Commit graph

11559 commits

Author SHA1 Message Date
Janos Follath
dca667ac80 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-09-05 11:18:58 +01:00
Jaeden Amero
c04305f036 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (863 commits)
  crypto_platform: Fix typo
  des: Reduce number of self-test iterations
  Fix -O0 build for Aarch64 bignum multiplication.
  Make GNUC-compatible compilers use the right mbedtls_t_udbl again on Aarch64 builds.
  Add optimized bignum multiplication for Aarch64.
  Enable 64-bit limbs for all Aarch64 builds.
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
  psa: Use application key ID where necessary
  psa: Adapt set_key_id() for when owner is included
  psa: Add PSA_KEY_ID_INIT
  psa: Don't duplicate policy initializer
  crypto_extra: Use const seed for entropy injection
  getting_started: Update for PSA Crypto API 1.0b3
  Editorial fixes.
  Cross reference 'key handles' from INVALID_HANDLE
  Update documentation for psa_destroy_key
  Update documentation for psa_close_key
  Update psa_open_key documentation
  Remove duplicated information in psa_open_key
  Initialize key bits to max size + 1 in psa_import_key
  ...
2019-09-05 11:11:38 +01:00
Jaeden Amero
8096969905
Merge pull request #139 from Patater/des-faster-and-typo-fix
Make DES self-test faster, and fix a typo
2019-09-04 12:18:39 +01:00
Jaeden Amero
5656623d9e
Merge pull request #240 from Ko-/development
Enable 64-bit bignum limbs and add optimized multiplication for Aarch64
2019-09-04 11:11:51 +01:00
Jaeden Amero
f66e7ea7f3
Merge pull request #178 from mpg/sha512-smaller
New config.h option to make SHA-512 smaller
2019-09-04 10:19:28 +01:00
Jaeden Amero
4013b98df0
Merge pull request #166 from k-stachowiak/IOTCRYPT-440-add-missing-dec_empty_buf-tests
Add missing dec_empty_buf tests
2019-09-04 10:18:11 +01:00
Jaeden Amero
95d8438138 crypto_platform: Fix typo 2019-09-04 10:11:45 +01:00
Jaeden Amero
355b4b0c25 des: Reduce number of self-test iterations
Tiny slow processors take a long time to go through 10,000 iterations.
Try with 100 iterations instead.

Fixes https://github.com/ARMmbed/mbedtls/issues/807
2019-09-04 10:11:45 +01:00
Jaeden Amero
3d7005f851 Merge remote-tracking branch 'tls/pr/2363' into development
* origin/pr/2363:
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
2019-09-03 19:32:45 +01:00
Ko-
cb260bb30d Fix -O0 build for Aarch64 bignum multiplication. 2019-09-02 13:44:57 +02:00
Ko-
05cff953c9 Make GNUC-compatible compilers use the right mbedtls_t_udbl again on Aarch64 builds. 2019-09-02 13:44:57 +02:00
Ko-
cc1871e674 Add optimized bignum multiplication for Aarch64.
x0-x3 are skipped such that function parameters to not have to be moved.
MULADDC_INIT and MULADDC_STOP are mostly empty because it is more
efficient to keep everything in registers (and that should easily be
possible). I considered a MULADDC_HUIT implementation, but could not
think of something that would be more efficient than basically 8
consecutive MULADDC_CORE. You could combine the loads and stores, but
it's probably more efficient to interleave them with arithmetic,
depending on the specific microarchitecture. NEON allows to do a
64x64->128 bit multiplication (and optional accumulation) in one
instruction, but is not great at handling carries.
2019-09-02 13:44:57 +02:00
Ko-
03d2daf55c Enable 64-bit limbs for all Aarch64 builds.
GCC and Clang do not define __ARMCC_VERSION when building for Aarch64.
Yet they should also use 64-bit limbs for Aarch64 builds.
2019-09-02 13:44:57 +02:00
Jaeden Amero
822b8f65bd
Merge pull request #238 from hanno-arm/hmac_drbg_entropy_incompatibility_fix-crypto
HMAC DRBG: Split entropy-gathering requests to reduce request sizes
2019-08-30 12:15:16 +01:00
Hanno Becker
a823d4c7f0 HMAC DRBG: Split entropy-gathering requests to reduce request sizes
According to SP800-90A, the DRBG seeding process should use a nonce
of length `security_strength / 2` bits as part of the DRBG seed. It
further notes that this nonce may be drawn from the same source of
entropy that is used for the first `security_strength` bits of the
DRBG seed. The present HMAC DRBG implementation does that, requesting
`security_strength * 3 / 2` bits of entropy from the configured entropy
source in total to form the initial part of the DRBG seed.

However, some entropy sources may have thresholds in terms of how much
entropy they can provide in a single call to their entropy gathering
function which may be exceeded by the present HMAC DRBG implementation
even if the threshold is not smaller than `security_strength` bits.
Specifically, this is the case for our own entropy module implementation
which only allows requesting at most 32 Bytes of entropy at a time
in configurations disabling SHA-512, and this leads to runtime failure
of HMAC DRBG when used with Mbed Crypto' own entropy callbacks in such
configurations.

This commit fixes this by splitting the seed entropy acquisition into
two calls, one requesting `security_strength` bits first, and another
one requesting `security_strength / 2` bits for the nonce.

Fixes #237.
2019-08-30 11:16:24 +01:00
Jaeden Amero
f0716542c4
Merge pull request #140 from yanesca/everest_integration
Everest integration
2019-08-29 16:02:49 +01:00
Jaeden Amero
98d5685b70
Merge pull request #232 from Patater/psa-crypto-api-1.0b3
Make fixes related to using Mbed Crypto as a service
2019-08-29 13:50:10 +01:00
Jaeden Amero
21db2a94a4
Merge pull request #229 from k-stachowiak/IOTCRYPT-791-remove-legacy-psa-key-derivation
Remove legacy psa key derivation
2019-08-29 11:31:23 +01:00
Jaeden Amero
6fa62a5b8f psa: Use application key ID where necessary
Avoid compiler errors when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
is set by using the application ID type.

    [Error] psa_crypto_slot_management.c@175,9: used type 'psa_key_id_t' (aka 'psa_key_file_id_t') where arithmetic or pointer type is required
2019-08-28 17:24:27 +01:00
Jaeden Amero
e3cdf284b2 psa: Adapt set_key_id() for when owner is included 2019-08-28 17:24:27 +01:00
Jaeden Amero
39f03fcf1a psa: Add PSA_KEY_ID_INIT
A macro useful for initializing psa_key_id_t, whether
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set or not. Without this
macro, it is necessary to know if
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER as with it the key ID is
non-scalar and needs to be initialized with {0, 0}, and 0 otherwise when
key ID is scalar.
2019-08-28 17:24:27 +01:00
Jaeden Amero
f89cc69660 psa: Don't duplicate policy initializer
Use the PSA_KEY_POLICY_INIT macro in the definition of
PSA_CORE_KEY_ATTRIBUTES_INIT in order to avoid duplicating the key
policy initializer.
2019-08-28 17:24:27 +01:00
Jaeden Amero
c7529c910b crypto_extra: Use const seed for entropy injection
The crypto.c implementation of psa_inject_entropy() didn't match the
declaration in crypto_extra.h. Use a const seed in both files.
2019-08-28 17:24:27 +01:00
Jaeden Amero
884738a2d6 getting_started: Update for PSA Crypto API 1.0b3 2019-08-28 17:24:27 +01:00
Jaeden Amero
932e496ef5
Merge pull request #224 from tempesta-tech/development
Remove unused TG variable in mbedtls_mpi_gcd()
2019-08-27 12:05:21 +01:00
Jaeden Amero
85c78b48a9
Merge pull request #225 from RonEld/iotssl_2739
Remove a redundant function call
2019-08-23 17:43:58 +01:00
Jaeden Amero
b14a48baac
Merge pull request #235 from athoelke/at-key-handles
Clarify the documented behavior and lifetime of key handles [v2]
2019-08-23 17:31:01 +01:00
Andrew Thoelke
8824daec6f Editorial fixes. 2019-08-22 15:52:32 +01:00
Andrew Thoelke
3c2b80377b Cross reference 'key handles' from INVALID_HANDLE 2019-08-22 15:52:32 +01:00
Andrew Thoelke
07f16b78ff Update documentation for psa_destroy_key
Define the affect on handles to the key and on active multipart 
operations.
2019-08-22 15:52:32 +01:00
Andrew Thoelke
3daba812d7 Update documentation for psa_close_key
Adjust the wording to permit multiple handles to a single key - closing
a handle does not necessarily release volatile memory associated with
the key, that only occurs when the last handle is closed.
2019-08-22 15:52:32 +01:00
Andrew Thoelke
9741b11440 Update psa_open_key documentation
- Describe the implementation defined behavior for opening multiple 
keys, and provide a reference to the relevant section.

- Describe the use of INSUFFICENT_MEMORY error to indicate additional 
implementation resource constaints.

- Clarify the distinction between DOES_NOT_EXIST and INVALID_HANDLE 
error conditions.
2019-08-22 15:52:32 +01:00
Andrew Thoelke
203491c65d Remove duplicated information in psa_open_key
The information about implmementation keys is duplicated.
2019-08-22 15:52:31 +01:00
Jaeden Amero
de4453d960
Merge pull request #174 from dgreen-arm/psa-se-driver-hooks
Add mock tests for hooks for secure element drivers
2019-08-22 14:10:37 +01:00
Darryl Green
0892d0fbbf Initialize key bits to max size + 1 in psa_import_key
In psa_import_key, the key bits value was uninitialized before
calling the secure element driver import function. There is a
potential issue if the driver returns PSA_SUCCESS without setting
the key bits. This shouldn't happen, but shouldn't be discounted
either, so we initialize the key bits to an invalid issue.
2019-08-21 16:56:16 +01:00
Darryl Green
74c932e596 Parametrize key bits in import mock test 2019-08-21 16:56:16 +01:00
Jaeden Amero
4abb40cab3 Clean up core storage between tests 2019-08-21 16:56:16 +01:00
Unknown
f740b0abbb crypto_se_driver: add verification mock test 2019-08-21 16:56:16 +01:00
Unknown
b7656a8a85 crypto_se_driver: add signing mock test 2019-08-21 16:56:16 +01:00
Unknown
136901c24c crypto_se_driver: add public key exporting test 2019-08-21 16:56:16 +01:00
Unknown
903b5da51c crypto_se_driver: add an error injection mechanism to the mocks 2019-08-21 16:56:16 +01:00
Unknown
9fd6b0cb6f crypto_se_driver: add key generation mock and test 2019-08-21 16:56:16 +01:00
Unknown
c9ad5910aa crypto_se_driver: add mock tests
Mock key importing and exporting
2019-08-21 16:56:16 +01:00
Janos Follath
71dcefbb8a Remove Mbed Crypto headers from everest_inc
At this point Mbed TLS and Mbed Crypto headers with the same name,
including the Mbed Crypto headers in `everest_inc` breaks Mbed TLS
builds.
2019-08-21 13:01:18 +01:00
Jaeden Amero
8013f44e1a Make crypto_struct C++ compatible
Avoid an error with differing linkages being expressed for
psa_set_key_domain_parameters() between crypto_extra.h and
crypto_struct.h in C++ builds.

    [Error] crypto_extra.h@456,14: conflicting declaration of 'psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t*, psa_key_type_t, const uint8_t *, size_t)' with 'C' linkage
2019-08-21 12:24:40 +01:00
Jaeden Amero
b090d5dc2a
Merge pull request #231 from dgreen-arm/api-to-development
Merge psa api branch into development
2019-08-21 11:50:57 +01:00
Darryl Green
ecfd050633
Merge pull request #230 from AndrzejKurek/remove-double-underscore
Remove double underscores from macro and add a check for it
2019-08-21 11:23:32 +01:00
Darryl Green
572a16e694 Merge branch 'psa-api-1.0-beta' into api-to-development 2019-08-21 10:31:12 +01:00
Unknown
712f7a804e Add a check for double underscores in identifiers in check-names.sh 2019-08-21 03:34:00 -04:00
Unknown
e2e19959d7 Rename AEAD macro to not use double underscores
This pattern (identifiers containing a double underscore anywhere in them)
is reserved.
2019-08-21 03:33:04 -04:00