From af3baabd058559821afab7d3d44c5c7253f0c9bc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 27 Jun 2018 22:55:52 +0200 Subject: [PATCH] Define max sizes for MAC and signatures This requires defining a maximum RSA key size, since the RSA key size is the signature size. Enforce the maximum RSA key size when importing or generating a key. --- include/psa/crypto_sizes.h | 83 ++++++++++++++++++++++++++++++++++++++ library/psa_crypto.c | 14 ++++--- 2 files changed, 92 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index d7eab4e61..f4d2cd839 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -42,6 +42,14 @@ #include MBEDTLS_CONFIG_FILE #endif +/** \def PSA_HASH_MAX_SIZE + * + * Maximum size of a hash. + * + * This macro must expand to a compile-time constant integer. This value + * should be the maximum size of a hash supported by the implementation, + * in bytes, and must be no smaller than this maximum. + */ #if defined(MBEDTLS_SHA512_C) #define PSA_HASH_MAX_SIZE 64 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 @@ -50,6 +58,81 @@ #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 #endif +/** \def PSA_MAC_MAX_SIZE + * + * Maximum size of a MAC. + * + * This macro must expand to a compile-time constant integer. This value + * should be the maximum size of a MAC supported by the implementation, + * in bytes, and must be no smaller than this maximum. + */ +/* All non-HMAC MACs have a maximum size that's smaller than the + * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */ +#define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE + +/* The maximum size of an RSA key on this implementation, in bits. + * This is a vendor-specific macro. + * + * Mbed TLS does not set a hard limit on the size of RSA keys: any key + * whose parameters fit in a bignum is accepted. However large keys can + * induce a large memory usage and long computation times. Unlike other + * auxiliary macros in this file and in crypto.h, which reflect how the + * library is configured, this macro defines how the library is + * configured. This implementation refuses to import or generate an + * RSA key whose size is larger than the value defined here. + * + * Note that an implementation may set different size limits for different + * operations, and does not need to accept all key sizes up to the limit. */ +#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096 + +/* The maximum size of an ECC key on this implementation, in bits. + * This is a vendor-specific macro. */ +#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 521 +#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 512 +#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 448 +#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384 +#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384 +#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256 +#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256 +#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256 +#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 255 +#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224 +#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224 +#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192 +#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192 +#else +#define PSA_VENDOR_ECC_MAX_CURVE_BITS 0 +#endif + +/** \def PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE + * + * Maximum size of an asymmetric signature. + * + * This macro must expand to a compile-time constant integer. This value + * should be the maximum size of a MAC supported by the implementation, + * in bytes, and must be no smaller than this maximum. + */ +#define PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE \ + PSA_BITS_TO_BYTES( \ + PSA_VENDOR_RSA_MAX_KEY_BITS > PSA_VENDOR_ECC_MAX_CURVE_BITS ? \ + PSA_VENDOR_RSA_MAX_KEY_BITS : \ + PSA_VENDOR_ECC_MAX_CURVE_BITS \ + ) + + /** The size of the output of psa_mac_finish(), in bytes. * diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1d8eb506d..8ce668ce3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -502,7 +502,13 @@ psa_status_t psa_import_key( psa_key_slot_t key, case MBEDTLS_PK_RSA: if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY || type == PSA_KEY_TYPE_RSA_KEYPAIR ) - slot->data.rsa = mbedtls_pk_rsa( pk ); + { + mbedtls_rsa_context *rsa = mbedtls_pk_rsa( pk ); + size_t bits = mbedtls_rsa_get_bitlen( rsa ); + if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS ) + return( PSA_ERROR_NOT_SUPPORTED ); + slot->data.rsa = rsa; + } else status = PSA_ERROR_INVALID_ARGUMENT; break; @@ -1579,10 +1585,6 @@ psa_status_t psa_mac_finish( psa_mac_operation_t *operation, mac_size, mac_length ) ); } -#define PSA_MAC_MAX_SIZE \ - ( MBEDTLS_MD_MAX_SIZE > MBEDTLS_MAX_BLOCK_LENGTH ? \ - MBEDTLS_MD_MAX_SIZE : \ - MBEDTLS_MAX_BLOCK_LENGTH ) psa_status_t psa_mac_verify( psa_mac_operation_t *operation, const uint8_t *mac, size_t mac_length ) @@ -2862,6 +2864,8 @@ psa_status_t psa_generate_key( psa_key_slot_t key, mbedtls_rsa_context *rsa; int ret; int exponent = 65537; + if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS ) + return( PSA_ERROR_NOT_SUPPORTED ); if( parameters != NULL ) { const unsigned *p = parameters;