Commit graph

7053 commits

Author SHA1 Message Date
Paul Elliott 610a9cc43f Bump SO version for libmbedcrypto
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 14:59:26 +01:00
Paul Elliott bece7374ce Bump Library Version Number
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:52:07 +01:00
Paul Elliott 4128c2032e Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.27.0rc0-pr 2021-07-01 17:26:38 +01:00
Dave Rodgman ba940cc695
Merge pull request #4182 from gabor-mezei-arm/3258_implement_one-shot_MAC_and_cipher
[Backport 2.x] Implement one-shot cipher
2021-06-30 17:04:11 +01:00
Dave Rodgman af9b4841fb
Merge pull request #4605 from gabor-mezei-arm/3267_sign_verify_key_policies
[Backport 2.x] Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:51:03 +01:00
gabor-mezei-arm e4be8a3bea
Remove obsolete comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:34:28 +02:00
Dave Rodgman 0a4046e9ca
Merge pull request #4736 from daverodgman/alert_bugfixes_2.x
Backport 2.x: Fix alert raised for invalid fragment length
2021-06-30 09:02:49 +01:00
gabor-mezei-arm 252304594b
Fix minor issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:06:30 +02:00
gabor-mezei-arm 809634d5d9
Check the return status of the functions first
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm 42373bdde7
Add buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm 6f8d43df20
Remove invalid buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:39:49 +02:00
Dave Rodgman 0dfb7dbe15 TLS UNSUPPORTED_EXTENSION error code changes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 15:21:44 +01:00
Nick Child b6d5693be2 pk.c: Ensure hash_len equals hash in pk_hashlen_helper
The function `pk_hashlen_helper` exists to ensure a valid hash_len is
used in pk_verify and pk_sign functions. This function has been
used to adjust to the corrsponding hash_len if the user passes in 0
for the hash_len argument based on the md algorithm given. If the user
does not pass in 0 as the hash_len, then it is not adjusted. This is
problematic if the user gives a hash_len and hash buffer that is less than the
associated length of the md algorithm. This error would go unchecked
and eventually lead to buffer overread when given to specific pk_sign/verify
functions, since they both ignore the hash_len argument if md_alg is not MBEDTLS_MD_NONE.

This commit, adds a conditional to `pk_hashlen_helper` so that an
error is thrown if the user specifies a hash_length (not 0) and it is
not equal to the expected for the associated message digest algorithm.
This aligns better with the api documentation where it states "If
hash_len is 0, then the length associated with md_alg is used instead,
or an error returned if it is invalid"

Signed-off-by: Nick Child <nick.child@ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2021-06-29 09:31:06 -04:00
Dave Rodgman dd5f624f32 Fix TLS alert codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 09:45:08 +01:00
gabor-mezei-arm 6c18541a5e
Fix comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 16:41:31 +02:00
Dave Rodgman 78c601b529
Merge pull request #4717 from daverodgman/psa_cipher_and_mac_abort_on_error_2.x
Backport 2.x: Psa cipher and mac abort on error
2021-06-25 15:39:43 +01:00
Janos Follath 2667fb708e Fix unused parameter warning
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 15:36:55 +01:00
Janos Follath bc58902a32 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTLS_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath 7d4ebddbb6 Reject low-order points on Curve448 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath 1c6a439783 Use mbedtls_mpi_lset() more
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath bc96a79854 Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:01 +01:00
gabor-mezei-arm 0e1d31bf06
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm d52c8dc783
Fix possible unreachable code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm f4cc6c9064
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 3fd792d076
Add checks for buffer size
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 7fbea09847
Use local variable instead of an ouput parameter
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 52ae871b27
Initialize output buffer length to 0
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:21:11 +02:00
Janos Follath b4c676e6b3 Prevent memory leak in ecp_check_pubkey_x25519()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard 520f0a0ea0 Avoid complaints about undeclared non-static symbols
Clang was complaining and check-names.sh too

This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard ae48111294 Use more compact encoding of Montgomery curve constants
Base 256 beats base 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard 10b8e5a5c9 Use a more compact encoding of bad points
Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:22 +01:00
Manuel Pégourié-Gonnard f2268d1c17 Reject low-order points on Curve25519 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:06:45 +01:00
Dave Rodgman 478ab5443b Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:30 +01:00
Ronald Cron 132e8c3cab
Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x
Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
2021-06-25 09:00:58 +02:00
gabor-mezei-arm dad6f3b5a0
Remove confising comments
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:29:09 +02:00
Dave Rodgman d73e1b0ccd Tidy up logic in psa_mac_sign_finish
Simplify the logic in psa_mac_sign_finish.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:57 +01:00
Dave Rodgman db861797c1 Correct coding style issues
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:53 +01:00
gabor-mezei-arm 22984de191
Remove comments
These comment cannot bring more information than the code does.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:20:22 +02:00
gabor-mezei-arm f67d8af106
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm fa990b5ffe
Dispatch cipher functions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
gabor-mezei-arm 0ef3b85381
Implement one-shot cipher
Implement one-shot cipher APIs, psa_cipher_encrypt and psa_cipher_decrypt, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
Dave Rodgman cccb05def4 Call abort on error in psa_mac/cipher setup
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:47 +01:00
Dave Rodgman 4e0a82e274 Update multipart hash operations to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:23 +01:00
gabor-mezei-arm 6439e85094 Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 11:58:19 +02:00
Dave Rodgman c88b0a57da Update cipher and mac functions to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 19:05:35 +01:00
Ronald Cron eaacabf98d
Merge pull request #4392 from gilles-peskine-arm/psa-storage-format-test-lifetimes
Backport 2.x: PSA storage format: test lifetimes
2021-06-23 15:22:24 +02:00
Gilles Peskine 76dec15d54 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Janos Follath 53d1cf8e2b
Merge pull request #4644 from gilles-peskine-arm/mpi_montmul-null-2.x
Backport 2.x: Fix several bugs with the value 0 in bignum
2021-06-23 13:40:05 +01:00
Gilles Peskine 478ac0bcc1
Merge pull request #4704 from mpg/issue-3990-fix_psa_verify_with_alt-2.x
[Backport 2.x] Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:42 +02:00
Ronald Cron 4ed836883e psa: mac: Add driver delegation support for psa_mac_verify()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron ef0d8f17f8 psa: mac: Introduce psa_mac_compute_internal
Introduce psa_mac_compute_internal with an
additional `is_sign` parameter compared to
the psa_mac_compute API. The intent is to
call psa_mac_compute_internal() from
psa_mac_verify() as well to compute the
message MAC.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 882eb780fb psa: mac: Improve MAC finalization code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron dbb8646c2c psa: mac: Add driver delegation support for psa_mac_compute()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron bfdfaa676c psa: mac: Add MAC compute builtin implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron def68e722a psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 1c650a1a37 psa: mac: Split psa_mac_setup()
Split out of psa_mac_setup() the final checks on
the requested algorithm and the key attributes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 48f875e809 psa: mac: Re-organize psa_mac_setup() internal function
Re-organize psa_mac_setup() to prepare the move
to a dedicated function of the additional checks
on the algorithm and the key attributes done by
this function. We want to move those checks in
a dedicated function to be able to do them
without duplicating them in psa_mac_compute().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm a00616fc6b Implement one-shot MAC functions
Implement one-shot MAC APIs, psa_mac_compute and psa_mac_verify, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-22 13:43:13 +02:00
Janos Follath 03daae6894 Improve psa_rsa_decode_md_type()
Remove a case that cannot be triggered as PSA_ALG_SIGN_GET_HASH always
returns 0 for raw algorithms.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath b23b5745b5 PSA RSA PSS: pass pre-hash algorithm to Mbed TLS
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well
as Mbed TLS does not use this parameter for anything beyond determining
the input lengths.

Some alternative implementations however check the consistency of the
algorithm used for pre-hash and for other uses in verification (verify
operation and mask generation) and fail if they don't match. This makes
all such verifications fail.

Furthermore, the PSA Crypto API mandates that the pre-hash and internal
uses are aligned as well.

Fixes #3990.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:00 +02:00
Gilles Peskine 37d690c45b Correct some statements about the ordering of A and B
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine b798b35374 Clarification in a comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 38a384d2cc Simplify is-zero check
The loop exits early iff there is a nonzero limb, so i==0 means that
all limbs are 0, whether the number of limbs is 0 or not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine ea9aa14b3a Write a proof of correctness for mbedtls_mpi_gcd
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 6537bdb5e0 Explain how the code relates to the description in HAC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine d65b50063a Fix multiplication with negative result and a low-order 0 limb
Fix a bug introduced in "Fix multiplication producing a negative zero" that
caused the sign to be forced to +1 when A > 0, B < 0 and B's low-order limb
is 0.

Add a non-regression test. More generally, systematically test combinations
of leading zeros, trailing zeros and signs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 0759cadddf Whitespace fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine d48761317c mbedtls_mpi_read_string: make an empty bignum for an empty string
In mbedtls_mpi_read_string, if the string is empty, return an empty bignum
rather than a bignum with one limb with the value 0.

Both representations are correct, so this is not, in principle, a
user-visible change. The change does leak however through
mbedtls_mpi_write_string in base 16 (but not in other bases), as it writes a
bignum with 0 limbs as "" but a bignum with the value 0 and at least one
limb as "00".

This change makes it possible to construct an empty bignum through
mbedtls_mpi_read_string, which is especially useful to construct test
cases (a common use of mbedtls_mpi_read_string, as most formats use in
production encode numbers in binary, to be read with mbedtls_mpi_read_binary
or mbedtls_mpi_read_binary_le).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 70a7dcda3f Fix multiplication producing a negative zero
Fix mbedtls_mpi_mul_mpi() when one of the operands is zero and the
other is negative. The sign of the result must be 1, since some
library functions do not treat {-1, 0, NULL} or {-1, n, {0}} as
representing the value 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine c86acc5434 mbedtls_mpi_gcd: small optimization
Shifting TA and TB before the loop is not necessary. If A != 0, it will be
done at the start of the loop iteration. If A == 0, then lz==0 and G is
correctly set to B after 0 loop iterations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine b5e56ec5fd mbedtls_mpi_gcd: fix the case B==0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine f643e8e8a9 Fix null pointer dereference in mbedtls_mpi_exp_mod
Fix a null pointer dereference in mbedtls_mpi_exp_mod(X, A, N, E, _RR) when
A is the value 0 represented with 0 limbs.

Make the code a little more robust against similar bugs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Manuel Pégourié-Gonnard 6a55de9057
Merge pull request #4623 from gilles-peskine-arm/debug-print-mpi-null-2.x
Backport 2.x: Fix mbedtls_debug_print_mpi crash on 0
2021-06-22 12:08:57 +02:00
Manuel Pégourié-Gonnard 9a11ac9cc1
Merge pull request #4621 from gilles-peskine-arm/default-hashes-curves-2.x
Backport 2.x: Curve and hash selection for X.509 and TLS
2021-06-22 12:08:43 +02:00
Manuel Pégourié-Gonnard 82a5a9dcdd Merge branch 'development_2.x' into development_2.x-restricted
* development_2.x:
  Reword changelog - Test Resource Leak
  Fix fd range for select on Windows
  Refactor file descriptor checks into a common function
  Update changelog formatting - Missing Free Context
  Update changelog formatting Missing Free Context
  Update changelog formatting - Missing Free Context
  Changelog entry for Free Context in test_suite_aes fix
  Free context in at the end of aes_crypt_xts_size()
  Fix copypasta in test data
  Use UNUSED wherever applicable in derive_input tests
  Fix missing state check for tls12_prf output
  Key derivation: add test cases where the secret is missing
  Add bad-workflow key derivation tests
  More explicit names for some bad-workflow key derivation tests
2021-06-22 10:42:04 +02:00
Gilles Peskine 51859aaff2 Fix fd range for select on Windows
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows: they were testing that the file
descriptor is in range for fd_set, but on Windows socket descriptors are not
limited to a small range. Fixes #4465.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Gilles Peskine 0f6351f8a9 Refactor file descriptor checks into a common function
This will make it easier to change the behavior uniformly.

No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Manuel Pégourié-Gonnard c94b6b07dc Homogenize coding patterns
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 16:39:47 +02:00
Gilles Peskine f216f0d5d4 Fix missing state check for tls12_prf output
Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Manuel Pégourié-Gonnard 0b3bde57f1 Silence MSVC type conversion warnings
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard f10d289441 Simplify sign selection
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard 5325b976b9 Avoid UB caused by conversion to int
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard 464fe6a4d7 Use bit operations for mpi_safe_cond_swap()
Unrelated to RSA (only used in ECP), but while improving one
mbedtls_safe_cond_xxx function, let's improve the other as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard c3be399591 Use bit operations for mpi_safe_cond_assign()
- copied limbs
- sign
- cleared limbs

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard eaafa494e1 Avoid using == for sensitive comparisons
mbedtls_mpi_cf_bool_eq() is a verbatim copy of mbedtls_ssl_cf_bool_eq()

Deduplication will be part of a future task.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard e10e8db6d4 Use constant-time look-up for modular exponentiation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard c4c0d819ce Merge branch 'development_2.x' into development_2.x-restricted
* development_2.x:
  Disable OS X builds on Travis
  config: Allow Mbed to implement TIMING_C
  Fix misuse of MD API in SSL constant-flow HMAC
2021-06-11 10:09:53 +02:00
Gilles Peskine 2bfbb17f30 Remove duplicate wipe call in psa_destroy_key
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 23:27:54 +02:00
Gilles Peskine 4de5a6096b Add missing parentheses
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:42:15 +02:00
Gilles Peskine e247b10cd6 Indicate that the truncation from size_t to int is deliberate
MPI sizes do fit in int. Let MSVC know this conversion is deliberate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:42:08 +02:00
Gilles Peskine 2ee0bb333c Simplify mbedtls_debug_print_mpi and fix the case of empty bignums
Rewrite mbedtls_debug_print_mpi to be simpler and smaller. Leverage
mbedtls_mpi_bitlen() instead of manually looking for the leading
zeros.

Fix #4608: the old code made an invalid memory dereference when
X->n==0 (freshly initialized bignum with the value 0).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:41:59 +02:00
Gilles Peskine 0ecd719edf Document more precisely what goes into the default profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:24:26 +02:00
Gilles Peskine 7a4c7589c8
Merge pull request #4541 from mpg/fix-ssl-cf-hmac-alt-2.x
[Backport 2.x] Fix misuse of MD API in SSL constant-flow HMAC
2021-06-07 20:53:48 +02:00
Gilles Peskine 74f66bb5c3 Fix non-constant-time comparison in mbedtls_mpi_random
Calling mbedtls_mpi_cmp_int reveals the number of leading zero limbs
to an adversary who is capable of very fine-grained timing
measurements. This is very little information, but could be practical
with secp521r1 (1/512 chance of the leading limb being 0) if the
adversary can measure the precise timing of a large number of
signature operations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-04 14:50:23 +02:00
Manuel Pégourié-Gonnard 62da8ac37a
Merge pull request #4276 from gilles-peskine-arm/random-range-uniformity
Backport 2.x: Fix non-uniform random generation in a range
2021-06-04 10:43:25 +02:00
Gilles Peskine 23422e424c Note that the byte order in mpi_fill_random_internal() is deliberate
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 11:51:09 +02:00
Gilles Peskine c0b68bf03a Use MBEDTLS_MPI_CHK where warranted
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 11:38:26 +02:00
Gilles Peskine 3130ce24f4 New internal function mbedtls_mpi_resize_clear
The idiom "resize an mpi to a given size" appeared 4 times. Unify it
in a single function. Guarantee that the value is set to 0, which is
required by some of the callers and not a significant expense where
not required.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 23:48:07 +02:00
Gilles Peskine 11779077a0 Use ternary operator with the most common case first
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:31 +02:00
Gilles Peskine 3f61363f8d Correct some comments about ECC in mbedtls_mpi_random
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:31 +02:00
Gilles Peskine 104eb82ec1 DHM: add notes about leading zeros
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:31 +02:00
Gilles Peskine a16001e2d9 mpi_fill_random_internal: remove spurious grow() call
Since the internal function mpi_fill_random_internal() assumes that X
has the right size, there is no need to call grow().

To further simplify the function, set the sign outside, and zero out
the non-randomized part directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:31 +02:00
Gilles Peskine e39ee8e0a2 MPI random test: use more iterations for small numbers
In real life, min << N and the probability that mbedtls_mpi_random()
fails to find a suitable value after 30 iterations is less than one in
a billion. But at least for testing purposes, it's useful to not
outright reject "silly" small values of N, and for such values, 30
iterations is not enough to have a good probability of success.

Pick 250 iterations, which is enough for cases like (min=3, N=4), but
not for cases like (min=255, N=256).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:31 +02:00
Gilles Peskine ef1325134f Contextualize comment about mbedtls_mpi_random retries
This comment is no longer in the specific context of generating a
random point on an elliptic curve.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:30 +02:00
Gilles Peskine 8f45470515 Fix mbedtls_mpi_random when N has leading zeros
mbedtls_mpi_random() uses mbedtls_mpi_cmp_mpi_ct(), which requires its
two arguments to have the same storage size. This was not the case
when the upper bound passed to mbedtls_mpi_random() had leading zero
limbs.

Fix this by forcing the result MPI to the desired size. Since this is
not what mbedtls_mpi_fill_random() does, don't call it from
mbedtls_mpi_random(), but instead call a new auxiliary function.

Add tests to cover this and other conditions with varying sizes for
the two arguments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:30 +02:00
Gilles Peskine 16e3668d14 DHM: use mbedtls_mpi_random for blinding and key generation
Instead of generating blinding values and keys in a not-quite-uniform way
(https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted code,
use mbedtls_mpi_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:39:03 +02:00
Gilles Peskine 58df4c9098 dhm_check_range: microoptimization
No need to build a bignum for the value 2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:37:43 +02:00
Gilles Peskine 87fdb1f872 DHM refactoring: use dhm_random_below in dhm_make_common
dhm_make_common includes a piece of code that is identical to
dhm_random_below except for returning a different error code in one
case. Call dhm_random_below instead of repeating the code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:37:40 +02:00
Gilles Peskine b4e815f638 DHM blinding: don't accept P-1 as a blinding value
P-1 is as bad as 1 as a blinding value. Don't accept it.

The chance that P-1 would be randomly generated is infinitesimal, so
this is not a practical issue, but it makes the code cleaner. It was
inconsistent to accept P-1 as a blinding value but not as a private key.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:36:26 +02:00
Gilles Peskine 0853bb2bea DHM refactoring: unify mbedtls_dhm_make_{params,public}
Unify the common parts of mbedtls_dhm_make_params and mbedtls_dhm_make_public.

No intended behavior change, except that the exact error code may
change in some corner cases which are too exotic for the existing unit
tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 6466d3461e ECP: use mbedtls_mpi_random for blinding
Instead of generating blinding values in a not-quite-uniform way
(https://github.com/ARMmbed/mbedtls/issues/4245) with copy-pasted
code, use mbedtls_mpi_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine aeab0fbd73 Preserve MBEDTLS_ERR_ECP_RANDOM_FAILED in case of a hostile RNG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 9312ba5304 mbedtls_mpi_random: check for invalid arguments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 4699fa47d2 Move mbedtls_mpi_random to the bignum module
Since mbedtls_mpi_random() is not specific to ECC code, move it from
the ECP module to the bignum module.

This increases the code size in builds without short Weierstrass
curves (including builds without ECC at all) that do not optimize out
unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 7967ec5d25 mbedtls_ecp_gen_privkey_sw: generalize to mbedtls_mpi_random
Rename mbedtls_ecp_gen_privkey_sw to mbedtls_mpi_random since it has
no particular connection to elliptic curves beyond the fact that its
operation is defined by the deterministic ECDSA specification. This is
a generic function that generates a random MPI between 1 inclusive and
N exclusive.

Slightly generalize the function to accept a different lower bound,
which adds a negligible amount of complexity.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine eadf31d56a mbedtls_ecp_gen_privkey_mx: simplify the size calculation logic
mbedtls_ecp_gen_privkey_mx generates a random number with a certain
top bit set. Depending on the size, it would either generate a number
with that top bit being random, then forcibly set the top bit to
1 (when high_bit is not a multiple of 8); or generate a number with
that top bit being 0, then set the top bit to 1 (when high_bit is a
multiple of 8). Change it to always generate the top bit randomly
first.

This doesn't make any difference in practice: the probability
distribution is the same either way, and no supported or plausible
curve has a size of the form 8n+1 anyway. But it slightly simplifies
reasoning about the behavior of this function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 4f7767445b mbedtls_ecp_gen_privkey_mx: make bit manipulations unconditional
Don't calculate the bit-size of the initially generated random number.
This is not necessary to reach the desired distribution of private
keys, and creates a (tiny) side channel opportunity.

This changes the way the result is derived from the random number, but
does not affect the resulting distribution.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 6acfc9cb4c mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero
The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e3 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 3838f28c33 mbedtls_ecp_gen_privkey_mx: rename n_bits to high_bit
For Montgomery keys, n_bits is actually the position of the highest
bit and not the number of bits, which would be 1 more (fence vs
posts). Rename the variable accordingly to lessen the confusion.

No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine de33213f23 mbedtls_ecp_gen_privkey: create subfunctions for each curve type
Put the Montgomery and short Weierstrass implementations of
mbedtls_ecp_gen_privkey into their own function which can be tested
independently, but will not be part of the public ABI/API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 570a8cd056 Fix null pointer arithmetic in error case
When mbedtls_nist_kw_wrap was called with output=NULL and out_size=0, it
performed arithmetic on the null pointer before detecting that the output
buffer is too small and returning an error code. This was unlikely to have
consequences on real-world hardware today, but it is undefined behavior and
UBSan with Clang 10 flagged it. So fix it (fix #4025).

Fix a similar-looking pattern in unwrap, though I haven't verified that it's
reachable there.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-01 11:57:18 +02:00
Gilles Peskine 251c774b91 Refuse to destroy read-only keys
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-28 12:53:15 +02:00
Gilles Peskine ac9851f8d3 Forbid creating a read-only key
The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
as intended, for keys that cannot be modified through normal use of the API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-27 21:10:09 +02:00
Gilles Peskine 7934b3f9f9 Fix mbedtls_psa_get_stats for keys with fancy lifetimes
mbedtls_psa_get_stats() was written back before lifetimes were
structured as persistence and location. Fix its classification of
volatile external keys and internal keys with a non-default
persistence.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-27 21:10:09 +02:00
Ronald Cron 9df7209bf6
Merge pull request #4546 from Patater/psa-without-genprime-fix-2.x
[Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME
2021-05-27 14:19:14 +02:00
Gilles Peskine 66c616a393 CAMELLIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Gilles Peskine ccbbb2c501 ARIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Jaeden Amero c17f29309f psa: Support RSA signature without MBEDTLS_GENPRIME
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-21 10:21:27 +01:00
Janos Follath d76f7ba2e1
Merge pull request #4529 from hanno-arm/ssl_session_cache_fix_backport_2x
Backport 2.x: Add session ID as an explicit parameter to SSL session cache API
2021-05-21 08:49:11 +01:00
Gilles Peskine d135b57e8c
Merge pull request #4412 from gilles-peskine-arm/undefined-reference-2.27
Backport 2.x: Fix missing compilation guard around psa_crypto_driver_wrappers.c
2021-05-20 17:20:36 +02:00
Gilles Peskine a33cb76820
Merge pull request #4493 from netfoundry/gcc11.fixes_2.x
Backport 2.x: build with gcc11
2021-05-20 15:54:20 +02:00
Gilles Peskine 05c11e3dd5
Merge pull request #4503 from gilles-peskine-arm/ciphersuite-sha384-guard-2.x
Backport 2.x: fix SHA384 guards in TLS
2021-05-19 21:13:08 +02:00
Gilles Peskine ad0e01248d Fix missing compilation guard around psa_crypto_driver_wrappers.c
Fix #4411.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 21:03:46 +02:00
Gilles Peskine c54010c3ec Split SHA-512 and SHA-384 guards for hash availability code
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:15 +02:00
Gilles Peskine fc9c07ff8f Fix unused variable with MBEDTLS_SHA512_NO_SHA384
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:13 +02:00
Gilles Peskine d2d59379ed Remove dead code under MBEDTLS_SHA512_NO_SHA384
TLS code specific to SHA-384 was gated on MBEDTLS_SHA512_C. But SHA-384 also
requires that MBEDTLS_SHA512_NO_SHA384 is not defined. This lead to dead
code in TLS when MBEDTLS_SHA512_C and MBEDTLS_SHA512_NO_SHA384 were both
defined (i.e. when SHA-512 was enabled but not SHA-384).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:10 +02:00
Gilles Peskine 367379d7fc Fix dependencies on SHA384 cipher suites
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix #4499.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:08 +02:00
Gilles Peskine 3d23e28ee1 Fix dependency for TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384
Fix #4472

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:57:40 +02:00
Manuel Pégourié-Gonnard 21bfbdd703 Fix misuse of MD API in SSL constant-flow HMAC
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-05-19 10:40:02 +02:00
Hanno Becker 83e3671d87 Don't check ciphersuite and compression in SSL session cache lookup
Session-ID based session resumption requires that the resumed session
is consistent with the client's ClientHello in terms of choice of
ciphersuite and choice of compression.

This check was previously assumed to be performed in the session cache
implementation, which seems wrong: The session cache should be an id-based
lookup only, and protocol specific checks should be left to Mbed TLS.

This commit
- adds an explicit ciphersuite and compression consistency check after
  the SSL session cache has been queried
- removes the ciphersuite and compression consistency check from
  Mbed TLS' session cache reference implementation.

Don't use ssl_check_xxx() for functions with void return

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-19 05:09:56 +01:00
Gilles Peskine 48f052fb35 mbedtls_ecp_gen_privkey: minor refactoring
Prepare to isolate the Montgomery and short Weierstrass
implementations of mbedtls_ecp_gen_privkey into their own function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 23:02:21 +02:00
Gilles Peskine 54650b3892
Merge pull request #4505 from d3zd3z/bp2x-posix-define
Backport 2.x: Check if feature macro is defined before define it
2021-05-17 12:09:59 +02:00
Gilles Peskine bed4e9e214
Merge pull request #4357 from gabor-mezei-arm/3267_Implement_psa_sign_message_and_verify
Implement psa_sign_message and psa_verify_message
2021-05-17 10:14:46 +02:00
Gilles Peskine bb66dac971 Fix spurious -Wstringop-overflow with GCC 11.1
A previous fix in d596ca8a1e worked with
beta versions of GCC 11, but not with the final 11.1 release.

This time, just disable the warning locally.

Fix #4130

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 10:20:39 -04:00
Flavio Ceolin a79c30b8f4 Check if feature macro is defined before define it
Zephyr's native posix port define _POSIX_C_SOURCE with a higher value
during the build, so when mbedTLS defines it with a different value
breaks the build.

As Zephyr is already defining a higher value is guaranteed that mbedTLS
required features will be available. So, just define it in case it was
not defined before.

[taken from Zephyr mbedtls module:
76dcd6eeca]

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Signed-off-by: David Brown <david.brown@linaro.org>
2021-05-12 15:00:48 -06:00
Shawn Carey 4e54f25cc6 avoid "maybe-uninitialized" and "free-nonheap-object" errors/warnings with gcc11
Signed-off-by: Shawn Carey <shawn.carey@netfoundry.io>
2021-05-12 09:37:00 -04:00
gabor-mezei-arm f25c9767a9
Enable fallback to software implementation in psa_sign/verify_message driver
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 11:12:25 +02:00
gabor-mezei-arm c979578a83
Unify variable type and rename to be unambiguous
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 11:03:09 +02:00
gabor-mezei-arm 63c7a66320
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 10:49:27 +02:00
Steven Cooreman bbb1952414 Refactor out mac_sign_setup and mac_verify_setup
Since they became equivalent after moving the is_sign checking back to
the PSA core, they're now redundant, and the generic mac_setup function
can just be called directly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman f8ad2123f9 Be explicit about why the zero-length check is there
Since a valid mac operation context would guarantee that the stored
mac size is >= 4, it wasn't immediately obvious that the zero-length
check is meant for static analyzers and a bit of robustness.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman a6474de2ac Supply actual key bits to PSA_MAC_LENGTH during MAC setup
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 9621f444a7 Correctly mark unused arguments when MAC algorithms are compiled out
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 63fa40e593 Add sanity tests for CMAC-(3)DES through PSA Crypto
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman aaf9944db3 Use the proper define guards in the MAC driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 2a18f56b4e Remove superfluous checking from MAC driver
The PSA core checks the key type and algorithm combination before
calling the driver, so the driver doesn't have to do this once more.

The PSA core will also not start an operation with a requested length
which is larger than the full MAC output size, so the output length check
in the driver isn't needed as long as the driver returns an error on
mac_setup if it doesn't support the underlying hash algorithm.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 15f0d92a48 Move is_sign and mac_size checking back to PSA core scope
It makes sense to do the length checking in the core rather than expect
each driver to deal with it themselves. This puts the onus on the core to
dictate which algorithm/key combinations are valid before calling a driver.

Additionally, this commit also updates the psa_mac_sign_finish function
to better deal with output buffer sanitation, as per the review comments
on #4247.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman bd1f60868a Minor documentation and language fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman dba0644818 Remove superfluous check
As psa_mac_sign_finish / psa_mac_verify_finish already checks that the
operation structure is valid (id is non-zero), the driver itself doesn't
have to check for that anymore. If the operation has a driver ID assigned,
it means that driver has returned success from its setup function, so the
algorithm value will be set correctly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman e68bb52afd Remove unused variable from MAC driver structure
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman af81a71b8b Remove superfluous length check
The key passed to the driver has been imported by the PSA Core, meaning
its length has already been verified, and the driver can rely on the
buffer length and key attributes being consistent.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 9878a160c6 Code flow and style improvements
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 22dea1d527 Base the PSA implementation of TLS 1.2 PRF on the MAC API
This means there is no longer a need to have an internal HMAC API, so
it is being removed in this commit as well.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman b27e3506fe Make HKDF use the generic MAC API
Such that the underlying HMAC can be accelerated if such a driver is present

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 4f7cae6cbe Rename HMAC operation structure
Prefix with 'mbedtls_psa' as per the other types which implement some
sort of algorithm in software.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman a2a1b803da Make safer_memcmp available to all compile units under PSA
Now renamed to mbedtls_psa_safer_memcmp, it provides a single location
for buffer comparison.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman b4b9b2879c Remove redundant key_set from MAC operation structure
The purpose of key_set was to guard the operation structure from being
used for update/finish before a key was set. Now that the implementation
fully adheres to the PSA API, that function is covered by the `alg`
variable instead. It's set to the algorithm in use when a key is set, and
is zero when the operation is reset/invalid.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 6e6451ec01 Code flow/readability improvements after review
* Early return since there's nothing to clean up
* Get rid of unnecessary local variable
* Check algorithm validity for MAC in the PSA core instead of in the driver

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 5c85ef0a56 Remove unused items from MAC operation context structure
Apparently it was at some point assumed that there would be
support for MAC algorithms with IV, but that hasn't been
implemented yet. Until that time, these context structure
members are superfluous and can be removed.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 2d9a3f946e Add testing of the MAC driver entry points
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman f64b25e205 Rename internal HMAC structure type to match convention
Typedef'ed structures are suffixed _t
Also updated the initialiser macro with content that actually
matches the structure's content.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 76720f6389 Complete, document and fully use internal HMAC API
Since HMAC moved into its own compilation unit, the internal API needed
to be documented and finalized. This means no more reaching deep into
the operation structure from within the PSA Crypto core. This will make
future refactoring work easier, since internal HMAC is now opaque to the
core.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 87885df795 Migrate MAC finish calls into the software driver
Step 3/x in moving the driver. Separate commits should make for easier
review.

Additional changes on top of code movement:
* Copied the implementation of safer_memcmp from psa_crypto into
  psa_cipher_mac since the mac_verify driver implementation
  depends on it, and it isn't available through external linkage

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 11743f91de Migrate MAC update call into the software driver
Step 2/x in moving the driver. Separate commits should make for easier
review.

Additional changes on top of code movement:
* Early-return success on input with zero-length to mac_update, to
  avoid NULL pointers getting passed into the driver dispatch

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 0789783c17 Migrate MAC setup/abort calls into the software driver
Step 1/x in moving the driver. Separate commits should make for easier
review.
Additional changes on top of just moving code:
* Added a sanity check on the key buffer size for CMAC.
* Transfered responsibility for resetting the core members of the
  PSA MAC operation structure back to the core (from the driver
  wrapper layer)

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 32d569449b Move internal HMAC implementation into internal MAC driver
This is a temporary measure. Other operations in the PSA Core which rely
on this internal HMAC API should be rewritten to use the MAC API instead,
since they can then leverage accelerated HMAC should a platform provide
such acceleration support.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 6e3c2cbb52 Move the MAC operation structure into the driver headers
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
Steven Cooreman 896d51e584 Add boilerplate for dispatching MAC operations
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-05-11 18:56:01 +02:00
gabor-mezei-arm a7b9b202b2
Change the driver calling logic for psa_sign/verify_messsage
The changed logic is to try a sign-message driver (opaque or transparent);
if there isn't one, fallback to builtin sofware and do the hashing,
then try a sign-hash driver. This will enable to the opaque driver
to fallback to software.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-07 15:16:34 +02:00
gabor-mezei-arm f3c5c86db7
Rename sign/verify builtin functions called by driver wrapper functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:50:33 +02:00
gabor-mezei-arm ef6f2aa94b
Return error if algorithm is not hash-then-sign for psa_sign_message
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:50:32 +02:00
gabor-mezei-arm 5698048cc6
Use bool variable instead of enum values
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:50:32 +02:00
gabor-mezei-arm 12ff4d581e
Fix documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:50:32 +02:00
gabor-mezei-arm dd05aab6a0
Use switch-case for error handling
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:50:32 +02:00
gabor-mezei-arm 9719a8450e
Fix for algorithms other than hash-then-sign
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:24 +02:00
gabor-mezei-arm fc8d0aedd6
Use driver-wrapper functions for psa_sign/verify_message
To avoid code duplication of the old-style SE interface usage
call psa_driver_wrapper_sign/verify_hash function instead of
the direct internal functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:24 +02:00
gabor-mezei-arm 84255a5add
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:24 +02:00
gabor-mezei-arm bfbe465bb0
Enable algorithms other than hash-then-sign
For psa_hash/verify_message other algorithms than hash-then-sign is
enabled like PureEdDSA.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:24 +02:00
gabor-mezei-arm 81bf120076
Fix error checking
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:24 +02:00
gabor-mezei-arm 77588fb171
Update macro names
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:49:23 +02:00
gabor-mezei-arm c53f4f6281
Dispatch sign/verify funtions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:47:42 +02:00
gabor-mezei-arm 9d26fa3dcc
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:47:41 +02:00
gabor-mezei-arm bc0088b99b
Unify similar functions
Use common funtion for psa_sign_hash and psa_sign_message and one for
psa_verify_hash and psa_verify_message to unify them.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:47:41 +02:00
gabor-mezei-arm e8efa3911c
Implement psa_sign_message and psa_verify_message functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-06 13:47:41 +02:00
Ronald Cron 05ee58d38a tests: Revert test_driver.h name change
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-05 09:03:44 +02:00
Ronald Cron b0737dab26 tests: psa: Simplify key buffer size calculation
Move the key buffer size calculation code under
tests to avoid check-names.sh to complain about
"likely macros with typos".

This removes the calculation of key buffer
sizes for the test driver from the wrapper based on
static size data. But the code is still there in test
code to be used when we go back to work on the
generation of the driver wrapper.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-05 09:02:13 +02:00
Ronald Cron c4bc12e8f3 tests: psa: Add mbedtls/MBEDTLS prefix to test driver symbols
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-05 09:02:13 +02:00
Ronald Cron 0bec41a18c tests: Add hash transparent test driver hooks
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-05-05 08:52:30 +02:00
Steven Cooreman 146e7fc5fa Allow skipping 3DES in CMAC self-test when ALT implemented
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-30 10:09:52 +02:00
Gilles Peskine 4ad0967125
Merge pull request #4430 from gilles-peskine-arm/dhm_min_bitlen-bits
Backport 2.x: Enforce dhm_min_bitlen exactly
2021-04-29 14:55:36 +02:00
Gilles Peskine e0427c777f
Merge pull request #4434 from chris-jones-arm/development
Backport 2.x: Add macro to check error code additions/combinations
2021-04-28 16:47:26 +02:00
Chris Jones 4d01c5b5c3 Remove dead code from pk_parse_key_pkcs8_unencrypted_der
pk_get_pk_alg will either return 0 or a pk error code. This means that
the error code will always be a high level module ID and so we just
return ret.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-28 14:12:07 +01:00
Ronald Cron 931d91e307
Merge pull request #4243 from bensze01/psa_vararg
PSA: Update AEAD output buffer macros to PSA API version 1.0
2021-04-28 08:36:06 +02:00
Steven Cooreman b74b5602b7 Add missing parenthesis
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-27 17:08:26 +01:00
Ronald Cron b5939e814e
Merge pull request #4160 from stevew817/feature/driver_builtin_keys
Add implementation for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS

Merging as it has been ready for four days now and I prefer not having to go through other rebases especially given the coming change of scope of development (3.0 rather than 2.2x).
2021-04-23 09:40:31 +02:00
Chris Jones e11e81413d Improve documentation for error code checking
Improve comments explaining error code checking, fix incorrect comments
and make a small formatting fix.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-22 15:28:56 +01:00
Paul Elliott 986b55af03 Style Fix
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-04-20 21:46:29 +01:00
Paul Elliott 7725a63c24 Fix unchecked return in bignum
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-04-20 19:01:46 +01:00
Manuel Pégourié-Gonnard 0bbb38c67e
Merge pull request #4199 from TRodziewicz/mul_shortcut_fix
Fix ECDSA failing when the hash is all-bits-zero
2021-04-19 09:54:12 +02:00
Steven Cooreman 966db26779 Minor code flow improvements
* group setting of attributes before calling get_builtin_key
* return early instead of going to exit when no resources are allocated yet

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-16 11:22:17 +02:00
Bence Szépkúti ec174e292d Update all uses of old AEAD output size macros
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-04-15 17:32:06 +02:00
Steven Cooreman ce48702448 Get a builtin key's attributes in order to correctly get its size
Leverage the fact that the get_builtin_key entrypoint returns a key's
attributes, such that a proper size for the builtin key's buffer can
be calculated through the driver's get_key_buffer_size hook.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman 7ddee7f7c5 Use remove_key_data_from_memory instead of wipe_key_slot
Since the loading attempt of a builtin key might be followed by trying
to load a persistent key, we can only wipe the allocated key data, not
the associated metadata.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman 7609b1ff6c leverage psa_allocate_buffer_to_slot from slot management
It makes the implementation of psa_load_builtin_key_into_slot a lot
cleaner.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman 0bb653600f If no storage backend is available, don't even attempt key loading
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman b938b0bb03 Documentation clarification after review
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman a1ce2f2675 Rename test driver lifetime to location
The macro always meant 'location', but was mistakenly named 'lifetime'.
Naming it location instead makes much more sense, and drives home the
conceptual differences between location and lifetime values.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:53 +02:00
Steven Cooreman c8b9534378 Change signature of mbedtls_psa_platform_get_builtin_key
Instead of the full attributes struct, it now only takes/returns what it
actually needs to.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman 1a0fbacde1 Refactor opaque key handling in the test driver
Builtin key support for the test driver is always compiled in, and no
  longer guarded by MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.
Parsing the key slot from the buffer by cast and assign instead of memcmp.
For exporting keys, the test driver no longer reaches into the key
  identifier in order to check whether a key is builtin, but rather
  assumes so based on the key buffer length. It's the driver's
  responsibility to be able to detect the key material it returned as part
  of the get_builtin_key operation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman e384252cb7 Move include to top of file
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman 649a8f4301 replace memcpy of structure with regular assignment
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman ffc7fc9b71 Move variable declarations to top of function
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman 85d554a99b Use different variables for buffer size and data length
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman 203bcbbc47 Style fixes (typos, whitespace, 80 column limit)
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman e5e30859b7 Remove potentially unused exit label
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:06:52 +02:00
Steven Cooreman f9a55ffa2c Add test driver implementation for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
As part of test_psa_crypto_drivers, define a builtin symmetric
plus an ECC key on the test driver lifetime.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Steven Cooreman 6801f08973 Implement support for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Manuel Pégourié-Gonnard 93c0847914 Revert "Remove deprecated things from hashing modules"
This reverts commit c75d9f589b.

This was merged by mistake in development instead of development_3.0.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-15 12:28:15 +02:00
Manuel Pégourié-Gonnard 149211146f Revert "fix error.c - now it's autogenerated"
This reverts commit 48f6d0d6e5.

This was merged by mistake in development instead of development_3.0.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-15 12:28:06 +02:00
Manuel Pégourié-Gonnard 30dcdf40b4 Revert "fix error.c - second try"
This reverts commit 9a86843470.

This was merged by mistake in development instead of development_3.0.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-04-15 12:27:59 +02:00
Chris Jones fdb588b3a7 Fix an incorrect error code addition in pk_parse_key_pkcs8_unencrypted_der
An incorrect error code addition was spotted by the new invasive testing
infrastructure whereby pk_get_pk_alg will always return a high level
error or zero and pk_parse_key_pkcs8_unencrypted_der will try to add
another high level error, resulting in a garbage error code.

Apply the same fix from ae3741e8a to fix the bug.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-15 11:19:56 +01:00
Chris Jones 9f7a693f2c Apply MBEDTLS_ERROR_ADD to library
Replace all occurences of error code addition in the library with the new
MBEDTLS_ERROR_ADD macro.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-15 11:19:47 +01:00
Manuel Pégourié-Gonnard c039514559
Merge pull request #4334 from TRodziewicz/origin/remove_old_func_from_hashing
Remove deprecated things from hashing modules
2021-04-15 10:13:32 +02:00
Gilles Peskine 09c916afba
Merge pull request #4257 from ronald-cron-arm/psa-aead
Add PSA crypto driver delegation for AEAD single shot PSA APIs - 1
2021-04-14 14:07:51 +02:00
Chris Jones ef01852d65 Add missing guard to mbedtls_test_hook_error_add
Add a missing guard for the definition and declaration of
mbedtls_test_hook_error_add.

Also make the declaration always visible when MBEDTLS_TEST_HOOKS is
enabled. This fixes an issue when MBEDTLS_ERROR_C is not defined but
MBEDTLS_TEST_HOOKS is.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:27:04 +01:00
Chris Jones b7d02e0f15 Fix misc issues with unused parameters and check-names.sh
Fix unused parameter warnings when MBEDTLS_TEST_HOOKS is not enabled.

A few issues were caught by check-names.sh namely:

- mbedtls_error_add was not capitalised.
- mbedtls_test_hook_error_add was being defined multiple times as the
  definition was in a header.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:26:59 +01:00
Chris Jones 7439209bcc Rewrite error addition interface
The previous implementation of the error addition interface did not comply
with the invasive testing architecture guidelines. This commit fixes that
by:

- Renaming functions/macros/variables to follow the mbedtls_error_xxx or
  mbedtls_test_hook_xxx convention.

- Making mbedtls_test_hook_error_add a global variable that can be set
  by the testing code.

- Using a static inline function call, as opposed to macro, to keep
  discrepancies between debug and production version to a minimum.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:24:25 +01:00
Chris Jones b179b84335 Change set_err_add_hook void pointer to actual function pointer signature
Change the signature of the `hook` parameter of `mbedtls_set_err_add_hook`
to use the actual signature of the function as opposed to `void *`. This
fixes a warning when compiling with clang `-pedantic`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:21:43 +01:00
Chris Jones ef180af350 Move MBEDTLS_ERR_ADD macro and functions to error.*
`error.c` and  error.h are the more logical place to keep this code and it
prevents issues with building `common.c` and conflicts with other projects
that use mbedtls (such as mbedOS).

`error.c` has been automatically generated by first adding the code to
`error.fmt` and then running `./scripts/generate_errors.pl`.

Also add parenthesis to the addition in `MBEDTLS_ERR_ADD`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:21:43 +01:00
Chris Jones 808b7c8a8a Fix building with MBEDTLS_TEST_HOOKS enabled
Fix building by adding `common.c` to the build scripts (both make and Cmake).

Also reworks the hook function pointer (also renamed to `err_add_hook`) to be
a static local to `common.c` with a setter function to set the pointer to a
checking function.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:21:43 +01:00
Chris Jones 5e8805afeb Move MBEDTLS_ERR_ADD macro and function to common.*
`error.c` is a file generated from `error.h` and thus cannot contain the code
that was previously added. This commit fixes that issue by moving the
`MBEDTLS_ERR_ADD` macro and associated function and function pointer into
`common.h` and `common.c`.

Also fix a typo in `tests/include/test/helpers.h` where tabs were accidentally
used instead of spaces.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:21:43 +01:00
Chris Jones 713e4e77b4 Expand use of MBEDTLS_ERR_ADD to the rest of rsa.c
All occurences of manual error code addition/combination, in `rsa.c`, have
been replaced with the `MBEDTLS_ERR_ADD` macro.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:21:35 +01:00
Chris Jones 96ae73b0ea Add macro for error code addition
Adds a macro (`MBEDTLS_ERR_ADD`) to add error codes together and check that the
result will not be corrupted. This additional check is only enabled during
testing when `MBEDTLS_TEST_HOOKS` is defined.

Also includes a reference usage example in `rsa.c` where two high-level error
codes could be incorrectly added together under the right conditions. This now
ensures that when this error occurs during testing it will be correctly
reported.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-13 15:12:02 +01:00
TRodziewicz 9a86843470 fix error.c - second try
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-12 15:13:10 +02:00
TRodziewicz 48f6d0d6e5 fix error.c - now it's autogenerated
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-12 14:49:55 +02:00
TRodziewicz c75d9f589b Remove deprecated things from hashing modules
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-12 11:38:37 +02:00
Gilles Peskine 9a1c092f8b
Merge pull request #4297 from gilles-peskine-arm/ecp-add-fix-202104
Fix ECP arithmetic bug and read of zero-padded negative number
2021-04-09 16:46:06 +02:00
Gilles Peskine 392d1010dc Clarify some comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-09 15:46:51 +02:00
Ronald Cron df2e4f22a8
Merge pull request #4290 from ronald-cron-arm/hash-dispatch-follow-up
Hash dispatch follow up
2021-04-08 09:13:19 +02:00
Ronald Cron 810eb16831 psa: aead: Make CCM/GCM ordering consistent
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-04-07 16:03:31 +02:00