils.h>. But since
psa_utils_internals.h should be internal, we should not rely on the
system include paths. I suspect a regexp replace gone slightly wrong.

Signed-off-by: Kristian Larsson <kristian@spritelink.net>
2023-09-04 10:36:37 +02:00
Paul Elliott
2a12fc20f2 Fix logical dead code found by Coverity
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-08-11 17:45:20 +01:00
Tom Cosgrove
ca8c61b815 Provide and use internal function mbedtls_zeroize_and_free()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-07-17 15:17:40 +01:00
Manuel Pégourié-Gonnard
2be8c63af7 Create psa_util_internal.h
Most functions in psa_util.h are going to end up there (except those
that can be static in one file), but I wanted to have separate commits
for file creation and moving code around, so for now the new file's
pretty empty but that will change in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
David Horstmann
57727cd3fc Explain the sequence of mbedtls_psa_pake_ calls
Add a comment showing the order in which the mbedtls_psa_pake_xyz()
functions may be called.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-22 15:22:35 +01:00
David Horstmann
e5b374adaf Remove comment explaining the state machine
The explanation of the dispatch layer's state machine should not be in
the file containing the software implementation and a better
understanding can be had by reading the dispatch layer's code.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-22 15:22:35 +01:00
Przemek Stekiel
aede2ad554 Optimize code (pake role type, freeing buffers)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-25 14:30:34 +02:00
Przemek Stekiel
6e628a4e7b Add undefined role for ec j-pake
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-04-25 13:11:36 +02:00
Przemek Stekiel
e80ec0a9af Adapt J-PAKE built-in impl to use user/peer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-23 13:37:12 +01:00
Przemek Stekiel
691e91adac Further pake code optimizations
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-08 09:54:00 +01:00
Przemek Stekiel
4dc83d40af Add check for pake operation buffer overflow
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-07 10:50:00 +01:00
Przemek Stekiel
e3ef3a15cd Further pake code optimizations
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-03-06 17:24:32 +01:00
Przemek Stekiel
d93de32267 Move to computation stage only on successful setup
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-24 08:39:49 +01:00
Przemek Stekiel
083745e097 Fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-23 17:28:23 +01:00
Przemek Stekiel
ce131bf5c5 PAKE driver: fix password releasing
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
a54dc69fe0 mbedtls_psa_pake_setup: move driver password and alg init to the common part
Also in the core part change stage to computation after return from psa_driver_wrapper_pake_setup() regardless of the result. At this point driver context is active even if init has failed.

Additionally handle deallocation of password on failure in mbedtls_psa_pake_setup(). The plan was to handle deallocation on core level by calling abort on failure.
Unfortunately in this case when mbedtls_psa_pake_setup() fails with an unsupported result the built-in implementation is executed (if available) and it will reallocate the password leading to the memory leak.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
6b64862ef7 Documentation fixes and code adaptation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
251e86ae3f Adapt names to more suitable and fix conditional compilation flags
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
6d77830c6a Remove redundant code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
dff21d3429 Move jpake role check to psa_pake_complete_inputs()
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
4fcc61eec0 Optimize psa_pake_ecjpake_setup()
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
849c35f8b4 Remove pake abort on failure from driver (handled by core)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
5cbca790f7 Make usage of pake input getters
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:32 +01:00
Przemek Stekiel
b09c487546 Combine core pake computation stage(step,sequence,state) into single driver step
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
9a5b812aa8 Cleanup the code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
2797d37424 Split handling of memory allocation for password between core and driver
Driver is now responsible for creating its own copy of the password in the setup function.
After calling pake setup driver entry point core frees memory for password.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
e12ed36a6c Move JPAKE state machine logic from driver to core
- Add `alg` and `computation_stage` to `psa_pake_operation_s`.
  Now when logic is moved to core information about `alg` is required.
  `computation_stage` is a structure that provides a union of computation stages for pake algorithms.
- Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms.
- Removed test that seems to be redundant as we can't be sure that operation is aborted after failure.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:30:31 +01:00
Przemek Stekiel
51eac53b93 Divide pake operation into two phases collecting inputs and computation.
Functions that only set inputs do not have driver entry points.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
0c78180ee5 mbedtls_psa_pake_get_implicit_key: move psa_key_derivation_input_bytes call to upper layer
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Przemek Stekiel
6c7644150a Adapt pake impl for driver dispatch
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
5ae609631e Move the common parameters check code out of the wrapper
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Neil Armstrong
56b8d23ca1 Add mbedtls_ prefix to PSA PAKE over MbedTLS implementation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2023-02-22 11:25:30 +01:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Valerio Setti
6d4e75f0c6 psa_crypto_pake: initialize psa_status_t stack variables
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:52:17 +01:00
Valerio Setti
fdb77cdae3 psa_crypto_pake: internally call to psa_pake_abort() in case of errors
In this way, in case of error, it is not possible to continue using
the same psa_pake_operation_t without reinitializing it.
This should make the PSA pake's behavior closer to what is expected by
the specification

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:41:01 +01:00
Przemek Stekiel
0bdec19c93 Further optimizations of pake set_password implementation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-22 09:10:35 +01:00
Przemek Stekiel
ad0f357178 Optimize pake code that sets/use password key
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-21 15:04:37 +01:00
Przemek Stekiel
369ae0afc3 Zeroize pake password buffer before free
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-17 14:14:31 +01:00
Przemek Stekiel
152ae07682 Change password ec j-pake operation fields to more suitable
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-17 13:24:36 +01:00
Przemyslaw Stekiel
1def5becc2 Add psa_get_and_lock_key_slot_with_policy to header file
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-16 16:28:04 +01:00
Przemek Stekiel
348410f709 Make a copy of the key in operation while setting pake password
Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key.
This requires making this function public. This will have to be solved while adding driver dispatch for EC-JPAKE.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-15 22:22:07 +01:00
Manuel Pégourié-Gonnard
02f82bbfa9 Fix MSVC warning
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-13 13:32:02 +02:00
Manuel Pégourié-Gonnard
f155ab9a91 Abort on errors when we should
We're not strictly required to abort, but at least to leave the context
in an invalid state. For "late" functions like input() and output(),
calling abort() is the easiest way to do that. Do it systematically for
input() and output() by using a wrapper. psa_pake_get_implicit_key() was
already doing it. For "early" functions, we can just leave the operation
in its current state which is already invalid.

Restore previous tests about that. Not adding systematic tests, though,
just test the two functions that are the most important, and more likely
to return errors.

Since we now abort in more cases, we need to make sure we don't
invalidate the operation that's going to be re-used later in the test.
For that reason, use a copy of the operation for calls to input() and
output() that are expected to return errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-13 13:20:31 +02:00
Manuel Pégourié-Gonnard
0771d41584 Fix missing length check
There was a check against the remaining size of the buffer, which used
to be correct, but was broken two commits ago when we started not just
copying the input but also adding to it.

Replace it with a check that the input length is not greater than what's
expected for this step. This guarantees we won't overflow the internal
buffer.

While at it, add an explicit cast to uint8_t when writing the length to
the buffer, to silence an MSVC warning. This cast is safe because we
checked that the length is no larger than 65 or 32 (depending on the
step), so in any case it fits in one byte.

This was found because some lengths had not been adjusted in the test
suite, and instead of failing cleanly, library code performed buffer
overflows. I'll fix the tests in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-06 09:30:34 +02:00
Manuel Pégourié-Gonnard
79617d99ae Fix namespacing issue
This macro is specific to the Mbed TLS implementation and not part of
the public API, so it shouldn't use the PSA_ namespace.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-05 12:55:50 +02:00
Manuel Pégourié-Gonnard
ec7012dbc7 Fix I/O format of PSA EC J-PAKE for compliance
The format used by the mbedtls_ecjpake_xxx() APIs and that defined by
the PSA Crypto PAKE extension are quite different; the former is
tailored to the needs of TLS while the latter is quite generic and plain.
Previously we only addressed some part of this impedance mismatch: the
different number of I/O rounds, but failed to address the part where the
legacy API adds some extras (length bytes, ECParameters) that shouldn't
be present in the PSA Crypto version. See comments in the code.

Add some length testing as well; would have caught the issue.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-05 12:52:48 +02:00
Neil Armstrong
6a12a7704d Fix typo in comment
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-14 12:17:42 +02:00
Neil Armstrong
fa84962296 Add comment explaining PSA PAKE vs Mbedtls J-PAKE API matching strategy
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-13 15:19:56 +02:00
Neil Armstrong
3d4966a5cb Move possible input/output steps check inside PSA_ALG_JPAKE handling
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-13 15:19:56 +02:00