Commit graph

128 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard f2a7529403 Fix double return statement in cipher.c
This was introduced in ce1ddee13a
2019-02-05 13:13:21 +01:00
Hanno Becker 2169a5e54d PSA: Adapt pk.c, pk_wrap.c, cipher.c to new key policy init API 2019-01-25 14:36:28 +00:00
Hanno Becker 242da1e2c2 PSA: Adapt cipher.c, pk.c, pk_wrap.c to new key slot allocation API 2019-01-25 14:36:28 +00:00
Andrzej Kurek f410a5c251 Fix indentation of documentation 2019-01-23 06:23:31 -05:00
Andrzej Kurek 08dfceaba4 cipher: fixed key ownership scope
Indicate key ownership earlier, so that it gets destroyed on faulty policy setting.
2019-01-23 06:22:42 -05:00
Andrzej Kurek c750932f2c Adapt to the new key allocation mechanism 2019-01-23 06:22:32 -05:00
Hanno Becker 7b05629641 Return 'Feature unavailable' error for ciphers unsupported by PSA 2018-11-22 16:33:01 +00:00
Hanno Becker 1908655231 Use enum for slot state in PSA-based cipher context 2018-11-22 16:33:01 +00:00
Hanno Becker 4ee7e76378 Check support for cipher in mbedtls_cipher_setup_psa()
mbedtls_cipher_setup_psa() should return
MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested
cipher is not supported by PSA, so that the caller can
try the original mbedtls_cipher_setup() instead.

The previous version of mbedtls_cipher_setup_psa(), however,
only attempted to translate the cipher mode (GCM, CCM, CBC,
ChaChaPoly, Stream), but didn't consider the underlying
cipher primitive. Hence, it wouldn't fail when attempting
to setup a cipher context for, say, 3DES-CBC, where CBC
is currently supported by PSA but 3DES isn't.

This commit adds a check to mbedtls_cipher_setup_psa()
for whether the requested cipher primitive is available
in the underlying PSA Crypto implementation, and fails
cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if
it is isn't.
2018-11-22 16:33:01 +00:00
Hanno Becker fe73adee5a Implement PSA-based AEAD enc/dec cipher operations 2018-11-22 16:33:01 +00:00
Hanno Becker 20120b373e Add AEAD tag length to new mbedtls_cipher_setup_psa()
For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.
2018-11-22 16:33:01 +00:00
Hanno Becker a395d8f1e9 Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes
than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`.
The semantics of the PSA Crypto API, in contrast, checks key
usage against the key policy.

As a remedy, this commit modifies the PSA key slot setup to
always allow both encryption and decryption.
2018-11-22 16:33:01 +00:00
Hanno Becker 55e2e3d5cc Implement PSA-based version of mbedtls_cipher_crypt() 2018-11-22 16:33:01 +00:00
Hanno Becker edda8b8830 Implement mbedtls_cipher_setkey() for PSA-based cipher contexts
This commit implements the internal key slot management performed
by PSA-based cipher contexts. Specifically, `mbedtls_cipher_setkey()`
wraps the provided raw key material into a key slot, and
`mbedtls_cipher_free()` destroys that key slot.
2018-11-22 16:33:01 +00:00
Hanno Becker 6118e43d15 Add PSA-specific cipher context 2018-11-22 16:33:01 +00:00
Hanno Becker ce1ddee13a Add psa_enabled field to cipher ctx and add dummy implementations
This field determines whether a cipher context should
use an external implementation of the PSA Crypto API for
cryptographic operations, or Mbed TLS' own crypto library.

The commit also adds dummy implementations for the cipher API.
2018-11-22 16:33:01 +00:00
Hanno Becker 4ccfc40aef Add declaration and dummy-definition of mbedtls_cipher_setup_psa() 2018-11-22 16:33:01 +00:00
Hanno Becker 18597cd3c4 Fix style in cipher.c 2018-11-22 16:33:01 +00:00
Ron Eldor bb4bbbbbb4 Resolve PR review comments
Address review comments:
1. add `mbedtls_cipher_init()` after freeing context, in test code
2. style comments
3. set `ctx->iv_size = 0` in case `IV == NULL && iv_len == 0`
2018-07-23 18:18:35 +01:00
Ron Eldor 4e64e0b922 Fix after PR comments
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
2018-07-23 18:18:32 +01:00
Ron Eldor 7b01244b99 Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
2018-07-23 18:02:09 +01:00
Ron Eldor ab8d58cb2d Move definition of MBEDTLS_CIPHER_MODE_STREAM
Move definition of `MBEDTLS_CIPHER_MODE_STREAM` to header file
(`mbedtls_cipher_internal.h`), because it is used by more than
one file. Raised by TrinityTonic in #1719
2018-07-01 10:20:43 +03:00
Manuel Pégourié-Gonnard 0dadba2b58 Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (182 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-19 11:13:50 +02:00
Jaeden Amero c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Simon Butcher 8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Manuel Pégourié-Gonnard 3dc62a0a9b chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668
2018-06-04 12:18:19 +02:00
Manuel Pégourié-Gonnard 32902e6eae cipher: handle ChaCha20 as a stream cipher
That's what it is. So we shouldn't set a block size != 1.

While at it, move call to chachapoly_update() closer to the one for GCM, as
they are similar (AEAD).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 5ef92d309a chachapoly: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the GCM API that
very comparable to it, so switch to (pointer, len) for consistency.

Note that the crypt_and_tag() and auth_decrypt() functions were already using
the same convention as GCM, so this also increases intra-module consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard fe725defae cipher: use new functions from chachapoly 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Daniel King 16b04ce641 Fix unused function warning under certain configurations.
I refactored some code into the function mbedtls_constant_time_memcmp
in commit 7aad291 but this function is only used by GCM and
AEAD_ChaCha20_Poly1305 to check the tags. So this function is now
only enabled if either of these two ciphers is enabled.
2018-05-24 13:37:31 +02:00
Daniel King 8fe4701abe Add ChaCha20+Poly1305 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King bd92062269 Add ChaCha20 to the Cipher module 2018-05-24 13:37:31 +02:00
Andres Amaya Garcia 1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Andy Leiserson 79e7789d44 return plaintext data faster on unpadded decryption 2018-03-27 10:55:24 -07:00
Micha Kraus ba8316f790 fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2017-12-23 23:40:08 +01:00
Andres Amaya Garcia 6a54336897 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Simon Butcher 327398ad3a Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-05 14:19:18 +01:00
Janos Follath 98e28a74e3 Address user reported coverity issues. 2016-06-09 13:41:28 +01:00
Simon Butcher 88ffc089bc Adds casts to zeroize functions to allow building as C++ 2016-05-23 14:29:32 +01:00
Manuel Pégourié-Gonnard 37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard 6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard 898e0aa210 Rename key_length in cipher_info 2015-06-18 15:31:10 +02:00
Manuel Pégourié-Gonnard b8186a5e54 Rename len to bitlen in function parameters
Clarify a few comments too.
2015-06-18 14:58:58 +02:00
Manuel Pégourié-Gonnard cb46fd8216 Avoid non-standard strcasecmp() 2015-05-29 10:18:09 +02:00
Manuel Pégourié-Gonnard 50518f4195 Rename _wrap headers to _internal
Makes it clearer that the user is not supposed to include them
2015-05-26 11:06:12 +02:00
Manuel Pégourié-Gonnard 8473f87984 Rename cipher_init_ctx() to cipher_setup() 2015-05-14 21:58:34 +02:00
Manuel Pégourié-Gonnard 2cf5a7c98e The Great Renaming
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard 47723147f5 Remove functions deprecated in 1.3 2015-03-20 18:21:12 +00:00