Commit graph

14040 commits

Author SHA1 Message Date
Fredrik Strupe f90e3019dd Use PSA_ERROR_INVALID_ARGUMENT for invalid cipher input sizes
... as opposed to PSA_ERROR_BAD_STATE.

The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:

"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."

Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.

This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-09-30 12:26:58 +02:00
okhowang(王沛文) 76158ce9b7 Use socklen_t on Android and other POSIX-compliant system
Fixes #2977

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-09-30 16:53:37 +08:00
okhowang(王沛文) 9c46a60e6c Use glibc's getrandom() instead of syscall when glibc > 2.25.
Fixes #3432

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-09-30 16:10:49 +08:00
Gilles Peskine 4bcfe9269f When to write a changelog: minor improvements
Mention sample programs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 09:55:27 +02:00
John Durkop 76228acfb9 Fix typo in define in comment
This fixes error in check-names.sh test.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-29 22:33:49 -07:00
John Durkop 714e3a1318 Minor cleanup to fix errors with some unit tests
With the new feature MBEDTLS_PSA_CRYPTO_CONFIG, needed to
add support that when the feature is disabled, if there
are defines like MBEDTLS_ECDSA_C defined, then the PSA_WANT_
equivalent define is also enabled. This ensures the guards in
the library psa_crypto will work properly.

Also fixed an error return code in the driver wrapper for cipher
encrypt setup so it will properly pass unit tests.

Ensured config.py full works properly with the new
MBEDTLS_PSA_CRYPTO_CONFIG, it should not be set when the full
option is used.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-29 22:07:04 -07:00
Gilles Peskine ece00a0cd0 Explain when to write a changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:16:59 +02:00
Gilles Peskine 3b4edc78df We no longer credit contributors in the changelog
From now on, external contributions are no longer acknowledged in the
changelog file. They of course remain acknowledged in the Git history.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:13:05 +02:00
Gilles Peskine 27ed799109 Remove changelog entries without a user-visible impact
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:11:39 +02:00
Manuel Pégourié-Gonnard 6d6f8a4b97 Clarify descriptions of constant-flow helpers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-28 09:51:41 +02:00
Peter Kolbus ca8b8e7c31 Restore retry in rsa_prepare_blinding()
Starting with commit 49e94e3, the do/while loop in
`rsa_prepare_blinding()` was changed to a `do...while(0)`, which
prevents retry from being effective and leaves dead code.

Restore the while condition to retry, and lift the calls to finish the
computation out of the while loop by by observing that they are
performed only when `mbedtls_mpi_inv_mod()` returns zero.

Signed-off-by: Peter Kolbus <peter.kolbus@garmin.com>
2020-09-25 08:43:57 -05:00
Gilles Peskine 7829748cd4
Merge pull request #3709 from CameronNemo/issue-3524
programs/psa/psa_constant_names_generated.c: commit generated file
2020-09-25 15:23:48 +02:00
Ronald Cron bf4f40883e Rework mbedtls_test_param_failed_get_state_buf()
Rework mbedtls_test_param_failed_get_state_buf() and
its documentation.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-25 10:45:06 +02:00
John Durkop 736eb1de47 Update to VS project file for PSA crypto config
The new header files to support PSA crypto config needed to be
added to the VS project file.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:11:10 -07:00
John Durkop 39e09672a3 Update version_features for new PSA crypto config
The version features library needed updating to support the new
MBEDTLS_PSA_CRYPTO_CONFIG definition.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:09:25 -07:00
John Durkop 2542c21ba8 Add MBEDTLS_PSA_CRYPTO_CONFIG to test program
Since the recent changes required the addition of a new definition
in mbedtls/config.h, we also need to update query_config.c to account
for the new MBEDTLS_PSA_CRYPTO_CONFIG setting.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:06:35 -07:00
Cameron Nemo e18d09de37 fix(programs/psa): commit python3 generated file
Python should not be required for the build when the no_test target is
used. This commit adds the generated file to the source tree and the
check-generated-files script, and removes the generation from (c)make.

Fixes #3524

Signed-off-by: Cameron Nemo <cnemo@tutanota.com>
2020-09-24 20:57:46 -07:00
Gilles Peskine 1803563572 Fix "make -C tests/data_files -f ..."
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-24 16:36:04 +02:00
John Durkop 2dfaf9ca23 Update how MBEDTLS_PSA_CRYPTO_CONFIG is handled
Originally, MBEDTLS_PSA_CRYPTO_CONFIG was being used to allow
inclusion of mbedlts/config_psa.h, but that needed to be updated
so that mbedtls/config_psa.h is always included and the definitions
specific to PSA configuration are now guarded by
MBEDTLS_PSA_CRYPTO_CONFIG. This will allow for the standard setup
to continue working while new PSA configuration items to also work.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop d8959390c5 Add ECDSA support to PSA crypto configuration
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop 7758c858ae Update requires for MBEDTLS_PSA_CRYPTO_DRIVERS
In order to test various PSA crypto settings the Requires section
needed updating to require MBEDTLS_PSA_CRYPTO_C or
MBEDTLS_PSA_CRYPTO_CONFIG.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop 6e33dbe9fd Created infrastructure for MBEDTLS_PSA_CRYPTO_CONFIG
In order to prepare for PSA cryptographic mechanism for conditional
inclusion of various modules, there needs to be some updates to
the mbedtls configuration to enable that feature to work. This initial
set of changes just lays the ground work and future changes will
implement the functional features.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
Gilles Peskine 9b33eb3284
Merge pull request #3705 from ctron/feature/fix_return_code_1
Fix return code expression in pkparse
2020-09-22 18:51:49 +02:00
Jens Reimann 9ad4a33a54 fix return code
Signed-off-by: Jens Reimann <jreimann@redhat.com>
2020-09-22 11:57:16 +02:00
Gilles Peskine 5cb54f7b27
Merge pull request #3542 from gilles-peskine-arm/psa-unified-driver-specs-20200807
PSA unified driver specification: minor updates
2020-09-18 22:53:46 +02:00
Manuel Pégourié-Gonnard 822b3729e7 Remove last use of non-bit operations
According to https://www.bearssl.org/ctmul.html even single-precision
multiplication is not constant-time on some older platforms.

An added benefit of the new code is that it removes the somewhat mysterious
constant 0x1ff - which was selected because at that point the maximum value of
padlen was 256. The new code is perhaps a bit more readable for that reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard 2a59fb45b5 Add explicit cast when truncating values
MSVC complains about it otherwise.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard 6e2a9a7faa Factor repeated code in ssl_cf functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:21 +02:00
Manuel Pégourié-Gonnard 2ddec4306f Use bit operations for constant-flow padding check
The previous code used comparison operators >= and == that are quite likely to
be compiled to branches by some compilers on some architectures (with some
optimisation levels).

For example, take the following function:

void old_update( size_t data_len, size_t *padlen )
{
    *padlen  *= ( data_len >= *padlen + 1 );
}

With Clang 3.8, let's compile it for the Arm v6-M architecture:

% clang --target=arm-none-eabi -march=armv6-m -Os foo.c -S -o - |
    sed -n '/^old_update:$/,/\.size/p'

old_update:
        .fnstart
@ BB#0:
        .save   {r4, lr}
        push    {r4, lr}
        ldr     r2, [r1]
        adds    r4, r2, #1
        movs    r3, #0
        cmp     r4, r0
        bls     .LBB0_2
@ BB#1:
        mov     r2, r3
.LBB0_2:
        str     r2, [r1]
        pop     {r4, pc}
.Lfunc_end0:
        .size   old_update, .Lfunc_end0-old_update

We can see an unbalanced secret-dependant branch, resulting in a total
execution time depends on the value of the secret (here padlen) in a
straightforward way.

The new version, based on bit operations, doesn't have this issue:

new_update:
        .fnstart
@ BB#0:
        ldr     r2, [r1]
        subs    r0, r0, #1
        subs    r0, r0, r2
        asrs    r0, r0, #31
        bics    r2, r0
        str     r2, [r1]
        bx      lr
.Lfunc_end1:
        .size   new_update, .Lfunc_end1-new_update

(As a bonus, it's smaller and uses less stack.)

While there's no formal guarantee that the version based on bit operations in
C won't be translated using branches by the compiler, experiments tend to show
that's the case [1], and it is commonly accepted knowledge in the practical
crypto community that if we want to sick to C, bit operations are the safest
bet [2].

[1] https://github.com/mpg/ct/blob/master/results
[2] https://github.com/veorq/cryptocoding

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:10:33 +02:00
Gilles Peskine 1d9c11081a
Merge pull request #3667 from Jongy/fix-docs
Fix docs to desribe written-into buffer parameter as writable
2020-09-17 00:02:08 +02:00
Janos Follath 2a25904f45
Merge pull request #3568 from hanno-arm/tls13_experimental_key_schedule_1
TLS 1.3: Add HKDF-based key derivation functionality
2020-09-16 11:40:06 +01:00
Hanno Becker 531fe3054c Comment on hardcoding of maximum HKDF key expansion of 255 Bytes
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-16 09:50:17 +01:00
Hanno Becker 61baae7c9f Minor fixes and improvements in TLS 1.3 key schedule documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-16 09:47:47 +01:00
Gilles Peskine dc57c25e30
Merge pull request #3527 from ronald-cron-arm/key-extended-id
PSA key identifiers rework
2020-09-15 16:06:06 +02:00
Gilles Peskine 7107e661b8
Merge pull request #3644 from stevew817/feature/transparent_multipart_driver
Add multipart cipher accelerator support and test driver
2020-09-15 09:51:24 +02:00
Ronald Cron 7424f0d998 psa: Move key identifier related macros and functions
Move key identifier related macros and functions from
crypto_types.h to crypto_values.h as the latter is
the intended file to put them in.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron cb54610e97 Set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in baremetal configuration
No obvious reason to not enable owner identifier encoding
in baremetal as multi-client support is expected to be needed
for some embedded platforms. Thus enable it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron 9a2511e78f Fix key owner identifier documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron 5eba579c6c Remove unnecessary inline definition
Define inline for some compiling environment only
in crypto_platform.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:48:15 +02:00
Steven Cooreman 6d81f7e119 Final feedback from @ronald-cron-arm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman ef8575e1bf Apply review feedback
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
  is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
  the spec says it won't.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman 89e54f2edc Add mock and negative testing to cipher driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman a07b9970c6 Update semantics around driver context use in psa_cipher_setup
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:39 +02:00
Steven Cooreman eca33c60f8 Add testing of fallback to cipher operations
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman fe0ab55c61 Implement one-shot cipher in test driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman e55f3e8de4 Make sure to not call mbedtls_cipher_free on an uninitialised context
As pointed out by Gilles

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman b5e52f2e31 Remove superfluous call in PSA cipher setup
As pointed out by Ronald. The key slot is populated using
get_key_from_slot, and after calling the driver the slot is
validated to not contain an external key, so calling
get_transparent_key is superfluous.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman 16afd3d9b4 Unify cipher setup function inside test driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman 7df0292f5a Check & set operation flags for both driver and software in the core
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:30 +02:00
Steven Cooreman cfeea8fa1e Unify driver context struct handling
Added zeroization of the wrapper context on failure/abort, and reliance on
the crypto core to not call an uninitialised wrapper.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:32:50 +02:00