Commit graph

5255 commits

Author SHA1 Message Date
Gilles Peskine
1f13e984ad
Merge pull request #5529 from superna9999/5514-translate-psa-errs-to-mbedtls
Rename, move and refine PSA to mbedtls PK errors mappings
2022-03-03 13:30:29 +01:00
Gilles Peskine
d929dbbb25
Merge pull request #5368 from mfil/feature/additional_md_getters
Add function to get message digest info from context
2022-03-02 16:44:26 +01:00
Neil Armstrong
19915c2c00 Rename error translation functions and move them to library/pk_wrap.*
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-01 15:21:02 +01:00
Gilles Peskine
f48bd4bccb
Merge pull request #5371 from AndrzejKurek/doxygen-duplicate-parameter-docs
doxygen: merge multiple descriptions of the same return codes
2022-02-28 17:09:45 +01:00
Gilles Peskine
0037fcd6c7
Merge pull request #4910 from gilles-peskine-arm/check_config-chachapoly-development
Add check_config checks for AEAD
2022-02-28 17:07:48 +01:00
Glenn Strauss
0ebf24a668 Adjust comment describing mbedtls_ssl_conf_sni()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:53 -05:00
Glenn Strauss
6989407261 Add accessor to retrieve SNI during handshake
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:53 -05:00
Glenn Strauss
36872dbd0b Provide means to reset handshake cert list
Extend mbedtls_ssl_set_hs_own_cert() to reset handshake cert list
if cert provided is null.  Previously, mbedtls_ssl_set_hs_own_cert()
only provided a way to append to the handshake certificate list,
without providing a way to replace the handshake certificate list.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:48 -05:00
Glenn Strauss
2ed95279c0 Add server certificate selection callback
https://github.com/ARMmbed/mbedtls/issues/5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 17:31:49 -05:00
Neil Armstrong
3f9cef4547 Remove actual and use new PSA to mbedtls PK errors mapping functions
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 15:44:39 +01:00
Neil Armstrong
ea761963c5 Add specialized PSA to mbedtls PK/RSA error mapping function
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 14:37:00 +01:00
Neil Armstrong
cd501f406e Add specialized PSA to mbedtls PK/ECDSA error mapping function
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 14:37:00 +01:00
Neil Armstrong
a3fdfb4925 Introduce new PSA to mbedtls PK error mapping function
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 14:37:00 +01:00
Przemyslaw Stekiel
6d3d18b2dc psa_generate_derived_key_internal, psa_generate_derived_ecc_key_weierstrass_helper: optimize the code
Perform the following optimizations:
- fix used flags for conditional compilation
- remove redundant N variable
- move loop used to generate valid k value to helper function
- fix initial value of status
- fix comments

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-22 13:35:27 +01:00
Gilles Peskine
57bf02bd58 ssl_conf_{min,max}_version documentation: update for 1.3 and improve
Mention that TLS 1.3 is supported, in addition to (D)TLS 1.2.

Improve and clarify the documentation. In particular, emphasise that the
minor version numbers are the internal numbers which are off by one from the
human numbers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:02 +01:00
Gilles Peskine
ce4f00de69 Reference get_version_number from the conf_xxx_version documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:02 +01:00
Gilles Peskine
d44e050339 get_version_number documentation: explicitly mention VERSION_UNKNOWN
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:02 +01:00
Gilles Peskine
ded2a42ac1 Use a union instead of casts
Same intended semantics, no casts.

Limitation: this doesn't work on architectures where
sizeof(uintptr_t) < sizeof(void*), which is somewhat weird but possible if
pointers contain redundant information.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:02 +01:00
Gilles Peskine
1e265d2e68 Fix swapped documentation of set_user_data_{n,p}
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:02 +01:00
Gilles Peskine
49d7ddf7f3 Serializing a context does not save the user data
The user data is typically a pointer to a data structure or a handle which
may no longer be valid after the session is restored. If the user data needs
to be preserved, let the application do it. This way, it is a conscious
decision for the application to save/restore either the pointer/handle
itself or the object it refers to.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
80dae04f24 Make user_data fields private
Add accessor functions.

Add unit tests for the accessor functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
e1a0c25f71 New function to access the TLS version from a context as an enum
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
915896f03c Add accessor function from mbedtls_ssl_context to the configuration
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
69477b5706 Add a field for application data to TLS structures
In structure types that are passed to user callbacks, add a field that the
library won't ever care about. The application can use this field to either
identify an instance of the structure with a handle, or store a pointer to
extra data.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Tom Cosgrove
b9987fc344 Handle MBEDTLS_SHA256_USE_A64_* on Windows on ARM64 too
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-02-21 12:26:11 +00:00
Tom Cosgrove
f3ebd90a1c SECLIB-667: Accelerate SHA-256 with A64 crypto extensions
Provide an additional pair of #defines, MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
and MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. At most one of them may be
specified. If used, it is necessary to compile with -march=armv8-a+crypto.

The MBEDTLS_SHA256_PROCESS_ALT and MBEDTLS_SHA256_ALT mechanisms
continue to work, and are mutually exclusive with A64_CRYPTO.

There should be minimal code size impact if no A64_CRYPTO option is set.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-02-21 08:37:26 +00:00
Jerry Yu
e0a6412d8d tls13_only: check_config pass
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Manuel Pégourié-Gonnard
e14b644f4d
Merge pull request #5456 from mpg/cleanup-ecdh-psa
Cleanup PSA-based ECDHE in TLS 1.2
2022-02-15 09:09:07 +01:00
Gilles Peskine
bebeae9428
Merge pull request #5504 from gstrauss/mbedtls_pem_get_der
Add accessor to get der from mbedtls_pem_context
2022-02-10 23:56:57 +01:00
Przemyslaw Stekiel
b15f33d496 Enable ecdh_psa_xxx fields in struct mbedtls_ssl_handshake_params for TLS 1.3
These fields need to be enabled for 1.3 even if MBEDTLS_USE_PSA_CRYPTO isn't (1.3 should always use PSA).

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-10 15:24:27 +01:00
Glenn Strauss
a941b62985 Create public macros for ssl_ticket key,name sizes
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-09 15:28:28 -05:00
Glenn Strauss
a950938ff0 Add mbedtls_ssl_ticket_rotate for ticket rotation.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-09 14:33:15 -05:00
Manuel Pégourié-Gonnard
62b49cd06a
Merge pull request #5472 from yuhaoth/pr/move-client-auth
Move client_auth to handshake
2022-02-09 10:57:00 +01:00
Glenn Strauss
72bd4e4d6a Add accessor to get buf from mbedtls_pem_context
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-08 14:53:46 -05:00
Jerry Yu
0ff8ac89f5 fix comments issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-08 10:10:48 +08:00
Andrzej Kurek
f7c1f747e2 doxygen: merge multiple descriptions of the same return codes
Organize some of the errors in a better way.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-02-03 11:30:54 -05:00
Manuel Pégourié-Gonnard
4a0ac1f160 Remove mbedtls_psa_tls_ecpoint_to_psa_ec()
Same reasons as for the previous commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:15 +01:00
Manuel Pégourié-Gonnard
58d2383ef4 Remove mbedtls_psa_tls_psa_ec_to_ecpoint()
Initially this function was doing something because the output format of
psa_export_public() didn't match the ECPoint format that TLS wants.

Then it became a no-op then the output format of psa_export_public()
changed, but it made sense to still keep the function in case the format
changed again. Now that the PSA Crypto API has reached 1.0 status, this
is unlikely to happen, so the no-op function is no longer useful.

Removing it de-clutters the code a bit; while at it we can remove a
temporary stack buffer (that was up to 133 bytes).

It's OK to remove this function even if it was declared in a public
header, as there's a warning at the top of the file saying it's not part
of the public API.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:14 +01:00
Manuel Pégourié-Gonnard
59753768f0 Simplify the definition of a macro
Relying on a PSA_VENDOR macro is not ideal, since the standard doesn't
guarantee this macro exists, but OTOH relying on
MBEDTLS_ECP_DP_xxx_ENABLED was even less ideal, so I believe this is
still an improvement.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:14 +01:00
Manuel Pégourié-Gonnard
bc4069596b Group related functions together
We had ECC then PK then ECC, move PK to the end, now all ECC things are
together. (The comments suggest that was the intention all along.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:13 +01:00
Manuel Pégourié-Gonnard
1ab2d6966c
Merge pull request #5385 from AndrzejKurek/use-psa-crypto-reduced-configs
Resolve problems with reduced configs using USE_PSA_CRYPTO
2022-02-02 10:20:26 +01:00
Jerry Yu
fb28b88e26 move client_auth to handshake
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-28 11:05:58 +08:00
Jerry Yu
7ce0f2aa6b Wrap client_auth.
The variable is used for client side only

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-27 18:26:06 +08:00
XiaokangQian
647719a172 Add hello retry request in client side
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-01-26 10:50:06 +00:00
Ronald Cron
f51b79c297
Merge pull request #5355 from yuhaoth/pr/remove-duplicate-sig-alg-ext
Remove duplicate write signature algorithms extension
The failure of ABI-API-checking is expected.
2022-01-26 10:05:26 +01:00
Gilles Peskine
cfb151889f
Merge pull request #5457 from AndrzejKurek/key-id-encodes-owner-psa-fixes-follow-up
Remove incorrect incompatibility information about `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` from mbedtls_config.h
2022-01-25 17:02:35 +01:00
Andrzej Kurek
cfc920a960 Remove incorrect incompatibility information from mbedtls_config.h
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-25 06:33:08 -05:00
Jerry Yu
7ddc38cedb fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
713013fa80 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
6106fdc085 fix build fail without TLS13
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
f017ee4203 merge write sig_alg of tls12 and tls13
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

# Conflicts:
#	library/ssl_misc.h
2022-01-25 12:46:17 +08:00
Gilles Peskine
a5c1bf0b8d
Merge pull request #5367 from AndrzejKurek/doxygen-closure-fixes
doxygen: add missing asterisk to group closures
2022-01-24 21:40:39 +01:00
Andrzej Kurek
cead70dbe5 doxygen: fix missing asterisk in ecp.h
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-24 10:48:10 -05:00
Manuel Pégourié-Gonnard
fcca7cfa97
Merge pull request #5428 from gstrauss/mbedtls_ssl_ciphersuite
Add accessors for ciphersuite info
2022-01-24 11:13:31 +01:00
Gilles Peskine
6249603e7c
Merge pull request #5438 from SebastianBoe/check_config
Add missing config check for PKCS5.
2022-01-22 00:52:07 +01:00
Andrzej Kurek
8d2864d6bc Force usage of MBEDTLS_PK_WRITE_C when PK_C and USE_PSA_CRYPTO is used
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:34:30 -05:00
Sebastian Bøe
24e88018d2 Add missing config check for PKCS5.
PKCS5 depends on MD, but is missing a config check resulting in
obscure errors on invalid configurations.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2022-01-19 12:04:35 +01:00
Glenn Strauss
8f52690956 Add accessors for ciphersuite info
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-13 00:05:48 -05:00
Manuel Pégourié-Gonnard
6ced002a69 Count allocs without side-effects
At the end of the benchmark program, heap stats are printed, and these
stats will be wrong if we reset counters in the middle.

Also remove the function to reset counters, in order to encourage other
programs to behave correctly as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-01-05 10:08:59 +01:00
Manuel Pégourié-Gonnard
35415a0c46 Add counter access to memory debug API
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-01-04 10:23:34 +01:00
Andrzej Kurek
03e01461ad Make KEY_ID_ENCODES_OWNER compatible with USE_PSA_CRYPTO
Fix library references, tests and programs.
Testing is performed in the already present all.sh test.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-03 12:53:24 +01:00
Andrzej Kurek
01404dfaa2 doxygen: remove empty platform_time configuration section
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-30 12:34:00 +01:00
Andrzej Kurek
a0defed667 doxygen: move addtogroup closures to include more elements
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-30 12:33:31 +01:00
Max Fillinger
62e5514b8b Remove extra newline
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-12-28 17:42:30 +01:00
Max Fillinger
0bb38336a5 Add function to get md info from md context
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-12-28 16:32:00 +01:00
Andrzej Kurek
38d4fddcd8 Add missing asterisk to doxygen closures
Clarify section names next to closing braces
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-28 16:22:52 +01:00
Ronald Cron
17b1e2f6c3 Bump version to 3.1.0
Executed ./scripts/bump_version.sh --version 3.1.0 --so-crypto 11 --so-tls 17
+ fix of build_info.h

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:53 +01:00
Gilles Peskine
a5c18512b9
Merge pull request #5155 from paul-elliott-arm/pcks12_fix
Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:36 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Ronald Cron
bb27b43013 build: Fix TLS 1.3 prerequisites
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:22:52 +01:00
Ronald Cron
6f135e1148 Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Ronald Cron
0abf07ca2c Make PSA crypto mandatory for TLS 1.3
As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
6b07916e40
Merge pull request #5230 from ronald-cron-arm/tls13_ccs_client
Add initial support for "Middlebox Compatibility Mode"
2021-12-10 11:58:05 +01:00
Gilles Peskine
d31da1c673
Merge pull request #5270 from davidhorstmann-arm/improve-cmac-docs
Reword documentation of CMAC operations
2021-12-09 23:28:36 +01:00
Ronald Cron
49ad6197ca Add injection of dummy's ChangeCipherSpec for middlebox compatibility
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Ronald Cron
ab65c52944 Add MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE config option
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Manuel Pégourié-Gonnard
c38c1f2411
Merge pull request #5268 from gilles-peskine-arm/struct_reordering_3.0
Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:09 +01:00
Gilles Peskine
b3ec69dba5 mbedtls_ssl_config: better document former bit-fields
Ensure that the documentation of fields affected by
"mbedtls_ssl_config: Replace bit-fields by separate bytes"
conveys information that may have been lost by removing the exact size of
the type. Extend the preexisting pattern "do this?" for formerly 1-bit
boolean fields. Indicate the possible values for non-boolean fields.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-08 18:32:12 +01:00
Gilles Peskine
392113434a
Merge pull request #5263 from ronald-cron-arm/psa-test-driver_3.x
Forward port to 3.x: Introduce PSA test driver library to test PSA configuration
2021-12-07 12:52:20 +01:00
David Horstmann
3d5dfa598b Reword documentation of CMAC operations
Change the wording of the documentation for some CMAC functions,
as the existing wording, while technically correct, can be
easy to misunderstand. The reworded docs explain the flow of
a CMAC computation a little more fully.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-06 18:58:02 +00:00
Dave Rodgman
351c71b7f2 Fix builds when config.h only defines MBEDTLS_BIGNUM_C
Fixes #4929

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-06 17:50:53 +00:00
Ronald Cron
8c8cea25c7
Merge pull request #5166 from xffbai/code-align
Align the TLS 1.3 code with coding rules
2021-12-06 10:54:00 +01:00
Ronald Cron
d4c2c9bf94 psa: Fix some dependencies in config_psa.h
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
ef6ffe3033 psa: Fix Mbed TLS hash operation definition
Use PSA_BUILTIN macros instead of the Mbed TLS ones
as in the hash operation contexts the context for a
given hash is needed only if the support for it
through PSA is enabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
7975fae6bd Move to separately compiled PSA test driver library
This commit removes the test_psa_crypto_config_basic
all.sh component that can no longer work without
adapting it to the separately compiled test driver
library. This component is replaced by several
components in the following commits to test various
type of acceleration independently.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
fcaba24697 psa: Fix hash max sizes
The PSA max hash size has to be 64 if SHA512 or
SHA384 is supported by the library or an
accelerator, not just in case of the library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-03 18:55:33 +01:00
Gilles Peskine
28de59c50a
Merge pull request #5246 from adeaarm/development
Align function parameter names for mbedtls_set_key_owner_id
2021-12-03 17:24:46 +01:00
Gilles Peskine
1bbf6d645b
Merge pull request #5149 from mfil/feature/additional_cipher_info_getters
Additional cipher_info getters
2021-12-03 17:21:51 +01:00
Paul Elliott
ad7e8a7092 Documentation fixes
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-30 15:37:49 +00:00
Antonio de Angelis
e2b6866e0b Align function parameter names for mbedtls_set_key_owner_id in PSA headers
static function mbedtls_set_key_owner() is declared in psa/crypto.h
and defined in psa/crypto_struct.h with different parameter name for
the  mbedtls_key_owner_id_t parameter and that may trigger errors
from static code analysis tool as cppcheck.

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
2021-11-30 12:26:58 +00:00
Gilles Peskine
533a728392 mbedtls_ssl_config: Replace bit-fields by separate bytes
This slightly increases the RAM consumption per context, but saves code
size on architectures with an instruction for direct byte access (which is
most of them).

Although this is technically an API break, in practice, a realistic
application won't break: it would have had to bypass API functions and rely
on the field size (e.g. relying on -1 == 1 in a 1-bit field).

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19543 -> 19559 (diff: -16)
library/ssl_msg.o: 24726 -> 24690 (diff: 36)
library/ssl_srv.o: 20462 -> 20418 (diff: 44)
library/ssl_tls.o: 20707 -> 20555 (diff: 152)
library/ssl_tls13_client.o: 7252 -> 7244 (diff: 8)
library/ssl_tls13_generic.o: 4705 -> 4693 (diff: 12)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2876 -> 2864 (diff: 12)
library/ssl_msg.o: 3068 -> 3080 (diff: -12)
library/ssl_srv.o: 3372 -> 3340 (diff: 32)
library/ssl_tls.o: 6658 -> 6566 (diff: 92)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-29 12:44:49 +01:00
Gilles Peskine
8834d87ef6 mbedtls_ssl_config, mbedtls_ssl_session: reorder fields
Move small fields first so that more fields can be within the Arm Thumb
128-element direct access window.

Keep the int section after the pointer section: moving int fields first cost
a few bytes on the reference baremetal-m0plus build.

The ordering in this commit is not based on field access frequency.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19687 -> 19543 (diff: 144)
library/ssl_msg.o: 24834 -> 24726 (diff: 108)
library/ssl_srv.o: 20562 -> 20462 (diff: 100)
library/ssl_tls.o: 20907 -> 20707 (diff: 200)
library/ssl_tls13_client.o: 7272 -> 7252 (diff: 20)
library/ssl_tls13_generic.o: 4721 -> 4705 (diff: 16)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2936 -> 2876 (diff: 60)
library/ssl_msg.o: 3080 -> 3068 (diff: 12)
library/ssl_srv.o: 3400 -> 3372 (diff: 28)
library/ssl_tls.o: 6730 -> 6658 (diff: 72)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-29 12:39:29 +01:00
Max Fillinger
c3cffae420 Document return value for IV size getter on NULL
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-11-28 14:13:43 +01:00
Gilles Peskine
e3d9c9d99b PSA operation structures: move less-used fields to the end
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_hkdf_key_derivation_t, move the large fields (output_block, prk,
hmac) after the state bit-fields. Experimentally, it's slightly better
to put hmac last.

Other operations structures don't go outside the window, at least when not
considering nested structures.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16510 -> 16434 (diff: 76)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-26 12:44:08 +01:00
Xiaofei Bai
746f9481ea Fix 1_3/13 usages in macros and function names
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-11-26 08:08:36 +00:00
Gilles Peskine
09c02ee95f Make PSA headers more self-contained
Several files among include/psa/crypto_*.h are not meant to be included
directly, and are not guaranteed to be valid if included directly. This
makes it harder to perform some static analyses. So make these files more
self-contained so that at least, if included on their own, there is no
missing macro or type definition (excluding the deliberate use of forward
declarations of structs and unions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 20:49:09 +01:00
Gabor Mezei
be7b21da22
Merge branch 'development' into 3649_move_constant_time_functions_into_separate_module 2021-11-24 10:44:13 +01:00
Gilles Peskine
9264428266
Merge pull request #5105 from AaronErhardt/doc-fixes
doc improvements in aes and sha256 includes
2021-11-22 22:22:00 +01:00
Max Fillinger
e85bb7096f Fix documentation for block size getters
- Document unit (bytes)
- Explain what happens for stream ciphers

Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-11-21 16:33:44 +01:00
Max Fillinger
5fee208ff2 Make new IV and block size getters return size_t
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-11-21 16:33:35 +01:00
Paul Elliott
fb5fdb5007 Further documentation improvements
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-18 22:39:16 +00:00
Ronald Cron
28777db226
Merge pull request #4952 from xkqian/add_server_finished
Add server finished
2021-11-12 12:30:10 +01:00
Paul Elliott
853c0da8de Fix for pkcs12 with NULL or zero length password
Previously passing a NULL or zero length password into either
mbedtls_pkcs12_pbe() or mbedtls_pkcs12_derive() could cause an infinate
loop, and it was also possible to pass a NULL password, with a non-zero
length, which would cause memory corruption.
I have fixed these errors, and improved the documentation to reflect the
changes and further explain what is expected of the inputs.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-11 19:26:37 +00:00
XiaokangQian
3306284776 Change code base on comments
Remove client certificate verify in tests.
Change the layout of structure to fix abi_api check issues.
Add comments of Finished.
Align with the coding styles.

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-11 03:37:45 +00:00
XiaokangQian
d6d234f698 Solve the ABI_API check issue for mbedtls_ssl_session
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-11 02:22:12 +00:00
Max Fillinger
f057893035 Allow checking variable IV/key size in cipher_info
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-11-10 14:20:50 +01:00
Max Fillinger
3a782a0fe4 Add IV and block size getters for cipher_info
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2021-11-10 14:20:38 +01:00
Manuel Pégourié-Gonnard
087f04783d
Merge pull request #5076 from mstarzyk-mobica/psa_ccm_no_tag
PSA CCM*-no-tag
2021-11-10 10:18:55 +01:00
XiaokangQian
c5c39d5800 Change code for styles and comments .etc
Remove useless code in union.
Rename functions and parameters.
Move definitions into othe files.

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-10 01:47:23 +00:00
XiaokangQian
1aef02ee20 Fix initialized issues and remove useless code
Fix the variable not inialized issue, remove the client
certificate related code, remove early data related code.

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-10 01:47:23 +00:00
XiaokangQian
f13c56032f Revert some changes about tls13 and macros
There is one PR #4988 to change it in the future

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-10 01:47:23 +00:00
XiaokangQian
a763498490 Change code based on commetns
Focus on the code style, naming rule,etc.

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-10 01:47:23 +00:00
XiaokangQian
aa5f5c1f5d TLS1.3: Add server finish processing in client side
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-11-10 01:47:22 +00:00
Gabor Mezei
642eeb2879
Fix documentation and comments
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-03 16:13:32 +01:00
Gilles Peskine
f2fe31ab4e Reorder macro definitions
Definition before mention

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Gilles Peskine
f7b4137e69 Untangle PSA_ALG_IS_HASH_AND_SIGN and PSA_ALG_IS_SIGN_HASH
The current definition of PSA_ALG_IS_HASH_AND_SIGN includes
PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY, which don't strictly
follow the hash-and-sign paradigm: the algorithm does not encode a hash
algorithm that is applied prior to the signature step. The definition in
fact encompasses what can be used with psa_sign_hash/psa_verify_hash, so
it's the correct definition for PSA_ALG_IS_SIGN_HASH. Therefore this commit
moves definition of PSA_ALG_IS_HASH_AND_SIGN to PSA_ALG_IS_SIGN_HASH, and
replace the definition of PSA_ALG_IS_HASH_AND_SIGN by a correct one (based
on PSA_ALG_IS_SIGN_HASH, excluding the algorithms where the pre-signature
step isn't to apply the hash encoded in the algorithm).

In the definition of PSA_ALG_SIGN_GET_HASH, keep the condition for a nonzero
output to be PSA_ALG_IS_HASH_AND_SIGN.

Everywhere else in the code base (definition of PSA_ALG_IS_SIGN_MESSAGE, and
every use of PSA_ALG_IS_HASH_AND_SIGN outside of crypto_values.h), we meant
PSA_ALG_IS_SIGN_HASH where we wrote PSA_ALG_IS_HASH_AND_SIGN, so do a
global replacement.
```
git grep -l IS_HASH_AND_SIGN ':!include/psa/crypto_values.h' | xargs perl -i -pe 's/ALG_IS_HASH_AND_SIGN/ALG_IS_SIGN_HASH/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Mateusz Starzyk
c5c5b93611 Add missing PSA_KEY_ID_NULL macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
7d262dd1ee Add missing PSA_HASH_BLOCK_LENGTH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
359b5ab6ea Add missing PSA_ALG_NONE macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
e6d3edaf32 Add missing PSA_ALG_IS_SIGN_HASH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Manuel Pégourié-Gonnard
0dbe1dfa1c
Merge pull request #4859 from brett-warren-arm/supported_groups
Add mbedtls_ssl_conf_groups to API
2021-11-02 10:49:09 +01:00
Manuel Pégourié-Gonnard
4313d3ac87
Merge pull request #5010 from gilles-peskine-arm/psa-rsa-pss_any_salt
PSA: fix salt length for PSS verification
2021-10-29 16:36:36 +02:00
Brett Warren
e0edc8407b Add mbedtls_ssl_conf_groups to API
mbedtls_ssl_conf_groups allows supported groups for key
sharing to be configured via their IANA NamedGroup ID.

This is added in anticipation of PQC and Hybrid key
sharing algorithms being integrated into Mbed TLS.

mbedtls_ssl_conf_curves is deprecated in favor of
mbedtls_ssl_conf_groups. handshake_init has been
modified to translate and copy curves configured
via conf_curves into a heap allocatied array of
NamedGroup IDs. This allows the refactoring of code
interacting with conf_curve related variables (such
as curve_list) to use NamedGroup IDs while retaining
the deprecated API.

Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-29 11:27:00 +01:00
Manuel Pégourié-Gonnard
136819fe6e
Merge pull request #4959 from gilles-peskine-arm/psa-add-aria
Add ARIA to the PSA API
2021-10-29 09:38:06 +02:00
Mateusz Starzyk
a706e5e317 Add missing cipher mode translations for PSA
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-28 17:59:06 +02:00
Brett Warren
36b70b2a4e Change MBEDTLS_ECP_DP_MAX to 14
Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-28 16:00:13 +01:00
XiaokangQian
7b2d4efee8 Change the buffer boundary check and alert type
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-10-28 01:49:37 +00:00
XiaokangQian
2d5c72be0b TLS1.3: Add Encrypted Extensions
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2021-10-28 01:49:37 +00:00
Mateusz Starzyk
7de19ddaf5 Remove invalid comments in CCM API
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-27 11:25:08 +02:00
Mateusz Starzyk
4cb9739038 Use separate MBEDTLS_MODE for the CCM*.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-27 10:42:31 +02:00
Gilles Peskine
4fa0725936
Merge pull request #5002 from mstarzyk-mobica/psa_output_buffer_limitation
Remove output buffer limitation for PSA with GCM.
2021-10-25 19:37:33 +02:00
Aaron Erhardt
9bb56dc6be Add return info to sha256 docs
Signed-off-by: Aaron Erhardt <aaron.erhardt@t-online.de>
2021-10-22 22:05:10 +02:00
Aaron Erhardt
a5a2399cb0 Remove mode param from AES-CTR docs
Signed-off-by: Aaron Erhardt <aaron.erhardt@t-online.de>
2021-10-22 22:05:04 +02:00
Mateusz Starzyk
30bd7fa607 Change error code for MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-22 10:33:32 +02:00
Mateusz Starzyk
594215be6e Add support for CCM*-no-tag to PSA.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-21 11:33:41 +02:00
Mateusz Starzyk
bb2ced33dd Ignore plaintext length for CCM*-no-tag.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-21 11:33:37 +02:00
Brett Warren
9e98573ca2 fix build fail with MBEDTLS_DEPRECATED
When deprecated functions are allowed

Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-20 23:33:15 +01:00
Brett Warren
3a96d09898 export MBEDTLS_DEPRECATED from platform_util.h
Since there are no longer any alternative
MBEDTLS_DEPRECATED definitions in the codebase,
MBEDTLS_DEPRECATED can now be exported without breaking
anything.

Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-20 23:33:15 +01:00
Gabor Mezei
90437e3762
Rename constant-time functions to have mbedtls_ct prefix
Rename functions to better suite with the module name.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-20 11:59:27 +02:00
Gabor Mezei
53dd04c13b
Remove unneeded include
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-20 11:19:16 +02:00
Gabor Mezei
765862c4f3
Move mbedtls_cf_memcmp to a new public header
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-10-19 12:22:25 +02:00
Gilles Peskine
6210320215
Merge pull request #4989 from AndrzejKurek/remove-ssl-export-keys
Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on
2021-10-18 17:53:56 +02:00
Gilles Peskine
2bb5e9c973
Merge pull request #4760 from gilles-peskine-arm/ecb-alt-ret-3.0
Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents
2021-10-14 12:11:20 +02:00
Ronald Cron
e23bba04ee
Merge pull request #4927 from yuhaoth/pr/add-tls13-serverhello-utils
TLS 1.3: ServerHello: add  utils functions used by ServerHello
Regarding the merge job, there was only one of the failure we currently encounter on almost all PR (Session resume using tickets, DTLS: openssl client test case see #5012) thus we can consider that this PR passed CI.
2021-10-11 11:01:11 +02:00
Gilles Peskine
f6892dec2a Readability improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 16:28:32 +02:00
Gilles Peskine
09c46da27e Implement PSA_WANT_KEY_TYPE_ARIA
Follow what has been done for CAMELLIA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 15:48:16 +02:00
Jerry Yu
88b756bacb move tls1_3 max md size
It should be internal definition

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 18:41:38 +08:00
Jerry Yu
d1ab262844 define max md size for tls1_3
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 16:19:24 +08:00
Jerry Yu
ae0b2e2a2f Rename counter_len
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-08 15:40:14 +08:00
Gilles Peskine
44c96aa046 Support PSA_ALG_RSA_PSS_ANY_SALT iff PSA_ALG_RSA_PSS is supported
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-05 14:26:25 +02:00
Gilles Peskine
acd2d0e923 New algorithm PSA_ALG_RSA_PSS_ANY_SALT
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.

In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).

Changes in this commit:

* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
  PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
  PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
  generate_psa_constant_names).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-05 14:26:25 +02:00
Mateusz Starzyk
f28261fc14 Remove output buffer limitation for PSA with GCM.
The requirement of minimum 15 bytes for output buffer in
psa_aead_finish() and psa_aead_verify() does not apply
to the built-in implementation of the GCM.

Alternative implementations are expected to verify the
length of the provided output buffers and to return
the MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the
buffer length is too small.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-04 13:54:54 +02:00
Gilles Peskine
023aa11760
Merge pull request #4996 from mprse/mbedtls_cipher_setup_psa_ECB
Fix test gap: mbedtls_cipher_setup_psa() with ECB
2021-10-01 14:49:10 +02:00
Gilles Peskine
2aefc9ef2e Fix typo in comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 20:34:53 +02:00
Gilles Peskine
fcc93d797b Make MBEDTLS_IGNORE_RETURN configurable
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 18:56:17 +02:00
Gilles Peskine
252b758dd6 Cleaner implementation of MBEDTLS_IGNORE_RETURN
The previous implementation was misparsed in constructs like
`if (condition) MBEDTLS_IGNORE_RETURN(...); else ...;`.

Implement it as an expression, tested with GCC, Clang and MSVC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 18:54:51 +02:00
Gilles Peskine
cd79dfc4bb Fix mistake in the sample implementation of MBEDTLS_CHECK_RETURN
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 18:53:36 +02:00
Ronald Cron
cd51e76583
Merge pull request #4338 from paul-elliott-arm/psa-m-aead
Implement multipart PSA AEAD
2021-09-29 22:48:33 +02:00
Mateusz Starzyk
5c4ca32f93 Silence warnings about unused return value
This macro is not used inside the library yet, but may be used in deprecated
functions in the future, if a function returning void has to change to
returning an error. It may also be useful in user code, so it is in a public
header.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 21:04:40 +02:00
Przemyslaw Stekiel
86de1b76d8 Address review comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-29 19:50:07 +02:00
Andrzej Kurek
5902cd64e2 Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on
This option only gated an ability to set a callback,
but was deemed unnecessary as it was yet another define to
remember when writing tests, or test configurations. Fixes #4653.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-09-29 10:15:42 -04:00
Przemyslaw Stekiel
80c6a8e1a6 Add PSA support for MBEDTLS_CIPHER_AES_128_ECB
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-29 12:39:21 +02:00
Gilles Peskine
bfe3d87f24
Merge pull request #4842 from gilles-peskine-arm/public_fields-3.0-info
Make some structure fields public: key info, ASN.1 and X.509 parsing, socket fd
2021-09-29 12:37:09 +02:00
Jerry Yu
d96a5c2d86 Fix wrong usage of counter len macro
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-29 17:46:51 +08:00
Manuel Pégourié-Gonnard
1869377146
Merge pull request #4942 from yuhaoth/pr/add-tls13-client-dummy-state-handlers
add tls13 client dummy state handlers and improve dispatch test
2021-09-29 10:45:16 +02:00
Jerry Yu
d9a94fe3d0 Add counter length macro
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-28 20:10:26 +08:00
Ronald Cron
45cb82fac4
Merge pull request #4918 from yuhaoth/pr/add-send-alert-message-macro
Add send alert message macro
2021-09-28 13:34:55 +02:00
Gilles Peskine
5b8618b44c fixup: Make the fields of mbedtls_ecp_curve_info public
Remove more places where MBEDTLS_PRIVATE() was used on grp_id, which is now
public.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-28 12:34:53 +02:00
Gilles Peskine
409fbbe4a2 Minor documentation fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:16:28 +02:00
Gilles Peskine
9a7d4c2734 New configuration option MBEDTLS_CHECK_RETURN_WARNING
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)

The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
a33e6935bc Use reserved identifier for warn_unused_result
This is normally equivalent, but works even if some other header defines a
macro called warn_unused_result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
913fc5fff3 Better default for MBEDTLS_CHECK_RETURN in config.h
An empty expansion is possible, but as documented its effect is to disable
the feature, so that isn't a good example. Instead, use the GCC
implementation as the default: it's plausible that it could work even on
compilers that don't advertise themselves as sufficiently GCC-like to define
__GNUC__, and if not it gives users a concrete idea of what the macro is
supposed to do.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
3f106f762d Move MBEDTLS_CHECK_RETURN to the correct section
This is not a boolean macro: it's useful for what it expands to.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
e41803af9c Change DES and AES functions to MBEDTLS_CHECK_RETURN_TYPICAL
For all of these functions, the only possible failures are a hardware
accelerator (not possible unless using an ALT implementation), an internal
error or runtime corruption.

Exception: the self-tests, which serve little purpose if their status isn't
tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
463adf4536 Define indirection macros MBEDTLS_CHECK_RETURN_xxx
Define macros MBEDTLS_CHECK_RETURN_CRITICAL, MBEDTLS_CHECK_RETURN_TYPICAL
and MBEDTLS_CHECK_RETURN_OPTIONAL so that we can indicate on a
function-by-function basis whether checking the function's return value is
almost always necessary (CRITICAL), typically necessary in portable
applications but unnecessary in some reasonable cases (TYPICAL), or
typically unnecessary (OPTIONAL).

Update the documentation of MBEDTLS_CHECK_RETURN accordingly. This is split
between the user documentation (Doxygen, in config.h) and the internal
documentation (non-Doxygen, in platform_util.h, of minor importance since
the macro isn't meant to be used directly).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 19:15:56 +02:00
Mateusz Starzyk
2a25804fd4 Add MBEDTLS_CHECK_RETURN description to mbedtls_config.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-27 19:15:56 +02:00
Mateusz Starzyk
e35f8f6a77 Move MBEDTLS_CHECK_RETURN to platform_util.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-27 19:15:56 +02:00
Gilles Peskine
7820a574f1 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 16:22:08 +02:00
Gilles Peskine
4b627af36c New macro MBEDTLS_CHECK_RETURN
Put this macro before a function declaration to indicate that its result
must be checked. This commit supports GCC-like compilers and MSVC >=2012.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 16:22:08 +02:00
Gilles Peskine
b19be6b5f3
Merge pull request #1638 from dgreen-arm/check-names-rewrite
Rewrite check-names.sh in python
2021-09-27 12:28:53 +02:00
Jerry Yu
957f0fa1f7 Add length macro for in_ctr
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:34:58 +08:00
Jerry Yu
394ece6cdd Add function for set pending alert flag
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
33cedca8aa fix comments issue
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
e7047819ee add pend fatal alert
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:38 +08:00
Jerry Yu
6c983524a8 Move msvc compatible fix to common.h
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:05 +08:00
Jerry Yu
687101b2e6 tls13: add dummy state machine handler
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-27 16:25:05 +08:00
Paul Elliott
c7e7fe5c05 Add missing MBEDTLS_PRIVATE
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-27 09:23:40 +01:00
Gilles Peskine
bd4960c8c8
Merge pull request #4961 from mpg/doc-use-psa-crypto
Document effects of  `MBEDTLS_USE_PSA_CRYPTO`
2021-09-24 20:42:30 +02:00
Yuto Takano
c3a6f63c99 Merge updates from upstream development branch into check-names-rewrite
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-09-24 18:02:56 +01:00
Paul Elliott
5977bc9e39 Add MBEDTLS_PRIVATE to new structs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-24 11:20:04 +01:00
Paul Elliott
71b0567c87 Merge remote-tracking branch 'upstream/development' into psa-m-aead-merge
Also fiixed the following merge problems:

crypto_struct.h   : Added MBEDTLS_PRIVATE to psa_aead_operation_s
                    members (merge conflict)
psa_crypto_aead.c : Added ciphertext_length to mbedtls_gcm_finish
                    call (change of API during development)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-24 11:18:13 +01:00
Ronald Cron
f2cb19f921
Merge pull request #4891 from yuhaoth/pr/enable-key-exchange-in-client-hello
TLS1.3: Client Hello : Add  extensions and test case.
2021-09-23 18:45:01 +02:00
Gilles Peskine
f0f2294f57
Merge pull request #4708 from mstarzyk-mobica/ccm_chunked
Ccm chunked - enable multipart CCM in PSA
2021-09-21 13:46:52 +02:00
Manuel Pégourié-Gonnard
200bcf77f8 Remove warning about PSA Crypto being beta
The API reached 1.0.0 some time ago, and we've caught up with the
incompatible changes already.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-21 12:59:26 +02:00
Manuel Pégourié-Gonnard
13b0bebf7d Add docs/use-psa-crypto.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-21 12:59:25 +02:00
Gilles Peskine
6c12a1e9f2 Add ARIA to the PSA API
Use the encoding from an upcoming version of the specification.

Add as much (or as little) testing as is currently present for Camellia.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-21 11:59:39 +02:00
Gilles Peskine
104f6def2a Fix indentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-09 20:39:47 +02:00
Jerry Yu
e226cef124 Add NamedGroup IANA values and helper functions
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-08 09:52:15 +08:00
Jerry Yu
1bc2c1f1a3 fix various issues
fix comments, format and name conversion issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
a2cf7bd243 fix comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
995ecd396f fix wrong iana values and comments
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:20 +08:00
Jerry Yu
b3317e1a01 Add extension types in rfc8446
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Jerry Yu
7984d9931e Add tls1.3 extension IANA values
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Jerry Yu
a13c7e739c add dummy client hello process
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-09-03 16:29:19 +08:00
Gilles Peskine
1984800f70 Add check_config checks for AEAD
CCM requires one of the 128-bit-block block ciphers to be useful, just like GCM.

GCM and CCM need the cipher module.

ChaChaPoly needs ChaCha20 and Poly1305.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-02 10:33:57 +02:00
Mateusz Starzyk
7251eda6ff Replace BAD_SEQUENCE error with BAD_INPUT
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-01 13:26:44 +02:00
Mateusz Starzyk
e40ae6bbed Fix typo
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-01 12:47:49 +02:00
Gilles Peskine
ca939959e4 Allow read-only access to lists of certificates, CRL, CRL entries
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:18:07 +02:00
Gilles Peskine
2e9d65f928 Note that custom info structures are not supported
This was already documented for mbedtls_md_info_t. Also document it for
mbedtls_pk_info_t (where it's fairly obvious since the structure is not
defined in a public header) and for mbedtls_cipher_info_t (where it's not
obvious since the structure is defined in a public header).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:08:55 +02:00
Gilles Peskine
44ffc79d29 Copyediting in comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 23:08:55 +02:00
Gilles Peskine
842edf474c Make many fields of X.509 structures public
The structures mbedtls_x509_time, mbedtls_x509_crl_entry, mbedtls_x509_crl,
mbedtls_x509_crt, mbedtls_x509_san_other_name,
mbedtls_x509_subject_alternative_name, mbedtls_x509_csr are designed to
expose the result of parsing X.509 data. Document many of their fields as
being publicly readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
b89d9c0599 Make fields of ASN.1 data structures public
The structures mbedtls_asn1_buf, mbedtls_asn1_bitstring,
mbedtls_asn1_sequence and mbedtls_asn1_named_data are designed to allow
access to data after parsing. Make their fields public.

Document that chaining fields are essentially read-only.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
b11d61e095 mbedtls_net_context: make fd public on Unix/POSIX platforms
On platforms with BSD-like sockets, it is useful for applications to have
access to the underlying file descriptor so that they can use functions like
select() and poll().

Do not promise that the field will exist on other platforms such as
Windows (where the type and name of the field are technically wrong because
Windows socket handles are actually not file descriptors).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:54:27 +02:00
Gilles Peskine
0be02bd823 Add accessor functions for cipher_info fields
Add functions to read the type, mode, name and key_bitlen fields from
mbedtls_cipher_info_t. These are the fields that applications are most
likely to care about.

TLS code also uses iv_size and block_size, which it might make sense to
expose, but most applications shouldn't need those, so I'm not exposing them
for now.

Call the new functions in unit tests, so they're at least smoke-tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:52:41 +02:00
Gilles Peskine
a73b577744 Make the fields of mbedtls_ecp_curve_info public
The whole point of this structure is to provide information, both for the
library's own sake and to applications.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-31 22:52:41 +02:00
Manuel Pégourié-Gonnard
e45ee40f7e
Merge pull request #4811 from hanno-arm/tls13_ciphersuite_api
Add TLS 1.3 ciphersuite and key exchange identifiers and API
2021-08-30 09:47:46 +02:00
Jerry Yu
cadebe5343 fix several format and comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-25 18:13:42 +08:00
Mateusz Starzyk
cbefb6ba4d Merge branch 'development' into ccm_chunked
Conflicts:
	library/ccm.c

Conflict resolved by re-applying the MBEDTLS_BYTE_0 macro.
Conflict resolved by ignoring the MBEDTLS_PUT_UINT16_BE macro
used in development branch on the 'b' buffer, because the 'b'
buffer is removed in current branch.
2021-08-24 15:14:23 +02:00
Andrey Starodubtsev
90cc33aad6 Misprint was fixed
Signed-off-by: Andrey Starodubtsev <andrey.starodubtsev@gmail.com>
2021-08-23 12:20:41 +03:00
Manuel Pégourié-Gonnard
01a78599b0
Merge pull request #4864 from hanno-arm/upstream_sig_alg_identifers
TLS 1.3 MVP: Upstream TLS 1.3 SignatureAlgorithm identifiers and configuration API
2021-08-19 09:12:59 +02:00
Jerry Yu
447a3bee17 fix wrong typo and format issues
Change-Id: I99a4c7d28c26bfcc43bc8947485d1dfafb6974dc
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-18 09:55:36 +08:00
Manuel Pégourié-Gonnard
684543a3a8
Merge pull request #4807 from hanno-arm/bio_recv_ret_0_eof
Document that returning 0 from the recv callback means EOF
2021-08-17 10:30:46 +02:00
Jerry Yu
7899de839c fix comments and format issues
Change-Id: I927d97f9d788389d6abb9edbda0f7c3e2f8e9b63
CustomizedGitHooks: yes
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-17 13:26:59 +08:00
Manuel Pégourié-Gonnard
93a3ca6caf
Merge pull request #4413 from gilles-peskine-arm/tls_ext_cid-config
Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:49:50 +02:00
Gilles Peskine
7dd2f504b3 Allow configuring MBEDTLS_TLS_EXT_CID at compile time
The numerical identifier of the CID extension hasn't been settled yet
and different implementations use values from different drafts. Allow
configuring the value at compile time.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-12 10:31:01 +02:00
Hanno Becker
5d045a8b89 Stick to 'ephemeral' instead of ECDHE for TLS 1.3 key exchanges
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
674f9480cf Fix typo: algorithmc -> algorithms
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
d4fa9bc710 Remove outdated mentioning of version-specific ciphersuite config
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
a2535931ac Add Doxygen documentation for TLS 1.3 key exchange macros
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:31:14 +01:00
Hanno Becker
71f1ed66c2 Add identifiers and API for configuration of TLS 1.3 key exchanges
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
e486b2d7bb Document use of mbedtls_ssl_conf_ciphersuites() for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
8ca26923eb Add TLS 1.3 ciphersuites
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:28:45 +01:00
Hanno Becker
e043d15d75 Turn comments of 1.3 record transforms into Doxygen documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-12 06:22:52 +01:00
Hanno Becker
1cd6e0021f Add experimental API for configuration of TLS 1.3 sig algs
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 13:55:43 +01:00
Hanno Becker
551265f879 Add TLS 1.3 IANA signature-algorithm values
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 13:03:48 +01:00
Mateusz Starzyk
a42f9537b5 Improve documentation for CCM's processed variable.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 14:00:14 +02:00
Mateusz Starzyk
4f2dd8aada Fix errors returned by CCM functions.
Add new error code for calling functions in wrong order.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 14:00:14 +02:00
Mateusz Starzyk
f337850738 Use const size buffer for local output in CCM decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:59:36 +02:00
Mateusz Starzyk
22f7a35ca4 Do not use output buffer for internal XOR during decryption.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:58:39 +02:00
Mateusz Starzyk
4df9ac4882 Reorganize ccm context structure.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
663055f784 Remove UPDATE_CBC macro and working b buffer.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
eb2ca96d69 Store set lenghts in ccm context.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
793692cbcb Split ccm_auth function.
Move logic to ccm_starts, ccm_set_lengths, ccm_update_ad,
ccm_update and ccm_finish
Use separate variable to track context state.
Encode first block only if both mbedtls_ccm_starts() and
mbedtls_ccm_set_lengths() were called.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Mateusz Starzyk
89d469cdb4 Move working variables to ccm context structure
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-08-10 13:56:37 +02:00
Yuto Takano
7828ca2ea4 Fix typos pointed out by check_names
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-08-10 11:26:15 +01:00
Hanno Becker
3aa186f946 Add transforms to be used for TLS 1.3
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:24:19 +01:00
Hanno Becker
0e719ff341 Improve the documentation of legacy msg layer transforms
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:24:08 +01:00
Hanno Becker
b6bbbb174d Fix typo in documentation of ssl->transform_out
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-10 09:00:14 +01:00
Gilles Peskine
3fbc5d3cf2
Merge pull request #4815 from gilles-peskine-arm/generate_errors-multiline-3.0
Move MBEDTLS_ERR_xxx Doxygen comments before the definition
2021-08-03 13:46:21 +02:00