Previously, the semantics of mbedtls_mps_reader_commit() was to invalidate
all buffers previously fetched via mbedtls_mps_reader_get(), forbidding
any further use by the 'consumer'. This was in fact a necessary constraint
for the current implementation, which did some memory moving in
mbedtls_mps_reader_commit().
This commit simplifies the reader's semantics and implementation in
the following way:
- API: A call to mbedtls_mps_reader_commit() does no longer invalidate
the buffers previously obtained via mbedtls_mps_reader_get().
Instead, they can continue to be used until
mbedtls_mps_reader_reclaim() is called.
Calling mbedtls_mps_reader_commit() now only sets a marker
indicating which parts of the data received through
mbedtls_mps_reader_get() need not be backed up once
mbedtls_mps_reader_reclaim() is called. Allowing the user
to call mbedtls_mbedtls_reader_commit() multiple times
before mbedtls_mps_reader_reclaim() is mere convenience:
We'd get exactly the same functionality if instead of
mbedtls_mps_reader_commit(), there was an additional argument
to mbedtls_mps_reader_reclaim() indicating how much data
to retain. However, the present design is more convenient
for the user and doesn't appear to introduce any unnecessary
complexity (anymore), so we stick with it for now.
- Implementation: mbedtls_mps_reader_commit() is now a 1-liner,
setting the 'commit-marker', but doing nothing else.
Instead, the complexity of mbedtls_mp_reader_reclaim()
slightly increases because it has to deal with creating
backups from both the accumulator and the current
fragment. In the previous implementation, which shifted
the accumulator content with every call to
mbedtls_mps_reader_commit(), only the backup from the
fragment was necessary; with the new implementation
which doesn't shift anything in
mbedtls_mps_reader_commit(), we need to do the
accumulator shift in mbedtls_mps_reader_reclaim().
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds an implementation of the MPS trace module
based on `printf()`.
The enabling macro MBEDTLS_MPS_TRACE remains unset by default
because MPS tracing is very verbose and consumes unnecessary
space in the CI.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds a test exercising the reader in a random way
and comparing the outcomes against what we expect based on the
abstract model of the reader from the producer's and consumer's
perspective.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds an MPS unit test suite `test_suite_mps` which will
subsequently be populated with unit tests for all components of MPS.
As a start, a test case
```
mbedtls_mps_reader_no_pausing_single_step_single_round()
```
is added which exercises the most basic usage of the MPS reader
component; see the test case description for more details.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds an internal header `library/mps/error.h` related
to error codes in MPS.
For now, those error codes can be considered internal and thus we
don't have to avoid clashes with other Mbed TLS error codes. This
is OK as long as it's true that MPS isn't public API, and its error
codes are never forwarded to the return values of public API calls.
The error code allocation of MPS will likely need revisiting over time.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Most buffers that MPS deals with are small and representable
with integer types of width 16-bit or more.
For highly memory constrained systems, it is therefore a potential
for significant memory savings to use 16-bit types for buffer sizes
throughout MPS.
In prepraration for this, this commit introduces typdefs
```
mbedtls_mps_size_t
mbedtls_mps_stored_size_t
```
for buffer sizes in the MPS implementation and the MPS structures,
respectively.
So far, those MUST be defined as `size_t`: While an effort has been made
to write most of MPS code in terms of `mbedtls_mps_[stored_]size_t` in a
way that would allow narrower types, those aren't yet supported. Still,
we retain the typedefs in order to avoid unnecessary rewriting of a large
body of the MPS codebase.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds the interface fo the MPS reader component as
`library/mps/reader.h`.
Please see the file itself for extensive documentation.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
MPS' tracing module uses four macros:
1) TRACE( type, fmt, ... )
This acts like `printf( fmt, ... )` but also allows
the specification of a type of trace output (comment,
warning, error, ...)
2) TRACE_INIT
This acts like TRACE() but increases the level of
indentation. It will be used at the beginning of
function calls.
3) RETURN( val )
Equivalent to `return( val )` plus a decrement in the
level of indentation. This should be used at the end of
functions that have been started with TRACE_INIT.
4) TRACE_END
This combines a trace output with a decrement of the
level of indentation. It's necessary prior to leaving
functions which have been started with TRACE_INIT
but which don't have a return value.
This commit defines those macros as no-op dummies in
`library/mps/trace.h` for now.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds an MPS-specific compile-time option
`MBEDTLS_MPS_TRACE` to the internal MPS header `mps/common.h`.
So far -- this may need revisiting -- MPS comes with its own
internal tracing module which allows to track the operation of
MPS' various layers for the purpose of understanding of it workings
as well as for debugging.
The reasons for the introduction of a module separate from SSL debug
are the following:
1) The SSL debug module requires an SSL context to function because
debug callbacks are part of the runtime configuration of the SSL
module.
The MPS tracing module, in contrast, is not supposed to be used
in production environments, and there is no need for a runtime
configuration. Instead, a compile-time defined tracing callback
is used.
2) In the interest of modularity, MPS' tracing module shouldn't
require having an SSL context around.
3) Purely visually, MPS' tracing module adds support for indentation
according to call-depth and coloring according to which module is
being used, which makes it very useful for what's going on; however,
those features aren't available in the SSL debug module (and they
shouldn't be).
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit adds the compile-time option MBEDTLS_MPS_ENABLE_ASSERTIONS
which controls the presence of runtime assertions in MPS code.
See the documentation in the header for more information.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit introduces the internal MPS header `mps/common.h`
which will subsequently be populated with MPS-specific compile-time
options and helper macros. For now, it's a stub.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Implementers and users would have to refer to the RFC for the detailed
specification of the algorithm anyway.
Keep a mention of the curves and hashes involved for avoidance of doubt.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add the test keys from RFC 8032 (§7.1 Ed25519 "TEST 1", §7.4 Ed448 "Blank").
This replaces the generic byte-sized data used for unknown key types
which no longer works now that Ed25519 is considered to have 255 bits.
Re-generate the automatically generated test data accordingly.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The coordinates are over $F_{2^{255}-19}$, so by the general
definition of the bit size associated with the curve in the
specification, the value for size attribute of keys is 255.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The size attribute of a key is expressed in bits, so use bits in the
documentation. (The documentation of psa_export_key() describes the
export format, so it counts in bytes.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output.
SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define algorithms for PureEdDSA and for HashEdDSA, the EdDSA variants
defined by RFC 8032.
The encoding for HashEdDSA needs to encode the hash algorithm so that
the hash can be calculated by passing PSA_ALG_SIGN_GET_HASH(sig_alg)
to psa_hash_compute() or psa_hash_setup(). As a consequence,
Ed25519ph (using SHA-512) and Ed448ph (using SHAKE256) need to have
different algorithm encodings (the key is enough to tell them apart,
but it is not known while hashing). Another consequence is that the
API needs to recognize the Ed448 prehash (64 bytes of SHAKE256 output)
as a hash algorithm.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add an elliptic curve family for the twisted Edwards curves
Edwards25519 and Edwards448 ("Goldilocks"). As with Montgomery curves,
since these are the only two curves in common use, the family has a
generic name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove cipher_generate_iv driver entry point as there
is no known use case to delegate this to a driver.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>