Commit graph

1845 commits

Author SHA1 Message Date
Gilles Peskine 35115f9c1a New algorithm PSA_ALG_RSA_PSS_ANY_SALT
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.

In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).

Changes in this commit:

* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
  PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
  PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
  generate_psa_constant_names).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:06:38 +02:00
Gilles Peskine 3f0722c1af Fix the build of sample programs without mbedtls_strerror
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine 85f3165c6a Fix printf format signedness error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine 38d41b98b3 load_roots: properly error out on an invalid option
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine 373c54e174 load_roots: fix no-argument detection
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine db92884cd0 load_roots: arguments must be files
I had originally thought to support directories with
mbedtls_x509_crt_parse_path but it would have complicated the code more than
I cared for. Remove a remnant of the original project in the documentation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine 82c04329bf New sample program to benchmark certificate loading
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:17:08 +02:00
Gilles Peskine 95f2324c5e
Merge pull request #4845 from mstarzyk-mobica/ecb-alt-ret-2.2x
Backport 2.2x: Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents
2021-10-14 12:11:04 +02:00
Gilles Peskine 8ad54fa0b4 Update files generated from config.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Gilles Peskine 377a310da4 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:31 +02:00
Mateusz Starzyk b3d344c225 Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES option.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:18:53 +02:00
Manuel Pégourié-Gonnard f87422f019
Merge pull request #4427 from gilles-peskine-arm/tls_ext_cid-config-2.x
Backport 2.x: Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:50:02 +02:00
Manuel Pégourié-Gonnard 14134281df Fix bug with UDP proxy not forwarding enough
We previously introduced a safety check ensuring that if a datagram had
already been dropped twice, it would no longer be dropped or delayed
after that.

This missed an edge case: if a datagram is dropped once, it can be
delayed any number of times. Since "delay" is not defined in terms of
time (x seconds) but in terms of ordering with respect to other messages
(will be forwarded after the next message is forwarded), depending on
the RNG results this could result in an endless loop where all messages
are delayed until the next, which is itself delayed, etc. and no message
is ever forwarded.

The probability of this happening n times in a row is (1/d)^n, where d
is the value passed as delay=d, so for delay=5 and n=5 it's around 0.03%
which seems small but we still happened on such an occurrence in real
life:

    tests/ssl-opt.sh --seed 1625061502 -f 'DTLS proxy: 3d, min handshake, resumption$'

results (according to debug statements added for the investigation) in
the ClientHello of the second handshake being dropped once then delayed
5 times, after which the client stops re-trying and the test fails for
no interesting reason.

Make sure this doesn't happen again by putting a cap on the number of
times we fail to forward a given datagram immediately.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 12:42:59 +02:00
Manuel Pégourié-Gonnard 87e8b5ccaa Use distinct variables for distinct purposes
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 10:30:38 +02:00
Manuel Pégourié-Gonnard 40e26b2600 Fix memory leak on failure path in test code
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 10:30:38 +02:00
Gilles Peskine a33cb76820
Merge pull request #4493 from netfoundry/gcc11.fixes_2.x
Backport 2.x: build with gcc11
2021-05-20 15:54:20 +02:00
Gilles Peskine 8ce4ab18ab
Merge pull request #4460 from gilles-peskine-arm/generate-tests-python3-make-2.x
Backport 2.x: Use Python 3 instead of Python 2 to generate test files
2021-05-18 13:30:40 +02:00
Shawn Carey 4e54f25cc6 avoid "maybe-uninitialized" and "free-nonheap-object" errors/warnings with gcc11
Signed-off-by: Shawn Carey <shawn.carey@netfoundry.io>
2021-05-12 09:37:00 -04:00
gabor-mezei-arm e8efa3911c
Implement psa_sign_message and psa_verify_message functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:47:41 +02:00
Gilles Peskine 99cce1dd4f Remove copy-pasted definition of PYTHON that wasn't used
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-06 11:36:50 +02:00
Gilles Peskine 222921830a
Merge pull request #4438 from gilles-peskine-arm/aes2crypt-removal-2.x
Backport 2.x: Remove the sample program aescrypt2
2021-04-30 11:15:25 +02:00
Gilles Peskine 98b3cd6b23 Remove the sample program aescrypt2
The sample program aescrypt2 shows bad practice: hand-rolled CBC
implementation, CBC+HMAC for AEAD, hand-rolled iterated SHA-2 for key
stretching, no algorithm agility. The new sample program pbcrypt does
the same thing, but better. So remove aescrypt2.

Fix #1906

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-28 15:57:30 +02:00
Ronald Cron 931d91e307
Merge pull request #4243 from bensze01/psa_vararg
PSA: Update AEAD output buffer macros to PSA API version 1.0
2021-04-28 08:36:06 +02:00
Gilles Peskine 065a1c8e3d Allow configuring MBEDTLS_TLS_EXT_CID at compile time
The numerical identifier of the CID extension hasn't been settled yet
and different implementations use values from different drafts. Allow
configuring the value at compile time.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-27 11:34:37 +02:00
Bence Szépkúti ec174e292d Update all uses of old AEAD output size macros
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-04-15 17:32:06 +02:00
Steven Cooreman 6801f08973 Implement support for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Gilles Peskine b420259777
Merge pull request #4174 from gilles-peskine-arm/psa-eddsa-spec
PSA Encodings for EdDSA
2021-04-07 11:20:27 +02:00
Gilles Peskine d5200371ec
Merge pull request #3512 from gilles-peskine-arm/ecp-alloc-202007
Reduce the number of allocations in ECP operations
2021-04-02 00:08:35 +02:00
Ronald Cron 17fbf5b3c4
Merge pull request #4237 from paul-elliott-arm/fix_printf_extra
Fix printf missed issues
2021-03-30 16:40:56 +02:00
Gilles Peskine 27354690cb Use a bit-size in the algorithm name
Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output.
SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-29 14:55:44 +02:00
Gilles Peskine 3a1101a122 Define algorithms for EdDSA
Define algorithms for PureEdDSA and for HashEdDSA, the EdDSA variants
defined by RFC 8032.

The encoding for HashEdDSA needs to encode the hash algorithm so that
the hash can be calculated by passing PSA_ALG_SIGN_GET_HASH(sig_alg)
to psa_hash_compute() or psa_hash_setup(). As a consequence,
Ed25519ph (using SHA-512) and Ed448ph (using SHAKE256) need to have
different algorithm encodings (the key is enough to tell them apart,
but it is not known while hashing). Another consequence is that the
API needs to recognize the Ed448 prehash (64 bytes of SHAKE256 output)
as a hash algorithm.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-29 14:55:44 +02:00
Gilles Peskine 67546802fe New elliptic curve family: twisted Edwards
Add an elliptic curve family for the twisted Edwards curves
Edwards25519 and Edwards448 ("Goldilocks"). As with Montgomery curves,
since these are the only two curves in common use, the family has a
generic name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-29 14:55:44 +02:00
Gilles Peskine 4a7074022a Add a compile-time dependency to psa_constant_names_generated.c
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-29 14:55:44 +02:00
Paul Elliott 29b641688d Fix printf format issue in programs
Fix issues that were missed as part of previous printf attribute
cleanup

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-17 13:08:10 +00:00
Ryan LaPointe dbb192d157 Fix inaccurate comment in sample DTLS server
Signed-off-by: Ryan LaPointe <ryan@ryanlapointe.org>
2021-03-15 16:43:27 -04:00
Ryan LaPointe 59244e87e1 Actually use the READ_TIMEOUT_MS in the sample DTLS client and server
Signed-off-by: Ryan LaPointe <ryan@ryanlapointe.org>
2021-03-15 16:43:08 -04:00
Paul Elliott 61d2209e42 Fix missed invalid specifier in PSA Crypto build
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Paul Elliott 9e3256aead Adding printf format warning flags to makefiles
Add printf format warning flags that are supported by GCC 3.0 or later
to the makefiles

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-10 17:00:32 +00:00
Steven Cooreman 947bb0b06f Code readability improvements
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:09:24 +01:00
Steven Cooreman d927ed7901 Rename _MINIMUM_LENGTH flags to _AT_LEAST_THIS_LENGTH
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:39 +01:00
Steven Cooreman 4400c3a44a Add _AT_LEAST_THIS_LENGTH_ macros to PSA constants test
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:39 +01:00
Gilles Peskine 7f3d10de02
Merge pull request #4159 from d3zd3z/header-list
Add missing header to cpp_dummy_build.cpp test
2021-02-24 18:36:41 +01:00
Gilles Peskine 60fe6606bf Only define test_hooks_xxx under MBEDTLS_TEST_HOOKS
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 00d0ad4036 Clarify the advice about reporting errors in test hooks
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 76e9c64c3e Clarify the advice about reporting errors in test hooks
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 414e717036 Deinitialize the PSA subsystem
The PSA subsystem may consume global resources. It currently doesn't
consume any heap when no keys are registered, but it may do so in the
future. It does consume mutexes, which are reported as leaks when
mutex usage checking is enabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine e374b95fe1 Detect and report mutex usage errors in SSL test programs
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine d0a46e5c7f ssl_server2: don't check test hooks failure in query_config mode
Test hook failure checks may print information to stdout, which messes
up the usage of query_config mode. Nothing interesting happens in
query_config mode anyway, so that's no loss.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 53dea743d5 SSL test programs: allow for test hooks init and error reports
Create utility functions to set up test hooks and report errors that
the test hooks might detect. Call them in ssl_client2 and ssl_server2.

Test hooks are potentially enabled by compiling with
MBEDTLS_TEST_HOOKS.

This commit only sets up the functions. It doesn't make them do
anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Dave Rodgman d6ee36ed04
Merge pull request #4110 from gilles-peskine-arm/psa-external-random-in-mbedtls
Expose the PSA RNG in mbedtls
2021-02-22 14:47:29 +00:00