Commit graph

16382 commits

Author SHA1 Message Date
Bence Szépkúti 358e0ea464 Indicate nonce sizes invalid for ChaCha20-Poly1305
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-17 14:03:08 +01:00
Manuel Pégourié-Gonnard 1a3201a7b9
Merge pull request #5192 from daverodgman/development_2.x
Backport 2.x: PSA error code fix
2021-11-17 13:09:43 +01:00
paul-elliott-arm 0372792415
Merge pull request #5165 from mprse/aps_mem_leak_2x
(Backport 2x) ssl_client2, ssl_server2: add check for psa memory leaks
2021-11-17 11:54:39 +00:00
Dave Rodgman dc4e4b72c0 Fix derive_input test ignoring parameter
Fix derive_input test hardcoding key type instead of using test argument.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:52 +00:00
Dave Rodgman bc92abed8c Update test to handle changed error code
Update test to handle changed error code from psa_key_derivation_output_key

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:51 +00:00
Dave Rodgman 021e724936 Improve PSA error return code
psa_key_derivation_output_key: prioritize BAD_STATE over NOT_PERMITTED

If psa_key_derivation_output_key() is called on an operation which hasn't been
set up or which has been aborted, return PSA_ERROR_BAD_STATE. Only return
PSA_ERROR_NOT_PERMITTED if the operation state is ok for
psa_key_derivation_input_bytes() or psa_key_derivation_output_bytes() but not
ok to output a key.

Ideally psa_key_derivation_output_key() would return PSA_ERROR_NOT_PERMITTED
only when psa_key_derivation_output_bytes() is possible, but this is clumsier
to implement.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:48 +00:00
Gilles Peskine b3f4dd5c81 Lift some code out of parse_identifiers
Make parse_identifiers less complex. Pylint was complaining that it had too
many local variables, and it had a point.

* Lift the constants identifier_regex and exclusion_lines to class
  constants (renamed to uppercase because they're constants).
* Lift the per-file loop into a new function parse_identifiers_in_file.

No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 21:26:08 +01:00
Gilles Peskine 7493c4017a Fix comment parsing
Fix cases like
```
/*short comment*/ /*long
 comment */
int mbedtls_foo;
```
where the previous code thought that the second line started outside of a
comment and ended inside of a comment.

I believe that the new code strips comments correctly. It also strips string
literals, just in case.

Fixes #5191.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 21:25:14 +01:00
Gilles Peskine c0656b43f1 Note the reordered fields in SSL structures
This is technically an API break according to the unwritten rules of API
compatibility for Mbed TLS 2.x. However, it is very unlikely to affect any
realistic application, with the possible exception of applications that
define a global constant of type mbedtls_ssl_config.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 19:00:04 +01:00
Gilles Peskine 7f03d9ecc6 mbedtls_ssl_config: Replace bit-fields by separate bytes
This slightly increases the RAM consumption per context, but saves code
size on architectures with an instruction for direct byte access (which is
most of them).

Although this is technically an API break, in practice, a realistic
application won't break: it would have had to bypass API functions and rely
on the field size (e.g. relying on -1 == 1 in a 1-bit field).

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19952 -> 19900 (diff: 52)
library/ssl_msg.o: 25810 -> 25798 (diff: 12)
library/ssl_srv.o: 22371 -> 22299 (diff: 72)
library/ssl_tls.o: 23274 -> 23038 (diff: 236)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2868 -> 2848 (diff: 20)
library/ssl_msg.o: 2916 -> 2924 (diff: -8)
library/ssl_srv.o: 3204 -> 3184 (diff: 20)
library/ssl_tls.o: 5860 -> 5756 (diff: 104)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 18:56:49 +01:00
Lukasz Gniadzik 9a0e0affef mbedtls_ssl_config, mbedtls_ssl_session: reorder fields
Move small fields first so that more fields can be within the Arm Thumb
128-element direct access window.

The ordering in this commit is not based on field access frequency.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 20104 -> 19952 (diff: 152)
library/ssl_msg.o: 25942 -> 25810 (diff: 132)
library/ssl_srv.o: 22467 -> 22371 (diff: 96)
library/ssl_tls.o: 23390 -> 23274 (diff: 116)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2928 -> 2868 (diff: 60)
library/ssl_msg.o: 2924 -> 2916 (diff: 8)
library/ssl_srv.o: 3232 -> 3204 (diff: 28)
library/ssl_tls.o: 5904 -> 5860 (diff: 44)

Signed-off-by: Lukasz Gniadzik <lukasz.gniadzik@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 18:05:27 +01:00
Gilles Peskine baccfef741 mbedtls_ssl_handshake_params: reorder fields to save code size
Reorder fields mbedtls_ssl_handshake_params in order to save code on Arm
Thumb builds. The general idea is to put often-used fields in the direct
access window of 128 elements from the beginning of the structure.

The reordering is a human selection based on a report of field offset and
use counts, and informed by measuring the code size with various
arrangements. Some notes:
* I moved most byte-sized fields at the beginning where they're sure to be
  in the direct access window.
* I moved buffering earlier because it can be around the threshold depending
  on the configuration, and it's accessed in a lot of places.
* I moved several fields, including update_checksum and friends, early so
  that they're guaranteed to be in the early access window.
* I tried moving randbytes or premaster to the early access window, but
  I couldn't find a placement which would save code size, presumably because
  they're bumping too many other fields, and they're mostly accessed through
  memcpy and friends which translates to instructions that don't have an
  offset for free anyway.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 20200 -> 20104 (diff: 96)
library/ssl_msg.o: 25978 -> 25942 (diff: 36)
library/ssl_srv.o: 22691 -> 22467 (diff: 224)
library/ssl_tls.o: 23570 -> 23390 (diff: 180)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 3012 -> 2928 (diff: 84)
library/ssl_msg.o: 2932 -> 2924 (diff: 8)
library/ssl_srv.o: 3288 -> 3232 (diff: 56)
library/ssl_tls.o: 6032 -> 5904 (diff: 128)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 17:44:31 +01:00
Gilles Peskine 51070849fa mbedtls_ssl_handshake_params: use bytes for some small values
Replace bitfields mbedtls_ssl_handshake_params by bytes. This saves some
code size, and since the bitfields weren't group, this doesn't increase the
RAM usage.

Replace several ints that only store values in the range 0..255 by uint8_t.
This can increase or decrease the code size depending on the architecture
and on how the field is used. I chose changes that save code size on Arm
Thumb builds and may potentially save more after field reordering.

Leave the bitfields in struct mbedtls_ssl_hs_buffer alone: replacing them by
uint8_t slightly increases the code size.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_srv.o: 22735 -> 22691 (diff: 44)
library/ssl_tls.o: 23566 -> 23570 (diff: -4)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 16:44:00 +01:00
Gilles Peskine 4a13ebff39 Tweak whitespace for readability
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:21:44 +01:00
Gilles Peskine b8006a66f2 PSA global data: move fields around to save code size
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_crypto.c's global_data, put the state fields first (-20).

In psa_crypto_slot_management.c's global_data, keep the key slots first
(otherwise it's +24).

In mbedtls_psa_random_context_t, swapping entropy and drbg makes no
difference (at least when the DRBG is mbedtls_ctr_drbg_context).

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16166 -> 16146 (diff: 20)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:00:45 +01:00
Gilles Peskine f5d7eef11f PSA operation structures: move less-used fields to the end
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_hkdf_key_derivation_t, move the large fields (output_block, prk,
hmac) after the state bit-fields. Experimentally, it's slightly better
to put hmac last.

In aead_operation_t, tag_length was outside the window. The details depend
on the sizes of contexts included in ctx. Make the large ctx be the last
field.

In mbedtls_psa_hmac_operation_t, the opad field is outside the window when
SHA-512 is enabled. Moving opad before hash_ctx only saves 4 bytes and made
the structure clumsy, so I left it alone.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16246 -> 16166 (diff: 80)
library/psa_crypto_aead.o: 952 -> 928 (diff: 24)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:00:17 +01:00
Gabor Mezei 2dcccbfc19
Fix function name in debug message
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-16 13:34:05 +01:00
Tom Cosgrove 58efe6184e Fix builds when config.h only defines MBEDTLS_BIGNUM_C
Fixes #4929

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2021-11-15 09:59:53 +00:00
Przemyslaw Stekiel a226ac9738 ssl_client2/ssl_server2: Rework ordering of cleanup
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-14 20:03:24 +01:00
Przemyslaw Stekiel e9dea7c3b0 ssl_client2: move memory leak check before rng_free()
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-14 20:03:24 +01:00
Przemyslaw Stekiel b66bc0ad4a Move psa_crypto_slot_management.h out from psa_crypto_helpers.h
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-14 20:03:23 +01:00
Przemyslaw Stekiel d6e0a5824a ssl_client2/ssl_server2: Move is_psa_leaking() before mbedtls_psa_crypto_free() (and rng_free())
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-14 20:03:23 +01:00
Przemyslaw Stekiel 7c7fb877c6 ssl_client2, ssl_server2: add check for psa memory leaks
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-14 20:03:23 +01:00
Bence Szépkúti c1e79fd2e3 Enable CMAC for PSA crypto compliance tests
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-11 20:47:32 +01:00
Bence Szépkúti 24ec529f82 Multipart AEAD is not supported in Mbed TLS 2.x
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-11 20:47:29 +01:00
Bence Szépkúti e30fcb6ed5 Remove superfluous expected failures from list
Issue #5144 doesn't affect development_2.x

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-11 16:24:19 +01:00
Gabor Mezei b9e1f2a3cf
Update generated files
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 15:42:41 +01:00
Gabor Mezei 84d739846c
Update changelog with the new public API
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:33:19 +01:00
Gabor Mezei dbe0f892b3
Fix documentation and comments
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:33:19 +01:00
Gabor Mezei c0ae1cf45a
Rename internal header constant_time.h to constant_time_internal.h
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:33:19 +01:00
Gabor Mezei 18a44949d0
Rename constant-time functions to have mbedtls_ct prefix
Rename functions to better suite with the module name.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:32:01 +01:00
Gabor Mezei f127a0e2b1
Remove unneeded include
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:54 +01:00
Gabor Mezei da20651b73
Fix documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:54 +01:00
Gabor Mezei 61bf64fbd0
Bind functions' availability for config options
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:54 +01:00
Gabor Mezei e24dea8225
Move mbedtls_cf_memcmp to a new public header
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:54 +01:00
Gabor Mezei 6e0e990544
Add macro guard for header file
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 2b35880d41
Bind functions' availability for config options
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 4e2de62fef
Remove unused function
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei fd8a42d914
Make functions static
These functions are only used as an auxiliary function for constant-time functions.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 4b4e4d8880
Update documentation and comments
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 91deea7765
Rename and reorder function parameters
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 150bdee126
Use condition for not sensitive data
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:53 +01:00
Gabor Mezei 3c38b6e9e1
Move implementation specific comment
This comment is about how the functions are implemented, not about their
public interface, so it doesn't belong in the header file.
It applies to everything in constant_time.c so moved there.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
Gabor Mezei 2c5ed2244b
Make mbedtls_cf_size_mask_lt function static
The mbedtls_cf_size_mask_lt is solely used as an auxiliary function
for mbedtls_cf_size_mask_ge.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm d5a392aa2c
Fix missing includes
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm 10117d673e
Add changelog entry
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm 7e6a1eaf8f
Add documentation for the functions
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm 1ffd0ccf02
Unify equality checker functions return value
The equality checker functions always return 0 or 1 value,
thus the type of return value can be the same dispite of the
size of the parameters.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm 60febd5d8a
Propagate usage of mask generation functions
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
gabor-mezei-arm 2f2c0bead3
Unify mask generation functions
Generate all-bits 0 or all bits 1 mask from a value instead of from a bit.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:51 +01:00