Commit graph

7502 commits

Author SHA1 Message Date
Mateusz Starzyk
f337850738 Use const size buffer for local output in CCM decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:59:36 +02:00
Mateusz Starzyk
c562788068 Fix local buffer allocation conditions.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
c8bdf36a72 Validate tag pointer in ccm function.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
1bda9451ef Factor out common code from ccm decrypt functions.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
eb395c00c9 Move 'Authenticated decryption' comment.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
22f7a35ca4 Do not use output buffer for internal XOR during decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
36d3b89c84 Verify input data lengths.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
2d5652acee Move ccm error state handling.
Remove error clearing from ccm_starts() and ccm_set_lengths().
Add error check in ccm_update_ad(), ccm_update() and ccm_finish().

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
5d97601e81 Remove ccm input validation.
VALIDATE and VALIDATE_RET macros are obsolete.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
ca9dc8d1d7 Rename ccm_calculate_first_block function.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
c52220d775 Clear temporary buffer after block crypt operation.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
a9cbdfbb34 Replace ccm status flags with bitshifts.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
663055f784 Remove UPDATE_CBC macro and working b buffer.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
20bac2fbe4 Fix chunked ccm update.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
05e92d67bb Fix crypt mode configuration. Validate parameters in chunked input functions.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
6a15bcf61b Add support for chunked plaintext/cyphertext input.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
2ad7d8e1ff Replace CCM_CRYPT macro with a more versatile static function.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
33392450b7 Add chunked auth data support
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
eb2ca96d69 Store set lenghts in ccm context.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
88c4d624f8 Clear context state if previous operation failed.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
793692cbcb Split ccm_auth function.
Move logic to ccm_starts, ccm_set_lengths, ccm_update_ad,
ccm_update and ccm_finish
Use separate variable to track context state.
Encode first block only if both mbedtls_ccm_starts() and
mbedtls_ccm_set_lengths() were called.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
89d469cdb4 Move working variables to ccm context structure
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Hanno Becker
3aa186f946 Add transforms to be used for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:24:19 +01:00
Jerry Yu
b9930e7d70 Add dummy tls1.3 handshake dispatch functions
Base on version config, `handshack_{clinet,server}_step`
will call different step function. TLS1.3 features will
be gradully added base on it.

And a new test cases is added to make sure it reports
`feature is not available`.

Change-Id: I4f0e36cb610f5aa59f97910fb8204bfbf2825949
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-10 13:34:32 +08:00
Jerry Yu
3cc4c2a506 Add dummy ssl_tls13_{client,server}.c
Change-Id: Ic1cd1d55b097f5a31c9f48e9d55733d75ab49982
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-10 13:34:32 +08:00
Jerry Yu
60835a88c3 Add config check utils functions
Check configuration parameter in structure setup
function to make sure the config data is available
and valid.

Current implementation checks the version config.
Available version configs are
- tls1_3 only
- tls1_2 only

issues: #4844

Change-Id: Ia762bd3d817440ae130b45f19b80a2868afae924
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-10 13:34:32 +08:00
Hanno Becker
41934dd20a Share preparatory code between client and server handshake steps
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-07 19:13:43 +01:00
Hanno Becker
f3cce8b0e1 Add handshake message writing variant that doesn't update checksum
The helper `mbedtls_ssl_write_handshake_msg` writes a handshake message
and updates the handshake transcript.

With TLS 1.3, we need finer control over the checksum: updating
at message granularity is not sufficient. To allow for manual maintenance
of the checksum in those cases, refine `mbedtls_ssl_write_handshake_msg()`
into `mbedtls_ssl_write_handshake_msg_ext()` which takes a parameter
determining whether the checksum should be updated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-07 14:29:49 +01:00
Hanno Becker
b0302c4c7b Move messaging related session reset into separate helper function
- Improves readability
- Will be useful when we introduce MPS as an alternative msg layer.
- Will be useful when we need to reset the messaging layer upon
  receipt of a HelloRetryRequest in TLS 1.3.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-03 09:41:34 +01:00
Gilles Peskine
8bb9b80d18
Merge pull request #4806 from hanno-arm/ssl_session_serialization_version
Store TLS version in SSL session structure
2021-08-02 12:45:55 +02:00
Hanno Becker
fa0d61e559 Fix typo
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 08:56:14 +01:00
Hanno Becker
dfba065d80 Adjust ssl_tls13_keys.c to consolidated CID/1.3 padding granularity
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Hanno Becker
c0da10dc3a Remove TLS 1.3 specific code from TLS <= 1.2 transform generator
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Hanno Becker
f62a730e80 Add missing semicolon in TLS 1.3 transform generation code
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Hanno Becker
edd5bf0a95 Fix and document minimum length of record ciphertext in TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Hanno Becker
7887a77c25 Match parameter check in TLS 1.3 populate transform to 1.2 version
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:54:03 +01:00
Hanno Becker
79e2d1b6f6 Fix AEAD additional data computation for TLS 1.3
The AEAD additional data (AAD) is computed differently in TLS 1.3
compared to TLS 1.2, but this change hasn't yet been reflected in
the codee, rendering the current implementation of

```
   mbedtls_ssl_{encrypt,decrypt}_buf()
```

not standard compliant.

This commit fixes this by adjusting the AAD extraction function
ssl_extract_add_data_from_record() and its call-sites.

Please see the documentation of the code for an explanation
of how the AAD has changed from TLS 1.2 to TLS 1.3.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:52:49 +01:00
Hanno Becker
c94060c641 Add TLS 1.3 specific key to SSL transform conversion function
This commit adds the TLS 1.3 specific internal function

```
  mbedtls_ssl_tls13_populate_transform()
```

which creates an instance of the SSL transform structure
`mbedtls_ssl_transform` representing a TLS 1.3 record protection
mechanism.

It is analogous to the existing internal helper function

```
   ssl_tls12_populate_transform()
```

which creates transform structures representing record
protection mechanisms in TLS 1.2 and earlier.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:52:49 +01:00
Hanno Becker
bd25755d2a Rename ssl_populate_transform() -> ssl_tls12_populate_transform()
In TLS 1.2 specific code, the internal helper functions
ssl_populate_transform() builds an SSL transform structure,
representing a specific record protection mechanism.

In preparation for a subsequent commit which will introduce
a similar helper function specific to TLS 1.3, this commmit
renames ssl_populate_transform() to ssl_tls12_populate_transform().

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-02 04:52:45 +01:00
Hanno Becker
dce50974bf Prefix "version" with "library" or "protocol" to avoid ambiguity
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-01 05:39:23 +01:00
Hanno Becker
37bdbe6c4d Remove mentions of truncated HMAC from ssl_tls.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-01 05:38:58 +01:00
Manuel Pégourié-Gonnard
8da9dc05e8
Merge pull request #4748 from TRodziewicz/re-introduce_ext_checks_for_psa_unlock-wipe_key_slot
Re-introduction of key slot checks
2021-07-29 13:45:57 +02:00
Manuel Pégourié-Gonnard
b637150dfe
Merge pull request #4730 from TRodziewicz/finish_removing_tls_1.0_and_1.1
Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
2021-07-27 09:42:53 +02:00
Paul Elliott
ecce901907 Change over to specific per algorith size checks
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:53:53 +01:00
Hanno Becker
fadbdbb576 Store TLS version in SSL session structure
Instances of `mbedtls_ssl_session` represent data enabling session resumption.

With the introduction of TLS 1.3, the format of this data changes. We therefore
need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish
1.2 and 1.3 sessions.

This commit introduces such a TLS-version field to mbedtls_ssl_session.

The change has a few ramifications:

- Session serialization/deserialization routines need to be adjusted.

  This is achieved by adding the TLS-version after the header of
  Mbed TLS version+config, and by having the subsequent structure
  of the serialized data depend on the value of this field.

  The details are described in terms of the RFC 8446 presentation language.

  The 1.2 session (de)serialization are moved into static helper functions,
  while the top-level session (de)serialization only parses the Mbed TLS
  version+config header and the TLS-version field, and dispatches according
  to the found version.

  This way, it will be easy to add support for TLS 1.3 sessions in the future.

- Tests for session serialization need to be adjusted

- Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3,
  we will need to have some logic comparing the TLS version of the proposed session
  to the negotiated TLS version. For now, however, we only support TLS 1.2,
  and no such logic is needed. Instead, we just store the TLS version in the
  session structure at the same point when we populate mbedtls_ssl_context.minor_ver.

The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and
`mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved.
However, with both fields being private and explicitly marked so, this can happen
in a later change.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 06:25:48 +01:00
Paul Elliott
ed08cf884a Add safety check to chachapoly finish
Previous code checked that the buffer was big enough for the tag size
for the given algorithm, however chachapoly finish expects a 16 byte
buffer passed in, no matter what. If we start supporting smaller
chachapoly tags in the future, this could potentially end up in buffer
overflow, so add a safety check.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-22 18:52:20 +01:00
Paul Elliott
2fe5db87d5 Fix passing wrong tag size to GCM finish
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-22 18:52:20 +01:00
Paul Elliott
99f548d974 Fix format issues with check nonce size
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-22 18:52:20 +01:00
Gilles Peskine
3b9bea0757
Merge pull request #4750 from yutotakano/fix-reserved-identifier-clash
Replace reserved identifier clashes with suitable replacements
2021-07-22 16:20:56 +02:00
Paul Elliott
315628d91a Remove internal aead_verify endpoint
The internal verify endpoint was only calling the finish endpoint to get
a tag to compare against the tag passed in. Moved this logic to the
driver wrapper (still allowing a driver to call verify if required) and
removed the internal implementation endpoint.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-21 18:51:23 +01:00
Paul Elliott
32925b9e5b Make sure unused parts of tag buffer are cleared
We already did this on failure, but make sure the buffer does not leak
what was in it previously on success

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-21 18:51:23 +01:00
Paul Elliott
96b0173cec Add common nonce checking to oneshot encrypt
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-21 18:51:23 +01:00
Paul Elliott
a561444561 Add missing space
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-21 18:51:23 +01:00
Yuto Takano
538a0cbcf4 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 10:20:09 +01:00
TRodziewicz
c9890e9a8c Rewording comments
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-14 10:16:26 +02:00
TRodziewicz
829fe7038d Correction to callback declaration and usage
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-13 12:23:12 +02:00
TRodziewicz
18cddc08c7 Reverting comments deleted in previous PR
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-13 12:19:15 +02:00
Yuto Takano
36c8ddc4cc Replace _B with B to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-12 16:02:07 +01:00
Archana
277572fa2b Fix coding style issue
Signed-off-by: Archana <archana.madhavan@silabs.com>
2021-07-12 09:00:57 +05:30
Archana
1d2e2bb8cc Add missing Curve448 support for PSA keys
mbedtls_ecp_read_key and mbedtls_ecp_write_key are updated to include
support for Curve448 as prescribed by RFC 7748 §5.

Test suites have been updated to validate curve448 under Montgomery
curves.

Signed-off-by: Archana <archana.madhavan@silabs.com>
2021-07-12 08:02:54 +05:30
TRodziewicz
299510e889 Correction to comments and changelog removed
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-09 16:55:11 +02:00
TRodziewicz
7871c2e736 Adding new macro for tests failing
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-09 14:27:04 +02:00
David Horstmann
44f6390c32 Remove redundant hash len check
Remove a check in rsa_rsassa_pkcs1_v15_encode() that
is not needed because the same check is performed
earlier. This check was added in #4707.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-07-08 12:46:26 +01:00
TRodziewicz
458280e67c Correction to outdated comment
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-07 11:33:06 +02:00
Dave Rodgman
45419c1ee5 Revert "Add auto-generated files"
This reverts commit 3e84187132.
2021-07-06 20:44:59 +01:00
TRodziewicz
345165c1f7 Reverting deleted macros
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-06 13:42:11 +02:00
TRodziewicz
302ed2bf7d Reverting the TLS 1.3 compatibility
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-05 16:55:27 +02:00
TRodziewicz
d9be65277d Corrections to the new functions names and error message wording
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-05 15:16:00 +02:00
TRodziewicz
053b99b90b Re-introduction of key slot chekcs
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-05 12:06:03 +02:00
Dave Rodgman
527b82a34c Bump .so version numbers to stay ahead of 2.x
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-07-02 15:19:38 +01:00
Dave Rodgman
3e84187132 Add auto-generated files
Add files generated by running make generated_files

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-07-01 09:45:38 +01:00
Dave Rodgman
7601657418 Bump library version numbers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-30 23:09:51 +01:00
Dave Rodgman
34d8cd2892 Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-3.0.0rc0-pr 2021-06-30 22:51:02 +01:00
Dave Rodgman
9f5774f56d
Merge pull request #4739 from gabor-mezei-arm/3258_fp30_implement_one-shot_MAC_and_cipher
Implement one-shot cipher
2021-06-30 17:04:23 +01:00
Dave Rodgman
0a7ff4a4e2
Merge pull request #4741 from gabor-mezei-arm/3267_fp30_sign_verify_key_policies
Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:50:57 +01:00
gabor-mezei-arm
5ce25d7806
Remove obsolete comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:46:00 +02:00
Dave Rodgman
dc1a3b2d70
Merge pull request #4724 from hanno-arm/ssl_hs_parse_error_3_0
Cleanup SSL error code space
2021-06-30 09:02:55 +01:00
gabor-mezei-arm
00e54f1133
Fix minor issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:55:25 +02:00
gabor-mezei-arm
6158e283cc
Check the return status of the functions first
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:55:24 +02:00
gabor-mezei-arm
58c1727775
Add buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:55:24 +02:00
gabor-mezei-arm
3f860e4c18
Remove invalid buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:55:24 +02:00
gabor-mezei-arm
47a8e14bb7
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:01 +02:00
gabor-mezei-arm
0a93b665f7
Fix possible unreachable code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:01 +02:00
gabor-mezei-arm
90fceea268
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:01 +02:00
gabor-mezei-arm
258ae07fb0
Add checks for buffer size
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
e5ff8f430c
Use local variable instead of an ouput parameter
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
6f4e5bbe37
Initialize output buffer length to 0
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
0dfeaaf5c9
Remove confising comments
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
9951b50b8a
Remove comments
These comment cannot bring more information than the code does.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
42cdb2a90b
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
a9449a0b07
Dispatch cipher functions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:48:59 +02:00
gabor-mezei-arm
ba0fa75eae
Implement one-shot cipher
Implement one-shot cipher APIs, psa_cipher_encrypt and psa_cipher_decrypt, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:14:34 +02:00
gabor-mezei-arm
95180fe808
Fix comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:06:33 +02:00
gabor-mezei-arm
43110b6b2c Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:49 +02:00
Dave Rodgman
39bd5a655e Address review comment
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 15:25:21 +01:00
Dave Rodgman
c50b717a19 Update a couple of ssl error codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 14:40:23 +01:00
Dave Rodgman
bed8927538 Correct some TLS alerts and error codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 12:06:44 +01:00
Dave Rodgman
bb05cd09b7 Remove MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 10:41:06 +01:00
Dave Rodgman
53c8689e88 Introduce new TLS error codes
Introduce new codes:
* MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION
* MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL

These are returned when the corresponding alert is raised.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 10:02:06 +01:00
Dave Rodgman
096c41111e Remove MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 09:52:06 +01:00
Dave Rodgman
43fcb8d7c1 Address review feedback
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 08:57:19 +01:00
Ronald Cron
8682faeb09
Merge pull request #4694 from gilles-peskine-arm/out_size-3.0
Add output size parameter to signature functions
2021-06-29 09:43:17 +02:00
TRodziewicz
2abf03c551 Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-28 14:36:37 +02:00
Dave Rodgman
e8dbd53966 Update error code for cert parsing failure
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-28 12:35:08 +01:00
Dave Rodgman
5f8c18b0d0 Update error code from ssl_parse_signature_algorithm
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-28 12:35:08 +01:00
Dave Rodgman
8f127397f8 Update alert message for parsing PSK hint
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
77b4a6592a Address review feedback
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
2fc9a652bc Address review feedback
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
90d59dddf5 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
c3411d4041 Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
9ed1ba5926 Rename MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
New name MBEDTLS_ERR_SSL_BAD_CERTIFICATE

Also, replace some instances of MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
by MBEDTLS_ERR_SSL_DECODE_ERROR and MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
as fit.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
5697af0d3d Remove MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
cbc8f6fd5d Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
a0ca87eb68 Remove MBEDTLS_ERR_SSL_BAD_HS_FINISHED
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d934a2aafc Remove MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
d3eec78258 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
666b5b45f7 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
029cc2f97b Remove MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
b24e74bff7 Remove MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP error code
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
241c19707b Remove MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Hanno Becker
bc00044279 Rename MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
New name is MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:07 +01:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Bence Szépkúti
c662b36af2 Replace all inclusions of config.h
Also remove preprocessor logic for MBEDTLS_CONFIG_FILE, since
build_info.h alreadyy handles it.

This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^include/mbedtls/build_info\.h$' | xargs sed -b -E -i '
/^#if !?defined\(MBEDTLS_CONFIG_FILE\)/i#include "mbedtls/build_info.h"
//,/^#endif/d
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:24:07 +01:00
Dave Rodgman
10bda58b49
Merge pull request #4259 from CJKay/cmake-config
Add CMake package config file
2021-06-25 20:32:13 +01:00
Dave Rodgman
63ad854de8
Merge pull request #4712 from daverodgman/psa_cipher_and_mac_abort_on_error
Psa cipher and mac abort on error
2021-06-25 15:39:59 +01:00
Janos Follath
83e384da59 Fix unused parameter warning
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 15:29:56 +01:00
Janos Follath
1107ee4e44 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTL_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 12:46:40 +01:00
Dave Rodgman
90d1cb83a0 Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:02 +01:00
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Gilles Peskine
f9f1bdfa7b Translate MBEDTLS_ERR_PK_BUFFER_TOO_SMALL for PSA
The error is currently never returned to any function that PSA calls,
but keep mbedtls_to_psa_error up to date in case this changes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-25 00:46:22 +02:00
Gilles Peskine
908982b275 Fix the build with MBEDTLS_ECP_RESTARTABLE enabled
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-25 00:46:22 +02:00
Gilles Peskine
16fe8fcef3 Fix unused variable warning
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-25 00:46:22 +02:00
Gilles Peskine
f00f152444 Add output size parameter to signature functions
The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
mbedtls_ecdsa_write_signature() and mbedtls_ecdsa_write_signature_restartable()
now take an extra parameter indicating the size of the output buffer for the
signature.

No change to RSA because for RSA, the output size is trivial to calculate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-25 00:46:22 +02:00
Paul Elliott
ed68d7464d Move buffer size checks up to psa_crypto layer
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-24 20:40:47 +01:00
Paul Elliott
c2b7144da0 Simplify logic and factor out initial checks
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-24 20:40:47 +01:00
Paul Elliott
7f429b747b Remove code duplication and fix formatting
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-24 20:40:47 +01:00
Paul Elliott
a8940ed876 Fix documented error codes
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-24 20:40:47 +01:00
Gilles Peskine
1fed4b8324
Merge pull request #4720 from gilles-peskine-arm/gcm-finish-outlen
Add output_length parameter to mbedtls_gcm_finish
2021-06-24 20:02:40 +02:00
Dave Rodgman
8036bddb01 Tidy up logic in psa_mac_sign_finish
Simplify the logic in psa_mac_sign_finish.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:19:08 +01:00
Dave Rodgman
b5dd7c794d Correct coding style issues
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:17:43 +01:00
Janos Follath
865a75e95b Reject low-order points on Curve448 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-24 15:34:59 +01:00
Janos Follath
8b8b781524 Use mbedtls_mpi_lset() more
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-24 15:00:33 +01:00
Janos Follath
8c70e815dd Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-24 14:48:38 +01:00
Janos Follath
8081ced91d Prevent memory leak in ecp_check_pubkey_x25519()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-24 14:24:13 +01:00
Dave Rodgman
54648243cd Call abort on error in psa_mac/cipher setup
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:49:45 +01:00
Dave Rodgman
685b6a742b Update multipart hash operations to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:49:14 +01:00
Gilles Peskine
fedd52ca19
Merge pull request #4707 from gilles-peskine-arm/require-matching-hashlen-rsa-implementation
Require matching hashlen in RSA functions: implementation
2021-06-24 10:28:20 +02:00
Gilles Peskine
5a7be10419 Add output_length parameter to mbedtls_gcm_finish
Without this parameter, it would be hard for callers to know how many bytes
of output the function wrote into the output buffer. It would be possible,
since the cumulated output must have the same length as the cumulated input,
but it would be cumbersome for the caller to keep track.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 21:51:32 +02:00
Dave Rodgman
38e62aebc3 Update cipher and mac functions to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 18:59:17 +01:00
Paul Elliott
cf2d66e022 Remove permitting of 8 byte nonce with PolyChaCha
Also unify nonce length checking

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-23 18:50:59 +01:00
Gilles Peskine
f06b92d724
Merge pull request #4567 from mstarzyk-mobica/gcm_ad
Enable multiple calls to mbedtls_gcm_update_ad
2021-06-23 19:36:23 +02:00
Paul Elliott
95271f10c3 Call set_nonce direct rather than by wrapper
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-23 18:30:20 +01:00
Dave Rodgman
cb17fc34cf
Merge pull request #4671 from mpg/x509-crt-profile-public
Make the fields of mbedtls_x509_crt_profile public
2021-06-23 16:06:12 +01:00
Ronald Cron
4f7cc1bb63
Merge pull request #4713 from gilles-peskine-arm/psa-storage-format-test-lifetimes-3.0
PSA storage format: test lifetimes
Almost straightforward of #4392 thus merging with only one approval.
2021-06-23 15:22:03 +02:00
Janos Follath
aa5938edb3
Merge pull request #4703 from gilles-peskine-arm/mpi_montmul-null-3.0
Fix several bugs with the value 0 in bignum
2021-06-23 13:40:14 +01:00
Mateusz Starzyk
939a54cda3 Fix typos and style issues.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-23 14:30:15 +02:00
Gilles Peskine
f9a046ecb5 Remove duplicate wipe call in psa_destroy_key
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
6687cd07f3 Refuse to destroy read-only keys
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:44:35 +02:00
Gilles Peskine
87bc91c13b Forbid creating a read-only key
The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
as intended, for keys that cannot be modified through normal use of the API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:43:08 +02:00
Gilles Peskine
f5f07c847a Fix mbedtls_psa_get_stats for keys with fancy lifetimes
mbedtls_psa_get_stats() was written back before lifetimes were
structured as persistence and location. Fix its classification of
volatile external keys and internal keys with a non-default
persistence.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:43:08 +02:00
Manuel Pégourié-Gonnard
06215eaa3e Avoid complaints about undeclared non-static symbols
Clang was complaining and check-names.sh too

This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 12:59:02 +02:00
Manuel Pégourié-Gonnard
2d457b8fca Use more compact encoding of Montgomery curve constants
Base 256 beats base 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 12:44:21 +02:00
Manuel Pégourié-Gonnard
2389a6000e Use a more compact encoding of bad points
Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 12:25:48 +02:00
Gilles Peskine
c9d86a05ce
Merge pull request #4665 from yanesca/issue-3990-fix_psa_verify_with_alt
Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:38 +02:00
Paul Elliott
d7ab9f1260 Move the setting of id in driver wrappers
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-23 09:58:05 +01:00
Manuel Pégourié-Gonnard
f29857ca0a Reject low-order points on Curve25519 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 10:14:58 +02:00
Paul Elliott
ad53dcc975 Move common final checks to function
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-23 08:51:29 +01:00
Manuel Pégourié-Gonnard
92f387777d Merge branch 'development' into development-restricted
* development: (66 commits)
  Document the return type change in the migration guide
  Fix return type of example key export callbacks
  Add change log
  psa: mac: Add driver dispatch tests for psa_mac_verify
  psa: mac: Add driver delegation support for psa_mac_verify()
  psa: mac: Introduce psa_mac_compute_internal
  psa: mac: Add driver dispatch tests for psa_mac_compute
  psa: mac: Improve MAC finalization code
  psa: mac: Add driver delegation support for psa_mac_compute()
  psa: mac: Add MAC compute builtin implementation
  psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
  psa: mac: Split psa_mac_setup()
  psa: mac: Re-organize psa_mac_setup() internal function
  Move export callback and context to the end of SSL context
  Improve ChangeLog wording for key export
  Remove return value from key export callback
  Make key export callback and context connection-specific
  Remove all occurrences of TLS < 1.2 PRF identifier
  Remote key export identifier used for TLS < 1.2.
  Add missing documentation for key export callback parameters
  ...
2021-06-23 09:04:42 +02:00
Paul Elliott
534d0b4484 Finish / Verify state checks
Ensure finish only called when encrypting and verify only called for
decrypting, and add tests to ensure this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:48 +01:00
Paul Elliott
f88a565f18 Better tag size default for m-aead finish
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:48 +01:00
Paul Elliott
d89304ebb7 Fix formatting issues
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:48 +01:00
Paul Elliott
e4030f2cd1 Replace function with macro that already exists
I wrote a function to determine the base algorithm given a variant,
however this is already implemented by
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:48 +01:00
Paul Elliott
7220cae93c Ensure generate nonce unavailable in decrypt
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:47 +01:00
Gilles Peskine
e9bc857327
Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export
Implement modified key export API for Mbed TLS 3.0
2021-06-22 18:52:37 +02:00
Gilles Peskine
6e3187b212 RSA: Use hashlen as the hash input size as documented
Where hashlen was previously ignored when the hash length could be
inferred from an md_alg parameter, the two must now match.

Adapt the existing tests accordingly. Adapt the sample programs accordingly.

This commit does not add any negative testing.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 18:39:53 +02:00
Paul Elliott
8eb9dafda1 Add generate nonce test
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 16:31:09 +01:00
Paul Elliott
1c8de15490 Update documentation to tally with recent changes
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 16:31:09 +01:00
Paul Elliott
bc94978d8c Add missing unused arguments
No algorithm defined case generally doesn't use the operation.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 16:31:09 +01:00
Gilles Peskine
b09c7eea97 Correct some statements about the ordering of A and B
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
4d3fd36c44 Clarification in a comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
4169c32d6c Simplify is-zero check
The loop exits early iff there is a nonzero limb, so i==0 means that
all limbs are 0, whether the number of limbs is 0 or not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
2a63c5b781 Write a proof of correctness for mbedtls_mpi_gcd
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
4df3f1f250 Explain how the code relates to the description in HAC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
997be0aba3 Fix multiplication with negative result and a low-order 0 limb
Fix a bug introduced in "Fix multiplication producing a negative zero" that
caused the sign to be forced to +1 when A > 0, B < 0 and B's low-order limb
is 0.

Add a non-regression test. More generally, systematically test combinations
of leading zeros, trailing zeros and signs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
2aa3f16512 Whitespace fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
7cba859235 mbedtls_mpi_read_string: make an empty bignum for an empty string
In mbedtls_mpi_read_string, if the string is empty, return an empty bignum
rather than a bignum with one limb with the value 0.

Both representations are correct, so this is not, in principle, a
user-visible change. The change does leak however through
mbedtls_mpi_write_string in base 16 (but not in other bases), as it writes a
bignum with 0 limbs as "" but a bignum with the value 0 and at least one
limb as "00".

This change makes it possible to construct an empty bignum through
mbedtls_mpi_read_string, which is especially useful to construct test
cases (a common use of mbedtls_mpi_read_string, as most formats use in
production encode numbers in binary, to be read with mbedtls_mpi_read_binary
or mbedtls_mpi_read_binary_le).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
f4998b0a20 Fix multiplication producing a negative zero
Fix mbedtls_mpi_mul_mpi() when one of the operands is zero and the
other is negative. The sign of the result must be 1, since some
library functions do not treat {-1, 0, NULL} or {-1, n, {0}} as
representing the value 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:47:21 +02:00
Gilles Peskine
b4347d859b mbedtls_mpi_gcd: small optimization
Shifting TA and TB before the loop is not necessary. If A != 0, it will be
done at the start of the loop iteration. If A == 0, then lz==0 and G is
correctly set to B after 0 loop iterations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:44:05 +02:00
Gilles Peskine
27253bc885 mbedtls_mpi_gcd: fix the case B==0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:44:05 +02:00
Gilles Peskine
3da1a8ff39 Fix null pointer dereference in mbedtls_mpi_exp_mod
Fix a null pointer dereference in mbedtls_mpi_exp_mod(X, A, N, E, _RR) when
A is the value 0 represented with 0 limbs.

Make the code a little more robust against similar bugs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:44:05 +02:00
Gilles Peskine
36ff66c4b4
Merge pull request #4316 from gabor-mezei-arm/3258_implement_one-shot_MAC
Implement one-shot MAC
2021-06-22 12:18:25 +02:00
Manuel Pégourié-Gonnard
3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00
Manuel Pégourié-Gonnard
508d3a5824
Merge pull request #4664 from tom-daubney-arm/rm_truncated_HMAC_ext
Remove truncated HMAC extension
2021-06-22 11:53:10 +02:00
Manuel Pégourié-Gonnard
21efe44af3 Merge branch 'development' into development-restricted
* development: (236 commits)
  Changing the key length to 32 bytes in one of the PSA cipher setup tests
  Removal of RC4 certs and fixes to docs and tests
  Fix fd range for select on Windows
  Refactor file descriptor checks into a common function
  Removing global variable and moving variant function comment block
  Fix typo in doc'n of session resumption API
  Code review fixes
  Fix warning in some configurations
  Fix cmake build of fuzz_privkey
  Fix async support in ssl_server2
  Improve ChangeLog and migration guide entries
  Use a proper DRBG in programs
  Use the dedicated dummy_random in fuzzing programs
  Fix cmake build of programs
  Add ChangeLog and migration guide entries
  Simplify internal code
  Remove "internal RNG" code from ECP
  Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
  Add RNG params to private key parsing
  Add RNG parameter to check_pair functions
  ...
2021-06-22 10:20:48 +02:00
Manuel Pégourié-Gonnard
da1eab3c3f
Merge pull request #828 from mpg/rsa-lookup-restricted
Use constant-time look-up in modular exponentiation
2021-06-22 09:33:20 +02:00
Manuel Pégourié-Gonnard
ffafae4f51
Merge pull request #4687 from gilles-peskine-arm/winsock-fd-range-3.0
Fix net_sockets regression on Windows
2021-06-22 09:29:23 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
Janos Follath
ab97e003f3 Improve psa_rsa_decode_md_type()
Remove a case that cannot be triggered as PSA_ALG_SIGN_GET_HASH always
returns 0 for raw algorithms.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-21 10:56:29 +01:00
Janos Follath
0af093b6c8 PSA RSA PSS: pass pre-hash algorithm to Mbed TLS
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well
as Mbed TLS does not use this parameter for anything beyond determining
the input lengths.

Some alternative implementations however check the consistency of the
algorithm used for pre-hash and for other uses in verification (verify
operation and mask generation) and fail if they don't match. This makes
all such verifications fail.

Furthermore, the PSA Crypto API mandates that the pre-hash and internal
uses are aligned as well.

Fixes #3990.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-21 10:39:36 +01:00
Ronald Cron
a587cbc3a4 psa: mac: Add driver delegation support for psa_mac_verify()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-21 09:19:22 +02:00
Ronald Cron
cd989b5598 psa: mac: Introduce psa_mac_compute_internal
Introduce psa_mac_compute_internal with an
additional `is_sign` parameter compared to
the psa_mac_compute API. The intent is to
call psa_mac_compute_internal() from
psa_mac_verify() as well to compute the
message MAC.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-21 09:19:22 +02:00
Ronald Cron
c3dd75f71b psa: mac: Improve MAC finalization code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-21 09:19:22 +02:00
Ronald Cron
51131b53fe psa: mac: Add driver delegation support for psa_mac_compute()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-21 09:19:09 +02:00
Gilles Peskine
a5dd7bded8 Fix fd range for select on Windows
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows: they were testing that the file
descriptor is in range for fd_set, but on Windows socket descriptors are not
limited to a small range. Fixes #4465.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:14:36 +02:00
Gilles Peskine
05360005e3 Refactor file descriptor checks into a common function
This will make it easier to change the behavior uniformly.

No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:10:15 +02:00
Ronald Cron
76be3e08a6 psa: mac: Add MAC compute builtin implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-18 22:18:35 +02:00
Ronald Cron
79bdd82eaa psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-18 22:18:06 +02:00
Ronald Cron
2dff3b2a18 psa: mac: Split psa_mac_setup()
Split out of psa_mac_setup() the final checks on
the requested algorithm and the key attributes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-18 22:09:28 +02:00
Ronald Cron
28ea050cf4 psa: mac: Re-organize psa_mac_setup() internal function
Re-organize psa_mac_setup() to prepare the move
to a dedicated function of the additional checks
on the algorithm and the key attributes done by
this function. We want to move those checks in
a dedicated function to be able to do them
without duplicating them in psa_mac_compute().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-18 21:02:32 +02:00
Hanno Becker
7e6c178b6d Make key export callback and context connection-specific
Fixes #2188

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
457d61602f Define and implement new key export API for Mbed TLS 3.0
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
2d6e6f8fec Remove '_ext' suffix from SSL key exporter API
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
78ba2af7c2 Remove old key export API
Seems to be an oversight that this wasn't marked deprecated.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
TRodziewicz
963bb810f4 Removing global variable and moving variant function comment block
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 13:22:57 +02:00
Manuel Pégourié-Gonnard
9d4c2c4e42 Clarify how to create custom profiles
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-18 13:19:34 +02:00
TRodziewicz
75628d51b3 Code review fixes
Reverting some deleted tests and changing the deprecated algo
Deleting deprecated headers from /alt-dummy dir
Corrections to the comments
Removal of deleted functions from compat-2.x.h
Corrections to tests/data_files/Makefile

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-18 12:59:38 +02:00
Gilles Peskine
39957503c5 Remove secp256k1 from the default X.509 and TLS profiles
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
55cb9af910 Add missing parentheses
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
3b3aa36962 Indicate that the truncation from size_t to int is deliberate
MPI sizes do fit in int. Let MSVC know this conversion is deliberate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b26696bafb Simplify mbedtls_debug_print_mpi and fix the case of empty bignums
Rewrite mbedtls_debug_print_mpi to be simpler and smaller. Leverage
mbedtls_mpi_bitlen() instead of manually looking for the leading
zeros.

Fix #4608: the old code made an invalid memory dereference when
X->n==0 (freshly initialized bignum with the value 0).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
a28f0f5082 Leave the preference order for hashes unspecified
We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad In TLS, order curves by resource usage, not size
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.

So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.

The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
2c69fa245c Initializer element was not constant
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ae270bf386 Upgrade the default TLS hash and curve selection, matching X.509
Upgrade the default list of hashes and curves allowed for TLS. The list is
now aligned with X.509 certificate verification: hashes and curves with at
least 255 bits (Curve25519 included), and RSA 2048 and above.

Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE which would no
longer do anything.

Document more precisely what is allowed by default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Gilles Peskine
ffb92da622 Upgrade the default X.509 profile to the former "next" profile
Upgrade the default X.509 certificate verification profile
mbedtls_x509_crt_profile_default to the former value of
mbedtls_x509_crt_profile_next, which is hashes and curves with at least 255
bits (Curve25519 included), and RSA 2048 and above.

Document more precisely what goes into the default profile.

Keep the "next" profile unchanged for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Manuel Pégourié-Gonnard
a48b16a449 Homogenize coding patterns
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 13:25:03 +02:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
Gilles Peskine
532327b429
Merge pull request #4576 from gilles-peskine-arm/psa_key_derivation-bad_workflow-20210527
PSA key derivation bad-workflow tests
2021-06-17 09:55:39 +02:00
Manuel Pégourié-Gonnard
609ab6478b Fix warning in some configurations
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:41:01 +02:00
Manuel Pégourié-Gonnard
02b5705aa3 Simplify internal code
We know that Montgomery multiplication will never be called without an
RNG, so make that clear from the beginning of the function.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
7962bfaa79 Remove "internal RNG" code from ECP
This is no longer needed, as the RNG param is now mandatory.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
84dea01f36 Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
39be1410fd Add RNG parameter to check_pair functions
- mbedtls_ecp_check_pub_priv() because it calls ecp_mul()
- mbedtls_pk_check_pair() because it calls the former

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f8c24bf507 Fix signature of check_pub_priv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
75525aec52 Fix mbedtls_ecp_muladd()
It was indirectly calling ecp_mul() without an RNG. That's actually the
rare case where this should be allowed, as ecp_muladd() is typically
used on non-secret data (to verify signatures or ZKPs) and documented as
not being constant-time.

Refactor a bit in order to keep the ability to call ecp_mul() without a
RNG, but not exposed publicly (except though muladd).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
aa3ed6f987 Make RNG parameters mandatory in ECP functions
Fix trivial faulty calls in ECP test suite and ECP/ECJPAKE self-tests (by
adding a dummy RNG).

Several tests suites are not passing yet, as a couple of library
function do call ecp_mul() with a NULL RNG. The complexity of the fixes
range from "simple refactoring" to "requires API changes", so these will
be addressed in separate commits.

This makes the option MBEDTLS_ECP_NO_INTERNAL_RNG, as well as the whole
"internal RNG" code, obsolete. This will be addressed in a future
commit, after getting the test suites to pass again.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
1a87722bb6 Make RNG parameters mandatory in DHM functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Manuel Pégourié-Gonnard
f035904060 Check for mandatory RNG parameters in RSA private
(This commit is best reviewed using `git show -b` as indentation levels
have changed.)

The documentation already states that the RNG parameter is mandatory,
since PRs #4488 and #4515. There are several families of functions to
consider here:

- private-key operations (sign, decrypt) all call
mbedtls_rsa_private() where this commit adds a non-NULL check;
- encrypt operations need an RNG for masking/padding and already had a
non-NULL check since #4515 (conditional on \p mode before that)
- verify operations no longer take an RNG parameter since #4515

So, after this commit, all RSA functions that accept an RNG will reach a
non-NULL check before the RNG is used.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:37:55 +02:00
Thomas Daubney
e1c9a40bc4 Removes truncated HMAC code from ssl_X.c
Removes conditional code blocks relating
to MBEDTLS_SSL_TRUNCATED_HMAC from ssl_cli.c
and ssl_srv.c.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:19:53 +01:00
Thomas Daubney
32fb900eee Removes truncated HMAC code from ssl_tls.c
Removes conditional code compilation blocks
and code paths relating to the
MBEDTLS_SSL_TRUNCATED_HMAC config option.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:19:53 +01:00
gabor-mezei-arm
4076d3e9f3 Implement one-shot MAC functions
Implement one-shot MAC APIs, psa_mac_compute and psa_mac_verify, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-16 16:28:07 +02:00
Mateusz Starzyk
3d0bbeef0c Reword description of the authentation tag computation stages
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
25a571e076 Code style fix
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
3443bd2570 Add comment on exiting early from mbedtls_gcm_update().
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
b45b57eec6 Add comment on how mbedtls_gcm_context::buf data depends on
values of add_len and len.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
333f48f407 Fix code style.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
Mateusz Starzyk
bd513bb53d Enable multiple calls to mbedtls_gcm_update_ad.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00