Commit graph

4375 commits

Author SHA1 Message Date
gabor-mezei-arm 944c107744
Move contatnt-time memcmp functions to the contant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 10:00:12 +01:00
Gilles Peskine 4bdcf9a35a Reorder macro definitions
Definition before mention

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 12:44:08 +01:00
Gilles Peskine 8cb22c8d87 Untangle PSA_ALG_IS_HASH_AND_SIGN and PSA_ALG_IS_SIGN_HASH
The current definition of PSA_ALG_IS_HASH_AND_SIGN includes
PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY, which don't strictly
follow the hash-and-sign paradigm: the algorithm does not encode a hash
algorithm that is applied prior to the signature step. The definition in
fact encompasses what can be used with psa_sign_hash/psa_verify_hash, so
it's the correct definition for PSA_ALG_IS_SIGN_HASH. Therefore this commit
moves definition of PSA_ALG_IS_HASH_AND_SIGN to PSA_ALG_IS_SIGN_HASH, and
replace the definition of PSA_ALG_IS_HASH_AND_SIGN by a correct one (based
on PSA_ALG_IS_SIGN_HASH, excluding the algorithms where the pre-signature
step isn't to apply the hash encoded in the algorithm).

In the definition of PSA_ALG_SIGN_GET_HASH, keep the condition for a nonzero
output to be PSA_ALG_IS_HASH_AND_SIGN.

Everywhere else in the code base (definition of PSA_ALG_IS_SIGN_MESSAGE, and
every use of PSA_ALG_IS_HASH_AND_SIGN outside of crypto_values.h), we meant
PSA_ALG_IS_SIGN_HASH where we wrote PSA_ALG_IS_HASH_AND_SIGN, so do a
global replacement.
```
git grep -l IS_HASH_AND_SIGN ':!include/psa/crypto_values.h' | xargs perl -i -pe 's/ALG_IS_HASH_AND_SIGN/ALG_IS_SIGN_HASH/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 12:44:08 +01:00
Mateusz Starzyk 64010dc544 Add missing PSA_KEY_ID_NULL macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 12:38:57 +01:00
Mateusz Starzyk 272a3d4dd8 Add missing PSA_HASH_BLOCK_LENGTH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 12:38:57 +01:00
Mateusz Starzyk 294ca30120 Add missing PSA_ALG_NONE macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 12:38:57 +01:00
Mateusz Starzyk d22362c647 Add missing PSA_ALG_IS_SIGN_HASH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 12:38:57 +01:00
Manuel Pégourié-Gonnard 1f1bc2df7c
Merge pull request #5117 from gilles-peskine-arm/psa-rsa-pss_any_salt-2.x
Backport 2.x: PSA: fix salt length for PSS verification
2021-10-29 16:36:46 +02:00
Manuel Pégourié-Gonnard 6295dcb600
Merge pull request #5051 from gilles-peskine-arm/psa-add-aria-2.x
Backport 2.x: Add ARIA to the PSA API
2021-10-29 09:38:13 +02:00
Gilles Peskine f8362ca847 Readability improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:07:37 +02:00
Gilles Peskine a2536092b2 Support PSA_ALG_RSA_PSS_ANY_SALT iff PSA_ALG_RSA_PSS is supported
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:07:07 +02:00
Gilles Peskine 35115f9c1a New algorithm PSA_ALG_RSA_PSS_ANY_SALT
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.

In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).

Changes in this commit:

* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
  PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
  PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
  generate_psa_constant_names).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:06:38 +02:00
Gilles Peskine 95f2324c5e
Merge pull request #4845 from mstarzyk-mobica/ecb-alt-ret-2.2x
Backport 2.2x: Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents
2021-10-14 12:11:04 +02:00
Gilles Peskine 0d3d742a0a Implement PSA_WANT_KEY_TYPE_ARIA
Follow what has been done for CAMELLIA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 18:28:15 +02:00
Gilles Peskine 8890f64338 Add ARIA to the PSA API
Use the encoding from an upcoming version of the specification.

Add as much (or as little) testing as is currently present for Camellia.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 18:28:15 +02:00
Gilles Peskine a4e060b87b
Merge pull request #5000 from mprse/mbedtls_cipher_setup_psa_ECB_2x
Backport 2.x: Fix test gap: mbedtls_cipher_setup_psa() with ECB
2021-10-01 14:49:25 +02:00
Gilles Peskine c79e4abaef Fix typo in comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 20:34:29 +02:00
Gilles Peskine c2779328bf Make MBEDTLS_IGNORE_RETURN configurable
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Gilles Peskine 327cb72e76 Cleaner implementation of MBEDTLS_IGNORE_RETURN
The previous implementation was misparsed in constructs like
`if (condition) MBEDTLS_IGNORE_RETURN(...); else ...;`.

Implement it as an expression, tested with GCC, Clang and MSVC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Gilles Peskine 9110809c46 Fix mistake in the sample implementation of MBEDTLS_CHECK_RETURN
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-30 19:24:36 +02:00
Przemyslaw Stekiel 39f4e75120 Address review comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-30 12:29:27 +02:00
Przemyslaw Stekiel f0fa86eee5 Add PSA support for MBEDTLS_CIPHER_AES_128_ECB
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-30 12:29:22 +02:00
Mateusz Starzyk 15a7420d3c Silence warnings about unused return value
This macro is introduced here for use in deprecated functions. It may also
be useful in user code, so it is in a public header.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:57:33 +02:00
Gilles Peskine 8472a10594 New configuration option MBEDTLS_CHECK_RETURN_WARNING
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)

The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:42:51 +02:00
Gilles Peskine e568ebade1 Use reserved identifier for warn_unused_result
This is normally equivalent, but works even if some other header defines a
macro called warn_unused_result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:41:01 +02:00
Gilles Peskine 6b5c0f0e44 Better default for MBEDTLS_CHECK_RETURN in config.h
An empty expansion is possible, but as documented its effect is to disable
the feature, so that isn't a good example. Instead, use the GCC
implementation as the default: it's plausible that it could work even on
compilers that don't advertise themselves as sufficiently GCC-like to define
__GNUC__, and if not it gives users a concrete idea of what the macro is
supposed to do.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:55 +02:00
Gilles Peskine ce555e4fad Change DES and AES functions to MBEDTLS_CHECK_RETURN_TYPICAL
For all of these functions, the only possible failures are a hardware
accelerator (not possible unless using an ALT implementation), an internal
error or runtime corruption.

Exception: the self-tests, which serve little purpose if their status isn't
tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:45 +02:00
Gilles Peskine ee0a4435f7 Define indirection macros MBEDTLS_CHECK_RETURN_xxx
Define macros MBEDTLS_CHECK_RETURN_CRITICAL, MBEDTLS_CHECK_RETURN_TYPICAL
and MBEDTLS_CHECK_RETURN_OPTIONAL so that we can indicate on a
function-by-function basis whether checking the function's return value is
almost always necessary (CRITICAL), typically necessary in portable
applications but unnecessary in some reasonable cases (TYPICAL), or
typically unnecessary (OPTIONAL).

Update the documentation of MBEDTLS_CHECK_RETURN accordingly. This is split
between the user documentation (Doxygen, in config.h) and the internal
documentation (non-Doxygen, in platform_util.h, of minor importance since
the macro isn't meant to be used directly).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:33 +02:00
Mateusz Starzyk 1ef29fcf47 Add MBEDTLS_CHECK_RETURN description to config.h
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:33 +02:00
Gilles Peskine 377a310da4 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:31 +02:00
Yuto Takano 5b4caf21de Fix typos pointed out by check_names
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-09-27 20:08:01 +02:00
Gilles Peskine 186c0216b0
Merge pull request #4978 from davidhorstmann-arm/2.x-fix-aarch64-asm-constraints
Backport 2.x: Fix aarch64 assembly for bignum multiplication
2021-09-27 09:01:12 +02:00
Manuel Pégourié-Gonnard b52b91d949 Remove warning about PSA Crypto being beta
The API reached 1.0.0 some time ago, and we've caught up with the
incompatible changes already.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-24 20:44:03 +02:00
Manuel Pégourié-Gonnard 00b72fc35f Add docs/use-psa-crypto.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-09-24 20:44:03 +02:00
David Horstmann a23be22308 Fix aarch64 assembly for bignum multiplication
Add memory constraints to the aarch64 inline assembly in MULADDC_STOP.
This fixes an issue where Clang 12 and 13 were generating
non-functional code on aarch64 platforms. See #4962, #4943
for further details.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-09-24 09:47:01 +01:00
Gilles Peskine 02e17c0aa5
Merge pull request #4941 from gilles-peskine-arm/muladdc-amd64-memory-2.x
Backport 2.x: Fix x86_64 assembly for bignum multiplication
2021-09-20 22:23:53 +02:00
Gilles Peskine c6d977eae5 x86_64 MULADDC assembly: add missing constraints about memory
MULADDC_CORE reads from (%%rsi) and writes to (%%rdi). This fragment is
repeated up to 16 times, and %%rsi and %%rdi are s and d on entry
respectively. Hence the complete asm statement reads 16 64-bit words
from memory starting at s, and writes 16 64-bit words starting at d.

Without any declaration of modified memory, Clang 12 and Clang 13 generated
non-working code for mbedtls_mpi_mod_exp. The constraints make the unit
tests pass with Clang 12.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-15 15:47:37 +02:00
Mateusz Starzyk 7d13539d1b Disable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE in default config.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:19:25 +02:00
Mateusz Starzyk b3d344c225 Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES option.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:18:53 +02:00
Hanno Becker c8ac785fc3 Document that returning 0 from the recv callback means EOF
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-08-16 13:00:06 +02:00
Manuel Pégourié-Gonnard f87422f019
Merge pull request #4427 from gilles-peskine-arm/tls_ext_cid-config-2.x
Backport 2.x: Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:50:02 +02:00
Gilles Peskine 7b8571fcb5 New macro MBEDTLS_CHECK_RETURN
Put this macro before a function declaration to indicate that its result
must be checked. This commit supports GCC-like compilers and MSVC >=2012.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-05 13:49:44 +02:00
Gilles Peskine a92a3e9290
Merge pull request #4827 from gilles-peskine-arm/generate_errors-multiline-2.2x
Backport 2.2x: Move MBEDTLS_ERR_xxx Doxygen comments before the definition
2021-08-03 13:46:23 +02:00
Spencer Burke 30dc0b5386 Remove the duplicate code in mbedtls/include/mbedtls/check_config.h
Removing the extra preprocessor directives found within the specified
source file.

Signed-off-by: Spencer Burke <info.spencer.burke@gmail.com>
2021-08-03 09:36:15 +02:00
Gilles Peskine a3974435ea Move MBEDTLS_ERR_xxx Doxygen comments before the definition
Now that descriptions of error codes no longer have to be on the same line
for the sake of generate_errors.pl, move them to their own line before the
definition. This aligns them with what we do for other definitions, and
means that we no longer need to have very long lines containing both the C
definition and the comment.

```
perl -i -pe 's~^(#define +MBEDTLS_ERR_\w+ +-\w+) */\*[*!]<(.*)\*/~/**$2*/\n$1~' include/mbedtls/*.h
```

This commit does not change the output of generate_errors.pl.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-08-02 22:57:46 +02:00
Gilles Peskine 9274d4691d
Merge pull request #4759 from paul-elliott-arm/fix_cipher_output_size_2.x
Backport 2.x: Fix divide by zero if macro used with wrong key type
2021-07-30 18:56:22 +02:00
Paul Elliott c183f20056 Add fix to update output size macro as well.
Same issue with zero block length applies here.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:58:18 +01:00
Paul Elliott 9bc9659cfb Change PSA Cipher macro safety to use block length
Although checking if the key was symmetric was correct, its easier to
read if we just check the block length is not zero before we use it in a
division.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:58:18 +01:00
Yuto Takano 284857ee55 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:30:34 +01:00
Paul Elliott 7fe62cc88b Fix divide by zero if macro used with wrong key
If PSA_CIPHER_ENCRYPT_OUTPUT_SIZE was called on a non symmetric key,
then a divide by zero could happen, as PSA_CIPHER_BLOCK_LENGTH will
return 0 for such a key, and PSA_ROUND_UP_TO_MULTIPLE will divide by
the block length.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-08 11:28:15 +01:00