Technically this function takes a low entropy secret as an input which
might or might not be the password. Using the term "secret" in the
function name is less misleading.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The password stretching (using slow and/or memory hard hashes) in PAKEs
usually serves two purposes:
- Defending against server compromise impersonation attacks. J-PAKE is an
augmented PAKE and as such, stores a password-equivalent and defending
against this class of attacks is out of scope.
- Preventing offline dictionary attacks. J-PAKE is proven to be zero
knowledge and leaks no information beyond the fact if the passwords
matched and offline dictionary attack is not possible.
In summary: J-PAKE does not benefit from pasword stretching and is
unlikely to be an input. This part of the API is not necessary at this
point and can be added later.
Signed-off-by: Janos Follath <janos.follath@arm.com>
We are not confident about the stability of the PAKE interface (it is
just a proposal, not part of the standard yet). So we should explicitly
document it as experimental, subject to change.
Signed-off-by: Janos Follath <janos.follath@arm.com>
At this point this is a proposed PAKE interface for the PSA Crypto API
and not part of the official standard. Place the interface in
crypto_extra.h to make this clear.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not
PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as
well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The caller is likely to receive the inputs on the wire, and having a
known size for which they can confidently reject longer inputs would be
helpful in cases where the application can't just use the input in
place.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Define the size macros to 0 rather than empty. That will lead to fewer
weird errors when we start implementing.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Remove padding parameters as mbedtls_rsa_init()
cannot return an error code when padding
parameters are invalid.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
mbedtls_rsa_set_padding() now returns the error
code MBEDTLS_ERR_RSA_INVALID_PADDING when
padding parameters are invalid.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ssl_server2 had a check that we never try to use a minor version lower
than 2 with DTLS, but that check is no longer needed, as there's no way
that would happen now that MBEDTLS_SSL_MINOR_VERSION_1 is no longer
public.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit removes the API
```
mbedtls_ssl_conf_ciphersuites_for_version()
```
which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.
With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.
This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and
```
mbedtls_ssl_conf_ciphersuites()
```
can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Note that this error has a negligible probability with a "crypto-sized"
bound, but macroscopic probability with a small bound.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.
This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make input/output format documentation easier to find:
- Add direct reference to the steps from the input/output functions
- Move the format description directly to the step constants
Signed-off-by: Janos Follath <janos.follath@arm.com>
- Transformed setup description to a more explicit pseudocode based
approach.
- Explained implicit vs explicit key confirmation
Signed-off-by: Janos Follath <janos.follath@arm.com>
This step is not necessarily a memory-hard function. Memory-hard
functions are the best of the breed at the moment, but that's due to
current hardware designs, and CPU-hard-but-not-memory-hard functions
like PBKDF2 are acceptable as well. We're using “key stretching” as the
generic term for such functions.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The key derivation operation passed to psa_pake_set_password_mhf() might
enter an error state before the function returns. If this happens, the
user needs to know about it so that they can properly abort it.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The type of the key derivation operation was incorrect.
Also neither the PAKE nor key_derivation algorithm knows how many bytes
to transfer at this stage.
There is no optimal or recommended size, PAKEs don't mandate it either
(with the exception of OPAQUE, but that uses it internally and won't be
using this interface).
Adding an input length parameter to allow the application to control how
many bytes the PAKE takes from the key derivation.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Using memory hard functions with PAKEs is the more secure option. It
should be as convenient and efficient to use as less secure options, but
so far it required creating an additional temporary key object.
With psa_pake_set_password_mhf() this eliminates the need for this.
Similarly we could add a convenience function to supply the password
directly from character strings, but that would make the less secure
option more convenient again and therfore we are not doing it now.
Signed-off-by: Janos Follath <janos.follath@arm.com>
PAKE constructions that have multiple key shares will always consume and
produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X
would demand step-sequence validation, and provides no functional
utility over having only PSA_PAKE_DATA_XXX.
Signed-off-by: Janos Follath <janos.follath@arm.com>
If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a
structure it can't be a compile-time constant anymore.
Reintroducing psa_pake_primitive_t, because it can be constructed as an
integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE
calculating accurate estimates on the output size in compile time.
Signed-off-by: Janos Follath <janos.follath@arm.com>
There are too many parameters to the setup function. This makes it hard
to figure out how to call the function and read code that calls the
function. This also opens the suspicion that there's yet another
parameter that we're missing.
Signed-off-by: Janos Follath <janos.follath@arm.com>
"Data" is too vague, renaming it to psa_pake_step_t. It is still
somewhat vague, but at least consistent with the naming used in key
derivation.
Signed-off-by: Janos Follath <janos.follath@arm.com>
__DOXYGEN_ONLY__ blocks were only used to typeset the PSA specification
back when it was extracted from Mbed TLS headers. They are no longer
used and should be removed.
The PSA Crypto Driver API is still under development and might be
extracted from Mbed TLS headers, leaving them there for now.
Signed-off-by: Janos Follath <janos.follath@arm.com>
It is the size of something that has no a priori reason to consist of 8
bits. This should be psa_pake_family_t, both for documentation (and
possibly static analysis) and in case 8 bits turn out not to be enough.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Identifier value was not consistent with PSA conventions (last byte is
reserved for hash algorithms or used in algorithms parametrized by
a hash).
Signed-off-by: Janos Follath <janos.follath@arm.com>
The cipher suite now defines the algorithm itself as well. Passing the
algorithm separately is redundant and error prone.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Making the cipher suite struct internal made a number of types and
macros in the interface unused.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Hiding the structure of the cipher suite implementation allows for
greater flexibility.
To preserve maximum flexibility, the constructor is replaced by
individual setter/getter functions.
Convenience macros and or functions can be added later.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In the key types API, PSA Crypto uses ECC to denote Elliptic curve
cryptography and DH to denote Finite Field Diffie-Hellman.
Change PSA_PAKE_PRIMITIVE_TYPE_XXX macros to be aligned.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The macro PSA_PAKE_KEY_SHARE_SIZE has been removed, we need to remove
references to it from the documentation as well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
There were remnants of the PSA specification wording in the
documentation that can be confusing in Mbed TLS.
We need to make it clear what the consequences of being implementation
defined are in Mbed TLS.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The main purpose of psa_pake_get_key_share() is to provide a more
straightforward and convenient call flow for regular PAKEs. Most PAKEs
have a single key share and need a flow like this:
op=PSA_PAKE_OPERATION_INIT;
psa_pake_setup();
psa_pake_get_key_share();
psa_pake_set_key_share();
psa_pake_get_implicit_key();
Adding psa_pake_get/set_key_share() functions cuts out the
psa_pake_data_t constants from the users vision, hiding complexity that
exists only for unrelated PAKEs that aren't relevant for the user.
This comes with the cost of the two additional API functions that we need
to maintain.
Since the current stream of work focuses on enabling J-PAKE, there are
no benefits to these functions for now.
Once algorithms that can benefit from this simplification are added,
adding back these functions can be reconsidered.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The documentation is calling PAKEs protocols but it has an
psa_algorithm_t identifier. To align the terminology, the documentation
should call them algorithms as well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Fix the typo in the macro definition and more specific parameter names
allow for future scripts to check validity of arguments.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The PSA_KEY_TYPE_PASSWORD key type to which this documentation change
refers to is not yet present in the code and will be introduced by a
parallel line of work.
Signed-off-by: Janos Follath <janos.follath@arm.com>
PAKE protocols make use of a range of cryptographic schemes and
primitives. Standards allow for several options to use for each of them.
They call the combination of specific algorithms cipher suites,
configurations or options.
Cipher suites are represented by a separate data type for several
reasons:
1. To allow for individual PAKE protocols to provide pre-defined cipher
suites.
2. To organise cipher suites into a unit that can be handled separately
from the operation context. The PAKE operation flow is already
complex, will be even more so when key confirmation is added.
Handling them separately should reduce the surface of the interface
the application developer needs to pay attention at any given time.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In most of the PAKEs the primitives are prime order groups, but some of
them might need the ring structure or just are using completely different
algebraic structures (eg. SRP or PQC schemes).
Signed-off-by: Janos Follath <janos.follath@arm.com>
Commit adds the conditional definition of
MBEDTLS_ECDH_LEGACY_CONTEXT to ecdh.h.
MBEDTLS_ECDH_LEGACY_CONTEXT is only defined
if MBEDTLS_ECP_RESTARTABLE is definied.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the definition of
MBEDTLS_ECDH_LEGACY_CONTEXT from config.h.
Additionally removes the unset calls to
MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Split operation start and the declaration of data lengths
to better align with the PSA Cryptography multipart AEAD
APIs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
MBEDTLS_ECP_FIXED_POINT_OPTIM aims to speed up ecc multiplication performance.
We compute the comb table in runtime now. It is a costly operation.
This patch add a pre-computed table to initialize well-known curves. It speed up ECDSA signature verify process in runtime by using more ROM size.
Signed-off-by: kXuan <kxuanobj@gmail.com>
- the \internal note said that calling cipher_init() first would be made
mandatory later, but the documention of the ctx parameter already said
the context had to be initialized...
- the documentation was using the word initialize for two different
meanings (calling setup() vs calling init()), making the documentation
of the ctx parameter quite confusing (you must initialize before you can
initialize...)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Improve some length parameter descriptions, aligning
them with the descriptions for the one-shot
functions.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Change from `body` to `input` to refer to the input data.
Add prefix total_ to the new length parameters
to ease refering to them in the documentation of
the other multi-part APIs.
Add error code documentation.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define the dependency symbols PSA_WANT_ALG_ECDSA_ANY and
PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW as de facto synonyms of
PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_RSA_PKCS1V15_SIGN respectively: if
either one is requested, the other is set.
This makes it easier to systematically determine the dependencies of
an algorithm.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define CCM multi-part API along the lines of the
GCM multi-part API. The two APIs are not exactly
the same as, contrary to GCM, CCM needs the size
of the additional data and plaintext/ciphertext
from the start.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The previous documentation could be read as exhaustively listing
the factors that go into computing the maximum outgoing record
plaintext size -- we should give examples, but allow ourselves
to add more factors in the future.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit makes the API
- mbedtls_ssl_get_output_max_frag_len()
- mbedtls_ssl_get_input_max_frag_len()
- mbedtls_ssl_get__max_frag_len()
for querying the state of the Maximum Fragment Length
extension internal.
Rationale: The value those APIs provide to the user is in
upper bounds for the size of incoming and outgoing records,
which can be used to size application data buffers apporpriately
before passing them to mbedtls_ssl_{read,write}(). However,
there are other factors which influence such upper bounds,
such as the MTU or other extensions (specifically, the
record_size_limit extension which is still to be implemented)
which should be taken into account.
There should be more general APIs for querying the maximum
size of incoming and outgoing records.
For the maximum size of outgoing records, we already have such,
namely mbedtls_ssl_get_max_out_record_payload().
For the maximum size of incoming records, a new API will be
added in a subsequent commit.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Public structs members are considered private and should not
be used by users application.
MBEDTLS_PRIVATE(member) macro is intended to clearly indicate
which members are private.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Some documentation in rsa.h was
still incorrect regarding f_rng
being mandatory. This has now
been corrected.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Add comment to the effect that we cannot really check nonce size as the
GCM spec allows almost arbitrarily large nonces. As a result of this,
change the operation nonce over to an allocated buffer to avoid overflow
situations.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Conflicts:
library/version_features.c
programs/test/query_config.c
Files were removed in development branch and modified by current branch.
Conflicts fixes by removing them.
This commit removes the RSA
constants MBEDTLS_RSA_PUBLIC
and MBEDTLS_RSA_PRIVATE because
they are now superfluous given
that the mode parameter has been
removed.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify_ext
function. This change is propagated
throughout the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the f_rng parameter from
the mbedtls_rsa_rsassa_pss_verify_ext
function. This is in preparation for
the removal of the mode parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes p_rng parameter from the
mbedtls_rsa_rsassa_pss_verify_ext function
in preparation for removal of the mode
parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the mode parameter
from the mbedtls_rsa_rsassa_pss_verify
function and propagates the change
throughout the process.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes f_rng parameter from
mbedtls_rsa_rsassa_pss_verify function in
preparation of mode parameter removal.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes p_rng parameter from
mbedtls_rsa_rsassa_pss_verify function
as preparation for removing the mode
parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_verify and
propagates the change throughout the
codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit performs removal of f_rng parameter
from mbedtls_rsa_rsassa_pkcs1_v15_verify
function in preparation for removal of mode
parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes p_rng from
mbedtls_rsa_rsassa_pkcs1_v15_verify function in
preparation of removal of mode parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Conflicts:
* configs/config-psa-crypto.h: modified here, removed in development
* tests/suites/test_suite_x509parse.data: all conflicts are in depends_on
lines where development made a change unrelated to MBEDTLS_SHAxxx and our
branch either changed `MBEDTLS_SHA256_C` to `MBEDTLS_SHA224_C` or
`MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384` to ``MBEDTLS_SHA384_C`, with
no change to what the test does. Pick the other branch's dependency
changes then apply our SHA dpeendency change.
To simplify the documentation, and because there are only two realistic
behaviors in practice, only allow two behaviors for multipart output:
immediate output, or buffering of the last partial block.
State some simple rules that applications can follow if they don't care about
the details.
Explicitly state how much output is needed for finish(). Only require the
buffer size to be the size of the actual output, not the size of the potential
output in the worst case. Rename the parameter from output_len to output_size
since it's a buffer size and not necessarily the length of the data.
No longer guarantee that the built-in implementation produces immediate
output.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Commit removes mode parameter from
mbedtls_rsa_pkcs1_verify and propagates the
change throughout the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes p_rng from mbedtls_rsa_pkcs1_verify
since p_rng has no relevance following the removal
of f_rng from this function.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes f_rng parameter from
mbedtls_rsa_pkcs1_verify as a prerequisite
to removing the mode parameter. f_rng no
longer has relevance in this function if
mode is removed.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the mode param from
mbedtls_rsa_rsassa_pss_sign and propagates
the changes throughout the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the mode parameter from
mbedtls_rsa_rsassa_pkcs1_v15_sign and
propagates the change throughout the
codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Commit removes the mode parameter from
mbedtls_rsa_pkcs1_sign and progagates the
change to all relevant parts of the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
This commit modifies the typedef of
mbedtls_pk_rsa_alt_sign_func and propagates the
associated changes throughout the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Removes mode parameter from
mbedtls_rsa_rsaes_oaep_encrypt and propagates
changes throughout the codebase.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Removal of mode parameter from
mbedtls_rsa_rsaes_pkcs1_v15_encrypt. This commit
propagates the change to all relevant function calls
and tests.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Removal of the mode parameter from
mbedtls_rsa_pkcs1_encrypt function. This change
is propagated throughout the codebase and to
relevant tests.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
As picked up in review, this commit
modifies the documentation by removing some
wording that is now superfluous given the
removal of the mode parameter.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Split to data required for internal implementation and data required for
driver implementation with data left over for the PSA layer.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Add (internal only) define to config.h which allows the temporary
implementation of CCM to work, by removing the buffer zeroization on tag
fail when decrypting. This will obviously be removed when multipart CCM
is properaly implemented
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Move CCM to update all data at update step, as final step can only
output at most a block length, so outputting all data at this step
significantly breaks the tests. Had to add unpleasant workaround for the
validate stage, but this is the only way I can do things without
breaking CCM Alt implementations.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
For the time being CCM and GCM are not entirely implemented correctly
due to issues with their underlying implentations, which would be
difficult to fix in 2.x, and thus require all the AD and data to be
passed in in one go.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Multipart AEAD operation struct has to be public as it's allocated by
the caller, so to save duplication of code, switch oneshot AEAD over to
using the multipart operation struct.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
mbedtls_ssl_{get,set}_session() exhibited idempotent behaviour
in Mbed TLS 2.x. Multiple calls to those functions are not useful
in TLS 1.2, and the idempotent nature is unsuitable for support of
TLS 1.3 which introduces the availabilty to offer multiple tickets
for resumption, as well as receive multiple tickets.
In preparation for TLS 1.3 support, this commit relaxes the semantics
of `mbedtls_ssl_{get,set}_session()` by allowing implementations to
fail gracefully, and leveraging this freedom by modifying the
existing TLS 1.2 implementation to only accept one call to
`mbedtls_ssl_{get,set}_session()` per context, and non-fatally
failing all subsequent invocations.
For TLS 1.3, it will be leveraged by making multiple calls to
`mbedtls_ssl_get_session()` issue one ticket a time until no more
tickets are available, and by using multiple calls to
`mbedtls_ssl_set_session()` to allow the client to offer multiple
tickets to the server.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The output parameter of mbedtls_sha256_finish_ret and mbedtls_sha256_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-224 hash into a
28-byte buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The output parameter of mbedtls_sha512_finish_ret and mbedtls_sha512_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-384 hash into a
48-byte buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove mode param from mbedtls_rsa_rsaes_pkcs1_v15_decrypt
and also modify and remove relevant tests.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Removing the mode parameter from the mbedtls_rsa_rsaes_oaep_decrypt
function. The change is progagated to all function calls, including in
test suite .function files. Additionally fully removing one test
where the wrong mode was being tested.
Signed-off-by: Tom Daubney <Thomas.Daubney@arm.com>
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
The mode parameter has been removed from the
mbedtls_rsa_pkcs1_decrypt function. The change
has been progagated to all function calls,
including in test suite .function files.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Removed a conditional compilation block
relating to MBEDTLS_PKCS1_V15 in
rsa_pkcs1_verify_raw function that was no
longer relevant.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Building the library without entropy sources negates any and all security
provided by the library.
This option was originally requested a relatively long time ago and it
does not provide any tangible benefit for users any more.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Rework SHA224 and SHA283 documentation.
Define MBEDTLS_SHAxxx_C options in alphabetic order.
Fix SHA224 and SHA384 dependencies in test suites.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
It makes sense to do the length checking in the core rather than expect
each driver to deal with it themselves. This puts the onus on the core to
dictate which algorithm/key combinations are valid before calling a driver.
Additionally, this commit also updates the psa_mac_sign_finish function
to better deal with output buffer sanitation, as per the review comments
on #4247.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This means there is no longer a need to have an internal HMAC API, so
it is being removed in this commit as well.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Prefix with 'mbedtls_psa' as per the other types which implement some
sort of algorithm in software.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The purpose of key_set was to guard the operation structure from being
used for update/finish before a key was set. Now that the implementation
fully adheres to the PSA API, that function is covered by the `alg`
variable instead. It's set to the algorithm in use when a key is set, and
is zero when the operation is reset/invalid.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Apparently it was at some point assumed that there would be
support for MAC algorithms with IV, but that hasn't been
implemented yet. Until that time, these context structure
members are superfluous and can be removed.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Typedef'ed structures are suffixed _t
Also updated the initialiser macro with content that actually
matches the structure's content.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Since HMAC moved into its own compilation unit, the internal API needed
to be documented and finalized. This means no more reaching deep into
the operation structure from within the PSA Crypto core. This will make
future refactoring work easier, since internal HMAC is now opaque to the
core.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Modeled after the include chain of the primitive operation contexts.
Also moved the HMAC context structure to the builtin composites file,
since that is where it conceptually belongs. This is a preparatory
step for implementing driver dispatch of MAC multipart operations.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This was probably included by mistake, because the file itself is part
of the inclusion chain starting with crypto.h.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This is a preparatory step in order to be able to organize the include
chain from crypto_struct in such a way that the MAC operation structure
for the PSA 'software' driver can make use of the hash operation structure.
Conceptually:
* Primitives:
* Hash
* Cipher
* Composites:
* AEAD (can use cipher)
* MAC (can use cipher and/or hash)
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This algorithm is used for example by the Thread 1.1.1 specification,
which is not public but can be obtained free of charge at
https://www.threadgroup.org/ThreadSpec
Here it doesn't really make sense to define a parametrised family, as
this really seems to be the only use of PBKDF2 with a CMAC-based PRF (or
with any PRF other than HMAC with SHA1 or SHA2, for that matter).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Might make the implementer's life a bit simpler, and is not a big
constraint on applications.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
No change of behaviour, encoding or naming intended in this commit: just
describe the same behaviour, but in a way that's hopefully clearer and
more complete.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit removes the unused error code
```
MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
```
from the public API for Mbed TLS 3.0.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This error is used when the output buffer isn't large enough
to hold our own certificate.
In the interest of cleaning up the error space for 3.0, this commit
removes MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and replaces its single
use by MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The SSL error code MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED is unused.
Remove it for Mbed TLS 3.0.
The code being unused comes as a surprise, at is seems to be
reasonable to report it to the user upon peer CRT verification
failure. However, this study (can potentially re-introduction
of the code) can be left for 3.x, while the error code removal
can only happen in 3.0.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The SSL error code MBEDTLS_ERR_SSL_UNKNOWN_CIPHER is unused.
Remove it for Mbed TLS 3.0 and leave a comment indicating the
gap in the error code space it creates.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.
check_config is the only module which enforces that SHA512 is
enabled together with SHA384.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Fix an issue where `MBEDTLS_X509_REMOVE_INFO` was defined/enabled by default
in `include/mbedtls/config.h`. This should also fix the `context-info.sh` test
where it ran the default config and expected to see some output from the x509
info functions that were removed.
Also updated relevant comments to more accurately explain how the
configuration option works.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
The new compile-time option MBEDTLS_X509_REMOVE_INFO removes various
X.509 debugging strings and functionality, including
```
mbedtls_x509_crt_verify_info()
```
which ssl_client2.c and ssl_server2.c use to print human readable
descriptions of X.509 verification failure conditions. Those
conditions are also grepped for in numerous ssl-opt.sh tests.
Instead of disabling those tests if MBEDTLS_X509_REMOVE_INFO is set,
this commit essentially moves mbedtls_x509_crt_verify_info() to
ssl_client2.c and ssl_server2.c. However, instead of just copy-pasting
the code from x509_crt.c, the following approach is used:
A macro MBEDTLS_X509_CRT_ERROR_INFO_LIST is introduced which for each
verification failure condition invokes a user-defined macro X509_CRT_ERROR_INFO
with (a) the numerical error code, (b) the string presentation of the
corresponding error macro, (c) the info string for the error condition.
This macro can thus be used to generate code which somehow iterates over
the verifiation failure conditions, but the list of error conditions and
information strings is nowhere duplicated.
This is then used to re-implement mbedtls_x509_crt_verify_info() in
x509_crt.c and to provide a functionally equivalent (yet slightly different)
version in ssl_client2.c and ssl_server2.c in case MBEDTLS_X509_REMOVE_INFO
is set.
This way, little changes to ssl-opt.sh will be necessary in case
MBEDTLS_X509_REMOVE_INFO is set because the info strings for the
verification failure conditions will be printed regardless of whether
MBEDTLS_X509_REMOVE_INFO is set or not.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The introduction of positive options to control the presence
of pre-existing functionality breaks the build for users of
handwritten configurations.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
This function was previously called mbedtls_error_add_ext because there
was a macro called mbedtls_error_add. That later got capitalised which
allows the function to now be named mbedtls_error_add.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Improve comments explaining error code checking, fix incorrect comments
and make a small formatting fix.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
If the compile-time configuration enables an option that was removed
in Mbed TLS 3.0, and the effect of removing the option would likely
not be detected at build time, #error out in check_config.h.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Note on naming: previously considered input_numeric but then thought the
other two input function are "input <name>" not "input <adjective>" so
decided to follow that pattern. input_int would be shorter but sounds
too much like the C type, which could be confusing as that's not the
type of the parameter; IMO "integer" avoids that problem.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
For the numeric values, I followed the apparent existing convention:
- first byte is 01 for secret inputs, 02 for non-secret inputs
- then second by is just incremented for each new input type
The documentation references a function that will be introduced in the
next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The documentation references functions that will be introduced in later
commits, but hopefully from the naming it's already clear what those
function will do.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Question to reviewers: regarding the numeric values, I'm not sure I've
incremented the right byte/nibble. Should this be 0x1201, 0x1202
instead, or something else? Is there a convention I should be aware of?
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Specifically allow the driver to override the persistency level of a
builtin key in cases where the driver is persistency-aware.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The GCM interface now has separate functions to start the operation
and to pass the associated data.
This is in preparation for allowing the associated data to be passed
in chunks with repeatated calls to mbedtls_gcm_update_ad().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alternative implementations of GCM may delay the output of partial
blocks from mbedtls_gcm_update(). Add an output length parameter to
mbedtls_gcm_update() to allow such implementations to delay the output
of partial blocks. With the software implementation, there is no such
delay.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alternative implementations of GCM may delay the output of partial
blocks from mbedtls_gcm_update(). Add an output parameter to
mbedtls_gcm_finish() to allow such implementations to pass the final
partial block back to the caller. With the software implementation,
this final output is always empty.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Due to repeated calls to PSA_AEAD_NONCE_LENGTH, which in turn calls
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG several times, some macros updated
in this PR expanded to over 6000 characters, more than the 4095 that ISO
C99 compilers are guaranteed to support.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Instead of the full attributes struct, it now only takes/returns what it
actually needs to.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Where a change was necessary, the new documentation was copied from the
PSA Crypto API spec exactly, with the exception of PSA_AEAD_TAG_LENGTH,
which needed some adjustment.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
This reverts commit c75d9f589b.
This was merged by mistake in development instead of development_3.0.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
MSVC is not fully compliant with C99 where the 'inline' keyword is defined.
Add a macro to define an alternative for non-compliant compilers.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add a missing guard for the definition and declaration of
mbedtls_test_hook_error_add.
Also make the declaration always visible when MBEDTLS_TEST_HOOKS is
enabled. This fixes an issue when MBEDTLS_ERROR_C is not defined but
MBEDTLS_TEST_HOOKS is.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Improve documentation by:
- Fixing off by one errors in binary representations of error codes.
- Clarifying combinations of zero.
- Linking references to variables/macros via doxygen.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix unused parameter warnings when MBEDTLS_TEST_HOOKS is not enabled.
A few issues were caught by check-names.sh namely:
- mbedtls_error_add was not capitalised.
- mbedtls_test_hook_error_add was being defined multiple times as the
definition was in a header.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
The previous implementation of the error addition interface did not comply
with the invasive testing architecture guidelines. This commit fixes that
by:
- Renaming functions/macros/variables to follow the mbedtls_error_xxx or
mbedtls_test_hook_xxx convention.
- Making mbedtls_test_hook_error_add a global variable that can be set
by the testing code.
- Using a static inline function call, as opposed to macro, to keep
discrepancies between debug and production version to a minimum.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix builds where `MBEDTLS_ERROR_C` is not defined but `MBEDTLS_TEST_HOOKS`
is defined. This was previously causing undefined reference errors in
these builds.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Change the signature of the `hook` parameter of `mbedtls_set_err_add_hook`
to use the actual signature of the function as opposed to `void *`. This
fixes a warning when compiling with clang `-pedantic`.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
`error.c` and error.h are the more logical place to keep this code and it
prevents issues with building `common.c` and conflicts with other projects
that use mbedtls (such as mbedOS).
`error.c` has been automatically generated by first adding the code to
`error.fmt` and then running `./scripts/generate_errors.pl`.
Also add parenthesis to the addition in `MBEDTLS_ERR_ADD`.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
`error.c` is a file generated from `error.h` and thus cannot contain the code
that was previously added. This commit fixes that issue by moving the
`MBEDTLS_ERR_ADD` macro and associated function and function pointer into
`common.h` and `common.c`.
Also fix a typo in `tests/include/test/helpers.h` where tabs were accidentally
used instead of spaces.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Adds a macro (`MBEDTLS_ERR_ADD`) to add error codes together and check that the
result will not be corrupted. This additional check is only enabled during
testing when `MBEDTLS_TEST_HOOKS` is defined.
Also includes a reference usage example in `rsa.c` where two high-level error
codes could be incorrectly added together under the right conditions. This now
ensures that when this error occurs during testing it will be correctly
reported.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix expected error code when importing a persistent key or
registering a key with an invalid key identifier:
PSA_ERROR_INVALID_ARGUMENT instead of PSA_ERROR_INVALID_HANDLE.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Implementers and users would have to refer to the RFC for the detailed
specification of the algorithm anyway.
Keep a mention of the curves and hashes involved for avoidance of doubt.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The coordinates are over $F_{2^{255}-19}$, so by the general
definition of the bit size associated with the curve in the
specification, the value for size attribute of keys is 255.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The size attribute of a key is expressed in bits, so use bits in the
documentation. (The documentation of psa_export_key() describes the
export format, so it counts in bytes.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output.
SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define algorithms for PureEdDSA and for HashEdDSA, the EdDSA variants
defined by RFC 8032.
The encoding for HashEdDSA needs to encode the hash algorithm so that
the hash can be calculated by passing PSA_ALG_SIGN_GET_HASH(sig_alg)
to psa_hash_compute() or psa_hash_setup(). As a consequence,
Ed25519ph (using SHA-512) and Ed448ph (using SHAKE256) need to have
different algorithm encodings (the key is enough to tell them apart,
but it is not known while hashing). Another consequence is that the
API needs to recognize the Ed448 prehash (64 bytes of SHAKE256 output)
as a hash algorithm.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add an elliptic curve family for the twisted Edwards curves
Edwards25519 and Edwards448 ("Goldilocks"). As with Montgomery curves,
since these are the only two curves in common use, the family has a
generic name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove cipher_generate_iv driver entry point as there
is no known use case to delegate this to a driver.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move members that are of no use to the PSA crypto core
to the Mbed TLS implementation specific operation context.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For cipher multi-part operations, dispatch based on
the driver identifier even in the case of the
Mbed TLS software implementation (viewed as a driver).
Also use the driver identifier to check that an
cipher operation context is active or not.
This aligns the way hash and cipher multi-part
operations are dispatched.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add missing PSA_WANT_CCM/GCM/CMAC. This completes
the set of PSA_WANT config options given the
current support of PSA crypto in Mbed TLS.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When these names were changed, the definition got misaligned with the
rest of the fields. Fix this alignment.
Signed-off-by: David Brown <david.brown@linaro.org>
The hash driver entry points (and consequentially the hash driver core)
are now always compiled on when PSA_CRYPTO_DRIVER_TEST is turned on.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Drivers (both built-in and external) need to declare their context
structures in a way such that they are accessible by the
to-be-autogenerated crypto_driver_contexts.h file. That file lives in
include/psa, which means all builtin driver context structure
declarations also need to live in include/psa.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
`entropy_poll.h` and `md_wrap.h` were still being used in some of the
example programs. As these headers are now internal, remove their
references and replace them with publicly available functions.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
psa_aead_generate_nonce() could generate a nonce of up to 13 bytes,
depending on the inputs to psa_aead_set_lengths().
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Fix SEC to SECP as the curve name. This fixes failing tests that
verified the config option was working.
Signed-off-by: David Brown <david.brown@linaro.org>
An earlier commit fixes the names of the PSA_WANT_ECC_ macros. Update
the crypto_config.h file to match these new names.
Signed-off-by: David Brown <david.brown@linaro.org>
Use the names as described in
`docs/proposed/psa-conditional-inclusion-c.md which use a transform
like: SECP256R1 -> SECP_R1_256. The CURVE25519 and CURVE448 become
MONTGOMERY_255 and MONTGOMERY_448.
Signed-off-by: David Brown <david.brown@linaro.org>
