Commit graph

14360 commits

Author SHA1 Message Date
Gilles Peskine 24cebf6671 Add a section for transparent drivers
No strategy yet, just state some basic requirements.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-08 15:19:04 +01:00
Gilles Peskine f0e2853d46 Minimal update to mention unified-interface opaque drivers
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-08 15:19:04 +01:00
Gilles Peskine 6d5c7bc69a
Merge pull request #3898 from paul-elliott-arm/fix_pem_write
Remove Extraneous bytes from buffer post pem write
2020-12-08 12:31:40 +01:00
Bence Szépkúti 4af6560860 Improve documentation in test_psa_constant_names.py
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 11:10:21 +01:00
Gilles Peskine 2b759626a9
Merge pull request #3948 from bensze01/update_psa_values
Update the values of PSA Crypto API macros to version 1.0.0
2020-12-08 11:03:33 +01:00
Bence Szépkúti 7e37bf97ee Update test_psa_constant_names.py for new values
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 07:33:08 +01:00
Bence Szépkúti 6879f42be4 Add changelog
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:24:41 +01:00
Bence Szépkúti 99ffb2b275 Simplify description of PSA_ALG_STREAM_CIPHER
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:09:08 +01:00
Bence Szépkúti cbe395332c Substitute PSA_ALG_STREAM_CIPHER into all files
Deprecate PSA_ALG_ARC4 and PSA_ALG_CHACHA20.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:01:31 +01:00
Bence Szépkúti c6a26c940c Update PSA Crypto persistent key storage tests
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 23:03:59 +01:00
Bence Szépkúti a294551446 Update PSA Crypto macro values to version 1.0.0
This should be everything that's needed for the stable storage format.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 21:03:05 +01:00
Bence Szépkúti 1de907d4a4 Introduce PSA_ALG_STREAM_CIPHER
This algorithm replaces the pre-existing stream cipher algorithms.
The underlying stream cipher is determined by the key type.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 21:03:05 +01:00
Gilles Peskine e995b9b3f0 Clarify statuses from mbedtls_psa_external_get_random
Add and document PSA_ERROR_INSUFFICIENT_ENTROPY.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 20:42:57 +01:00
Gilles Peskine ae7772d0f3 Clarifications around reseed_entropy_size
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:39 +01:00
Gilles Peskine 43100e3fcb Add section on combining get_entropy with add_entropy
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:29 +01:00
Gilles Peskine 32e584c38a Copyediting and minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:29 +01:00
Gilles Peskine 3ff79066b1 Note an interrogation about integer value representation
Especially 0 values may need special treatment since they can't be
used as an array size.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:29 +01:00
Gilles Peskine 6a530e8d26 Random driver: make initial_entropy_size mandatory
If a random driver has a built-in entropy source and doesn't need an
external entropy source, make the driver author declare this
explicitly, rather than it being a less secure default.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:22 +01:00
Gilles Peskine ee914f34fa Minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:14 +01:00
Gilles Peskine 609394c1cf Open question: can there be multiple RNG instances?
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:48:06 +01:00
Gilles Peskine 8d5092c11f get_random: no output on error
The get_random entry point was allowed to return partial data on both
PSA_SUCCESS and PSA_ERROR_INSUFFICIENT_ENTROPY, but there was no
meaningful difference between the two. Keep it simple: PSA_SUCCESS is
success but can be partial, and PSA_ERROR_INSUFFICIENT_ENTROPY is an
error with no output.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:56 +01:00
Gilles Peskine 1ef6ad48d1 Note that I'm not completly sure about the get_entropy flags
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:45 +01:00
Gilles Peskine 3eb65fbba6 Open question: should add_entropy take an estimated_entropy_bits parameter?
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:45 +01:00
Gilles Peskine b89b4b9025 get_entropy: recommendations on conditioning and entropy estimates
Explicitly recommend that the driver accounts for environmental
conditions that can affect the amount of entropy.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:36 +01:00
Gilles Peskine 05ab2646a3 get_entropy: recommendations on the output_size
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:36 +01:00
Gilles Peskine a14326f054 Make add_entropy optional
A random generation driver does not need to support entropy injection.
This will limit it to platforms where the RNG peripheral is the sole
entropy source and without an RNG seed saved into persistent storage.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:27 +01:00
Gilles Peskine 390c5a2c6f It is not meaningful for reseed_entropy_size to be 0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:19 +01:00
Gilles Peskine 0e3b7ced4c Don't require a call to add_entropy when 0 bytes are needed
If an RNG peripheral includes an entropy source, it would presumably
declare "initial_entropy_size" and "reseed_entropy_size" to be 0. In
this case, don't require the core to call "add_entropy".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:47:10 +01:00
Gilles Peskine 5263e1ecdd Transparent drivers can have get_entropy as well
The `get_entropy` entry point can be provided by multiple transparent
drivers, and the core will call all of them. But apart from that,
`get_entropy` doesn't involve an opaque key or a location, so it can
be in a transparent driver.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:46:58 +01:00
Gilles Peskine e80978a260 Specification for random generation and entropy drivers
Transparent drivers may provide a DRBG interface through "add_entropy"
and "get_random" entry points. This interface may also be used with a
non-deterministic generator, for chips that include a TRNG.

Opaque driver may provide a "get_entropy" entry point.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 18:46:42 +01:00
Paul Elliott 557b8d663a Remove Extraneous bytes from buffer post pem write
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 17:29:42 +00:00
Gilles Peskine 51977355dc Remove the time stamp
Having a time stamp identifying each revision of the document is
useful, but it's also a pain because it creates a conflict whenever
there are multiple pending changes at the same time. The gain isn't
worth the pain, so I'm removing the time stamp.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 17:01:17 +01:00
Gilles Peskine 450dbd6d2d
Merge pull request #785 from gilles-peskine-arm/cipher-nist_kw-changelog
NIST_KW in cipher: credit the reporter
2020-12-07 14:47:48 +01:00
Ronald Cron 771090659e
Merge pull request #3393 from geecrypt/development
Support set *_drbg reseed interval before seed
2020-12-07 14:29:52 +01:00
Gilles Peskine 22a191199d NIST_KW in cipher: credit the reporter
This issue was found by Guido Vranken's Cryptofuzz running on the
OSS-Fuzz platform.

Fix #3665

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 14:26:07 +01:00
Janos Follath 3aae5d4ed7
Merge pull request #781 from mpg/cipher-auth-crypt-restricted
Fix buffer overflow with NIST-KW in cipher layer
2020-12-07 12:58:36 +00:00
Gilles Peskine 3a0535b465
Merge pull request #3916 from jdurkop/psa-crypto-config-hashes-3672
Add support to crypto config for hashes
2020-12-07 13:50:56 +01:00
Gilles Peskine d33aabf388
Merge pull request #3942 from gilles-peskine-arm/ecp-bignum-error-checks-development
Add missing some error checks in ECP and bignum
2020-12-07 13:06:47 +01:00
Manuel Pégourié-Gonnard 841b6fa97f Fix unused param warnings in auth_xxcrypt_ext()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 10:42:21 +01:00
Janos Follath 7973e2b358
Merge pull request #772 from chris-jones-arm/development-restricted
Fix Diffie-Hellman large key size DoS
2020-12-07 09:28:55 +00:00
Gilles Peskine 4e0a4d444d Clarifying comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:30 +01:00
Gilles Peskine a56d3d9e75 cipher_auth_xxcrypt_ext: Make NIST_KW case more robust
Don't invoke classic NIST_KW in case PSA gains support for NIST_KW.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:10 +01:00
Gilles Peskine e09aeb4923 Remove redundant NIST_KW checks in cipher_auth_xxcrypt()
The internal functions mbedtls_cipher_aead_{encrypt,decrypt} reject
unsupported algorithms, so there's no need for an additional check in
the legacy wrappers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:07:26 +01:00
Gilles Peskine 8a3d234859 Fail the test case immediately if cipher_reset_key fails
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:02:13 +01:00
Gilles Peskine a2971ea62c Simplify some buffer comparisons in tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:47 +01:00
Gilles Peskine 70edd689a8 cipher_auth_xxcrypt(): fix some null pointer handling
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.

Make sure to pass NULL for an empty buffer in the tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:26 +01:00
Manuel Pégourié-Gonnard b23e31d86a Minor documentation/comment fixes
typos, overlong lines

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 09:57:35 +01:00
Gilles Peskine e410bf7320 Add changelog entry for the memory management fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine e54be3a9c3 Fix uncaught error if fix_negative fails
fix_negative allocates memory for its result. The calling site didn't
check the return value, so an out-of-memory error could lead to an
incorrect calculation. Fix this.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine 89b4130098 Fix memory leak in mbedtls_mpi_sub_abs
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00