Commit graph

4363 commits

Author SHA1 Message Date
Gilles Peskine a2536092b2 Support PSA_ALG_RSA_PSS_ANY_SALT iff PSA_ALG_RSA_PSS is supported
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:07:07 +02:00
Gilles Peskine 35115f9c1a New algorithm PSA_ALG_RSA_PSS_ANY_SALT
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.

In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).

Changes in this commit:

* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
  PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
  PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
  generate_psa_constant_names).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:06:38 +02:00
Gilles Peskine 95f2324c5e
Merge pull request #4845 from mstarzyk-mobica/ecb-alt-ret-2.2x
Backport 2.2x: Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents
2021-10-14 12:11:04 +02:00
Gilles Peskine a4e060b87b
Merge pull request #5000 from mprse/mbedtls_cipher_setup_psa_ECB_2x
Backport 2.x: Fix test gap: mbedtls_cipher_setup_psa() with ECB
2021-10-01 14:49:25 +02:00
Gilles Peskine c79e4abaef Fix typo in comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 20:34:29 +02:00
Gilles Peskine c2779328bf Make MBEDTLS_IGNORE_RETURN configurable
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Gilles Peskine 327cb72e76 Cleaner implementation of MBEDTLS_IGNORE_RETURN
The previous implementation was misparsed in constructs like
`if (condition) MBEDTLS_IGNORE_RETURN(...); else ...;`.

Implement it as an expression, tested with GCC, Clang and MSVC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Gilles Peskine 9110809c46 Fix mistake in the sample implementation of MBEDTLS_CHECK_RETURN
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Przemyslaw Stekiel 39f4e75120 Address review comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-30 12:29:27 +02:00
Przemyslaw Stekiel f0fa86eee5 Add PSA support for MBEDTLS_CIPHER_AES_128_ECB
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-30 12:29:22 +02:00
Mateusz Starzyk 15a7420d3c Silence warnings about unused return value
This macro is introduced here for use in deprecated functions. It may also
be useful in user code, so it is in a public header.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:57:33 +02:00
Gilles Peskine 8472a10594 New configuration option MBEDTLS_CHECK_RETURN_WARNING
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)

The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:42:51 +02:00
Gilles Peskine e568ebade1 Use reserved identifier for warn_unused_result
This is normally equivalent, but works even if some other header defines a
macro called warn_unused_result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:41:01 +02:00
Gilles Peskine 6b5c0f0e44 Better default for MBEDTLS_CHECK_RETURN in config.h
An empty expansion is possible, but as documented its effect is to disable
the feature, so that isn't a good example. Instead, use the GCC
implementation as the default: it's plausible that it could work even on
compilers that don't advertise themselves as sufficiently GCC-like to define
__GNUC__, and if not it gives users a concrete idea of what the macro is
supposed to do.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:55 +02:00
Gilles Peskine ce555e4fad Change DES and AES functions to MBEDTLS_CHECK_RETURN_TYPICAL
For all of these functions, the only possible failures are a hardware
accelerator (not possible unless using an ALT implementation), an internal
error or runtime corruption.

Exception: the self-tests, which serve little purpose if their status isn't
tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:45 +02:00
Gilles Peskine ee0a4435f7 Define indirection macros MBEDTLS_CHECK_RETURN_xxx
Define macros MBEDTLS_CHECK_RETURN_CRITICAL, MBEDTLS_CHECK_RETURN_TYPICAL
and MBEDTLS_CHECK_RETURN_OPTIONAL so that we can indicate on a
function-by-function basis whether checking the function's return value is
almost always necessary (CRITICAL), typically necessary in portable
applications but unnecessary in some reasonable cases (TYPICAL), or
typically unnecessary (OPTIONAL).

Update the documentation of MBEDTLS_CHECK_RETURN accordingly. This is split
between the user documentation (Doxygen, in config.h) and the internal
documentation (non-Doxygen, in platform_util.h, of minor importance since
the macro isn't meant to be used directly).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:33 +02:00
Mateusz Starzyk 1ef29fcf47 Add MBEDTLS_CHECK_RETURN description to config.h
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:33 +02:00
Gilles Peskine 377a310da4 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:31 +02:00
Yuto Takano 5b4caf21de Fix typos pointed out by check_names
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-09-27 20:08:01 +02:00
Gilles Peskine 186c0216b0
Merge pull request #4978 from davidhorstmann-arm/2.x-fix-aarch64-asm-constraints
Backport 2.x: Fix aarch64 assembly for bignum multiplication
2021-09-27 09:01:12 +02:00
Manuel Pégourié-Gonnard b52b91d949 Remove warning about PSA Crypto being beta
The API reached 1.0.0 some time ago, and we've caught up with the
incompatible changes already.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-24 20:44:03 +02:00
Manuel Pégourié-Gonnard 00b72fc35f Add docs/use-psa-crypto.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-24 20:44:03 +02:00
David Horstmann a23be22308 Fix aarch64 assembly for bignum multiplication
Add memory constraints to the aarch64 inline assembly in MULADDC_STOP.
This fixes an issue where Clang 12 and 13 were generating
non-functional code on aarch64 platforms. See #4962, #4943
for further details.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-09-24 09:47:01 +01:00
Gilles Peskine 02e17c0aa5
Merge pull request #4941 from gilles-peskine-arm/muladdc-amd64-memory-2.x
Backport 2.x: Fix x86_64 assembly for bignum multiplication
2021-09-20 22:23:53 +02:00
Gilles Peskine c6d977eae5 x86_64 MULADDC assembly: add missing constraints about memory
MULADDC_CORE reads from (%%rsi) and writes to (%%rdi). This fragment is
repeated up to 16 times, and %%rsi and %%rdi are s and d on entry
respectively. Hence the complete asm statement reads 16 64-bit words
from memory starting at s, and writes 16 64-bit words starting at d.

Without any declaration of modified memory, Clang 12 and Clang 13 generated
non-working code for mbedtls_mpi_mod_exp. The constraints make the unit
tests pass with Clang 12.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-15 15:47:37 +02:00
Mateusz Starzyk 7d13539d1b Disable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE in default config.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:19:25 +02:00
Mateusz Starzyk b3d344c225 Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES option.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:18:53 +02:00
Hanno Becker c8ac785fc3 Document that returning 0 from the recv callback means EOF
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-16 13:00:06 +02:00
Manuel Pégourié-Gonnard f87422f019
Merge pull request #4427 from gilles-peskine-arm/tls_ext_cid-config-2.x
Backport 2.x: Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:50:02 +02:00
Gilles Peskine 7b8571fcb5 New macro MBEDTLS_CHECK_RETURN
Put this macro before a function declaration to indicate that its result
must be checked. This commit supports GCC-like compilers and MSVC >=2012.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-05 13:49:44 +02:00
Gilles Peskine a92a3e9290
Merge pull request #4827 from gilles-peskine-arm/generate_errors-multiline-2.2x
Backport 2.2x: Move MBEDTLS_ERR_xxx Doxygen comments before the definition
2021-08-03 13:46:23 +02:00
Spencer Burke 30dc0b5386 Remove the duplicate code in mbedtls/include/mbedtls/check_config.h
Removing the extra preprocessor directives found within the specified
source file.

Signed-off-by: Spencer Burke <info.spencer.burke@gmail.com>
2021-08-03 09:36:15 +02:00
Gilles Peskine a3974435ea Move MBEDTLS_ERR_xxx Doxygen comments before the definition
Now that descriptions of error codes no longer have to be on the same line
for the sake of generate_errors.pl, move them to their own line before the
definition. This aligns them with what we do for other definitions, and
means that we no longer need to have very long lines containing both the C
definition and the comment.

```
perl -i -pe 's~^(#define +MBEDTLS_ERR_\w+ +-\w+) */\*[*!]<(.*)\*/~/**$2*/\n$1~' include/mbedtls/*.h
```

This commit does not change the output of generate_errors.pl.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 22:57:46 +02:00
Gilles Peskine 9274d4691d
Merge pull request #4759 from paul-elliott-arm/fix_cipher_output_size_2.x
Backport 2.x: Fix divide by zero if macro used with wrong key type
2021-07-30 18:56:22 +02:00
Paul Elliott c183f20056 Add fix to update output size macro as well.
Same issue with zero block length applies here.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:58:18 +01:00
Paul Elliott 9bc9659cfb Change PSA Cipher macro safety to use block length
Although checking if the key was symmetric was correct, its easier to
read if we just check the block length is not zero before we use it in a
division.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:58:18 +01:00
Yuto Takano 284857ee55 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:30:34 +01:00
Paul Elliott 7fe62cc88b Fix divide by zero if macro used with wrong key
If PSA_CIPHER_ENCRYPT_OUTPUT_SIZE was called on a non symmetric key,
then a divide by zero could happen, as PSA_CIPHER_BLOCK_LENGTH will
return 0 for such a key, and PSA_ROUND_UP_TO_MULTIPLE will divide by
the block length.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-08 11:28:15 +01:00
Paul Elliott bece7374ce Bump Library Version Number
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:52:07 +01:00
Paul Elliott 4128c2032e Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.27.0rc0-pr 2021-07-01 17:26:38 +01:00
Dave Rodgman ba940cc695
Merge pull request #4182 from gabor-mezei-arm/3258_implement_one-shot_MAC_and_cipher
[Backport 2.x] Implement one-shot cipher
2021-06-30 17:04:11 +01:00
Dave Rodgman af9b4841fb
Merge pull request #4605 from gabor-mezei-arm/3267_sign_verify_key_policies
[Backport 2.x] Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:51:03 +01:00
gabor-mezei-arm 05dac4a20b
Give a better name for struct member
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:31:18 +02:00
Janos Follath bc58902a32 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTLS_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath bc96a79854 Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:01 +01:00
Ronald Cron 132e8c3cab
Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x
Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
2021-06-25 09:00:58 +02:00
gabor-mezei-arm f67d8af106
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm 6439e85094 Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 11:58:19 +02:00
gabor-mezei-arm eeaeef4d58 Extend PSA_USAGE_SIGN/VERIFY_HASH key policies
According to the PSA specification the PSA_USAGE_SIGN_HASH has the
permission to sign a message as PSA_USAGE_SIGN_MESSAGE. Similarly the
PSA_USAGE_VERIFY_HASH has the permission to verify a message as
PSA_USAGE_VERIFY_MESSAGE. These permission will also be present when
the application queries the usage flags of the key.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 11:58:18 +02:00
Ronald Cron eaacabf98d
Merge pull request #4392 from gilles-peskine-arm/psa-storage-format-test-lifetimes
Backport 2.x: PSA storage format: test lifetimes
2021-06-23 15:22:24 +02:00