Commit graph

5015 commits

Author SHA1 Message Date
Hanno Becker 94cc26dfa6 Adapt session ticket implementation to removal of peer_cert field 2019-02-26 14:38:09 +00:00
Hanno Becker 2a831a4ba7 Adapt client auth detection in ssl_parse_certificate_verify()
The server expects a CertificateVerify message only if it has
previously received a Certificate from the client.

So far, this was detected by looking at the `peer_cert` field
in the current session. Preparing to remove the latter, this
commit changes this to instead determine the presence of a peer
certificate by checking the new `peer_cert_digest` pointer.
2019-02-26 14:38:09 +00:00
Hanno Becker a1ab9be367 Adapt server-side signature verification to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker a6899bb89d Adapt client-side signature verification to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker be7f50866d Adapt ssl_get_ecdh_params_from_cert() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker c7d7e29b46 Adapt ssl_write_encrypted_pms() to use raw public key
We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
2019-02-26 14:38:09 +00:00
Hanno Becker a27475335a Make a copy of peer's raw public key after verifying its CRT chain
This commit modifies `mbedtls_ssl_parse_certificate()` to store a
copy of the peer's public key after parsing and verifying the peer's
CRT chain.

So far, this leads to heavy memory duplication: We have the CRT chain
in the I/O buffer, then parse (and, thereby, copy) it to a
`mbedtls_x509_crt` structure, and then make another copy of the
peer's public key, plus the overhead from the MPI and ECP structures.

This inefficiency will soon go away to a significant extend, because:
- Another PR adds functionality to parse CRTs without taking
  ownership of the input buffers. Applying this here will allow
  parsing and verifying the peer's chain without making an additional
  raw copy. The overhead reduces to the size of `mbedtls_x509_crt`,
  the public key, and the DN structures referenced in the CRT.
- Once copyless parsing is in place and the removal of the peer CRT
  is fully implemented, we can extract the public key bounds from
  the parsed certificate and then free the entire chain before
  parsing the public key again. This means that we never store
  the parsed public key twice at the same time.
2019-02-26 14:38:09 +00:00
Hanno Becker 75173121fe Add field for peer's raw public key to TLS handshake param structure
When removing the (session-local) copy of the peer's CRT chain, we must
keep a handshake-local copy of the peer's public key, as (naturally) every
key exchange will make use of that public key at some point to verify that
the peer actually owns the corresponding private key (e.g., verify signatures
from ServerKeyExchange or CertificateVerify, or encrypt a PMS in a RSA-based
exchange, or extract static (EC)DH parameters).

This commit adds a PK context field `peer_pubkey` to the handshake parameter
structure `mbedtls_handshake_params_init()` and adapts the init and free
functions accordingly. It does not yet make actual use of the new field.
2019-02-26 14:38:09 +00:00
Hanno Becker 494dd7a6b4 Add raw public key buffer bounds to mbedtls_x509_crt struct
This commit adds an ASN.1 buffer field `pk_raw` to `mbedtls_x509_crt`
which stores the bounds of the raw public key data within an X.509 CRT.

This will be useful in subsequent commits to extract the peer's public
key from its certificate chain.
2019-02-26 14:38:09 +00:00
Hanno Becker a887d1a5b6 Remove peer CRT from cache if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker c966bd16be Remove peer CRT from tickets if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker c5fcbb33c0 Add peer CRT digest to session tickets
This commit changes the format of session tickets to include
the digest of the peer's CRT if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
is disabled.

This commit does not yet remove the peer CRT itself.
2019-02-26 14:38:09 +00:00
Hanno Becker 3dad311ef0 Parse and verify peer CRT chain in local variable
`mbedtls_ssl_parse_certificate()` parses the peer's certificate chain
directly into the `peer_cert` field of the `mbedtls_ssl_session`
structure being established. To allow to optionally remove this field
from the session structure, this commit changes this to parse the peer's
chain into a local variable instead first, which can then either be freed
after CRT verification - in case the chain should not be stored - or
mapped to the `peer_cert` if it should be kept. For now, only the latter
is implemented.
2019-02-26 14:38:09 +00:00
Hanno Becker 177475a3aa Mitigate triple handshake attack by comparing digests only
This paves the way for the removal of the peer CRT chain from
`mbedtls_ssl_session`.
2019-02-26 14:38:09 +00:00
Hanno Becker 6bbd94c4eb Compute digest of peer's end-CRT in mbedtls_ssl_parse_certificate() 2019-02-26 14:38:09 +00:00
Hanno Becker 9198ad1101 Extend mbedtls_ssl_session by buffer holding peer CRT digest 2019-02-26 14:38:09 +00:00
Hanno Becker 8d84fd83ff Update version_features.c 2019-02-26 14:38:09 +00:00
Hanno Becker 8273df8383 Re-classify errors on missing peer CRT
mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires
a certificate, but none is provided. While it is sensible to double-
check this, failure should be reported as an internal error and not
as an unexpected message.
2019-02-26 14:38:09 +00:00
Hanno Becker 0329f75a93 Increase robustness and documentation of ticket implementation 2019-02-26 14:38:09 +00:00
Hanno Becker aee8717877 Simplify session cache implementation via mbedtls_ssl_session_copy() 2019-02-26 14:38:09 +00:00
Hanno Becker 52055ae91f Give ssl_session_copy() external linkage
A subsequent commit will need this function in the session ticket
and session cache implementations. As the latter are server-side,
this commit also removes the MBEDTLS_SSL_CLI_C guard.

For now, the function is declared in ssl_internal.h and hence not
part of the public API.
2019-02-26 14:38:09 +00:00
Hanno Becker c7bd780e02 Allow passing any X.509 CRT chain to ssl_parse_certificate_chain()
This commit modifies the helper `ssl_parse_certificate_chain()` to
accep any target X.509 CRT chain instead of hardcoding it to
`session_negotiate->peer_cert`. This increases modularity and paves
the way towards removing `mbedtls_ssl_session::peer_cert`.
2019-02-26 14:38:09 +00:00
Hanno Becker 6863619a2f Introduce helper function for peer CRT chain verification 2019-02-26 14:38:09 +00:00
Hanno Becker fcd9e71cdf Don't progress TLS state machine on peer CRT chain parsing error 2019-02-26 14:38:09 +00:00
Hanno Becker 77adddc9e9 Make use of macro and helper detecting whether CertRequest allowed
This commit simplifies the client-side code for outgoing CertificateVerify
messages, and server-side code for outgoing CertificateRequest messages and
incoming CertificateVerify messages, through the use of the macro

   `MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED`

indicating whether a ciphersuite allowing CertificateRequest messages
is enabled in the configuration, as well as the helper function

   `mbedtls_ssl_ciphersuite_cert_req_allowed()`

indicating whether a particular ciphersuite allows CertificateRequest
messages.

These were already used in the client-side code to simplify the
parsing functions for CertificateRequest messages.
2019-02-26 14:38:09 +00:00
Hanno Becker 28f2fcd08d Add helper function to check whether a CRT msg is expected
This commit adds a helper function `ssl_parse_certificate_coordinate()`
which checks whether a `Certificate` message is expected from the peer.

The logic is the following:
- For ciphersuites which don't use server-side CRTs, no Certificate
  message is expected (neither for the server, nor the client).
- On the server, no client certificate is expected in the following cases:
  * The server server didn't request a Certificate, which is controlled
    by the `authmode` setting.
  * A RSA-PSK suite is used; this is the only suite using server CRTs
    but not allowing client-side authentication.
2019-02-26 14:38:09 +00:00
Hanno Becker 7177a88a36 Introduce helper function to determine whether suite uses server CRT
This commit introduces a static helper function

   `mbedtls_ssl_ciphersuite_uses_srv_cert()`

which determines whether a ciphersuite may make use of server-side CRTs.

This function is in turn uses in `mbedtls_ssl_parse_certificate()` to
skip certificate parsing for ciphersuites which don't involve CRTs.

Note: Ciphersuites not using server-side CRTs don't allow client-side CRTs
either, so it is safe to guard `mbedtls_ssl_{parse/write}_certificate()`
this way.

Note: Previously, the code uses a positive check over the suites

- MBEDTLS_KEY_EXCHANGE_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECJPAKE,

while now, it uses a negative check over `mbedtls_ssl_ciphersuite_uses_srv_cert()`,
which checks for the suites

- MBEDTLS_KEY_EXCHANGE_RSA
- MBEDTLS_KEY_EXCHANGE_RSA_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA

This is equivalent since, together, those are all ciphersuites.
Quoting ssl_ciphersuites.h:

```
typedef enum {
    MBEDTLS_KEY_EXCHANGE_NONE = 0,
    MBEDTLS_KEY_EXCHANGE_RSA,
    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
    MBEDTLS_KEY_EXCHANGE_PSK,
    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
} mbedtls_key_exchange_type_t;
```
2019-02-26 14:38:09 +00:00
Hanno Becker 2148993900 Use helper macro to detect whether some ciphersuite uses CRTs 2019-02-26 14:38:09 +00:00
Hanno Becker 6bdfab2ccc Unify state machine update in mbedtls_ssl_parse_certificate()
The handler `mbedtls_ssl_parse_certificate()` for incoming `Certificate`
messages contains many branches updating the handshake state. For easier
reasoning about state evolution, this commit introduces a single code-path
updating the state machine at the end of `mbedtls_ssl_parse_certificate()`.
2019-02-26 14:38:09 +00:00
Hanno Becker 7a955a043e Clear peer's CRT chain outside before parsing new one
If an attempt for session resumption fails, the `session_negotiate` structure
might be partially filled, and in particular already contain a peer certificate
structure. This certificate structure needs to be freed before parsing the
certificate sent in the `Certificate` message.

This commit moves the code-path taking care of this from the helper
function `ssl_parse_certificate_chain()`, whose purpose should be parsing
only, to the top-level handler `mbedtls_ssl_parse_certificate()`.

The fact that we don't know the state of `ssl->session_negotiate` after
a failed attempt for session resumption is undesirable, and a separate
issue #2414 has been opened to improve on this.
2019-02-26 14:38:09 +00:00
Hanno Becker 4a55f638e2 Introduce helper to check for no-CRT notification from client
This commit introduces a server-side static helper function
`ssl_srv_check_client_no_crt_notification()`, which checks if
the message we received during the incoming certificate state
notifies the server of the lack of certificate on the client.

For SSLv3, such a notification comes as a specific alert,
while for all other TLS versions, it comes as a `Certificate`
handshake message with an empty CRT list.
2019-02-26 14:38:09 +00:00
Hanno Becker a028c5bbd8 Introduce CRT counter to CRT chain parsing function
So far, we've used the `peer_cert` pointer to detect whether
we're parsing the first CRT, but that will soon be removed
if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset.
2019-02-26 14:38:09 +00:00
Hanno Becker 1294a0b260 Introduce helper function to clear peer CRT from session structure
This commit introduces a helper function `ssl_clear_peer_cert()`
which frees all data related to the peer's certificate from an
`mbedtls_ssl_session` structure. Currently, this is the peer's
certificate itself, while eventually, it'll be its digest only.
2019-02-26 14:38:09 +00:00
Hanno Becker f852b1c035 Break overly long line in definition of mbedtls_ssl_get_session() 2019-02-26 14:38:09 +00:00
Hanno Becker 60848e6574 Don't reuse CRT from initial handshake during renegotiation
After mitigating the 'triple handshake attack' by checking that
the peer's end-CRT didn't change during renegotation, the current
code avoids re-parsing the CRT by moving the CRT-pointer from the
old session to the new one. While efficient, this will no longer
work once only the hash of the peer's CRT is stored beyond the
handshake.

This commit removes the code-path moving the old CRT, and instead
frees the entire peer CRT chain from the initial handshake as soon
as the 'triple handshake attack' protection has completed.
2019-02-26 14:38:09 +00:00
Gilles Peskine 9ab61b603d Fix cleanup in psa_cipher_setup
In some error cases, psa_cipher_setup was leaving a partly-initialized
operation context.
2019-02-26 11:29:17 +01:00
Janos Follath ffbd7e8ff3 Improve mbedtls_ecp_point_read_binary tests
Renamed the tests because they are explicitly testing Curve25519 and
nothing else. Improved test coverage, test documentation and extended
in-code documentation with a specific reference to the standard as well.
2019-02-25 11:49:54 +00:00
Janos Follath 7caf8e452f Add Montgomery points to ecp_point_write_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to export such points.
2019-02-22 15:42:18 +00:00
Janos Follath ab0f71a22a ECDH: Add test vectors for Curve25519
The test vectors added are published in RFC 7748.
2019-02-22 15:42:03 +00:00
Janos Follath e344d0f6fc Add little endian export to Bignum
The function `mbedtls_mpi_write_binary()` writes big endian byte order,
but we need to be able to write little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs ..` to transform the test data to little endian.
2019-02-22 15:41:31 +00:00
Janos Follath 171a7efd02 Add mbedtls_ecp_read_key
The private keys used in ECDH differ in the case of Weierstrass and
Montgomery curves. They have different constraints, the former is based
on big endian, the latter little endian byte order. The fundamental
approach is different too:
- Weierstrass keys have to be in the right interval, otherwise they are
  rejected.
- Any byte array of the right size is a valid Montgomery key and it
  needs to be masked before interpreting it as a number.

Historically it was sufficient to use mbedtls_mpi_read_binary() to read
private keys, but as a preparation to improve support for Montgomery
curves we add mbedtls_ecp_read_key() to enable uniform treatment of EC
keys.

For the masking the `mbedtls_mpi_set_bit()` function is used. This is
suboptimal but seems to provide the best trade-off at this time.
Alternatives considered:
- Making a copy of the input buffer (less efficient)
- removing the `const` constraint from the input buffer (breaks the api
and makes it less user friendly)
- applying the mask directly to the limbs (violates the api between the
modules and creates and unwanted dependency)
2019-02-22 15:39:03 +00:00
Janos Follath 59b813c7be Add Montgomery points to ecp_point_read_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to import such points.
2019-02-22 15:38:46 +00:00
Janos Follath a778a94b7d Add little endian import to Bignum
The function `mbedtls_mpi_read_binary()` expects big endian byte order,
but we need to be able to read from little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs .. | tr [a-z] [A-Z]` to transform the test data
to little endian and `echo "ibase=16;xx" | bc` to convert to decimal.
2019-02-22 15:38:32 +00:00
Jaeden Amero 86016a03a1 Merge remote-tracking branch 'origin/pr/2338' into development 2019-02-22 12:55:30 +00:00
Gilles Peskine 3081629de4 Fix mbedtls_ecdh_get_params with new ECDH context
The new check for matching groups in mbedtls_ecdh_get_params only worked
with legacy ECDH contexts. Make it work with the new context format.
2019-02-22 13:04:23 +01:00
Gilles Peskine 43f564f29d Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h
Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h instead of hard-coding
this in ecdh.h so that its absence can be tested. Document it as
experimental so that we reserve the right to change it in the future.
2019-02-22 13:04:20 +01:00
Jaeden Amero 461bd3dcca Merge remote-tracking branch 'origin/pr/2454' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero 9f47f82218 Merge remote-tracking branch 'origin/pr/2391' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero 8963b0311c Merge remote-tracking branch 'origin/pr/2411' into development 2019-02-22 10:32:44 +00:00
Gilles Peskine 0b1b71d712 Fix ecdh_get_params with mismatching group
If mbedtls_ecdh_get_params is called with keys belonging to
different groups, make it return an error the second time, rather than
silently interpret the first key as being on the second curve.

This makes the non-regression test added by the previous commit pass.
2019-02-22 10:21:46 +01:00
Jaeden Amero bf61ca7a04
Merge pull request #58 from Patater/disallow-invalid-context
Disallow use of invalid contexts
2019-02-21 17:37:04 +00:00
Jaeden Amero e236c2a13c psa: Don't abort when operations are invalid
In places where we detect a context is in a bad state and there is no
sensitive data to clear, simply return PSA_ERROR_BAD_STATE and don't
abort on behalf of the application. The application will choose what to
do when it gets a bad state error.

The motivation for this change is that an application should decide what
to do when it misuses the API and encounters a PSA_ERROR_BAD_STATE
error. The library should not attempt to abort on behalf of the
application, as that may not be the correct thing to do in all
circumstances.
2019-02-20 17:38:25 +00:00
Jaeden Amero 36ee5d0fbf psa: Disallow repeated setup
Calling psa_*_setup() twice on a MAC, cipher, or hash context should
result in a PSA_ERROR_BAD_STATE error because the operation has already
been set up.

Fixes #10
2019-02-20 15:27:41 +00:00
Jaeden Amero a0f625ac9a psa: Disallow use of invalid hash contexts
If a hash context has not been set up, fail with PSA_ERROR_BAD_STATE as
documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero ab43997f44 psa: Disallow use of invalid cipher contexts
Ensure that when doing cipher operations out of order,
PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA
Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero 252ef28dac psa: Disallow use of invalid MAC contexts
Ensure that when doing MAC operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero 93e21119b7 psa: Be compatible with deprecated constants
In case the new constants aren't available yet in Mbed TLS, continue to
use the deprecated constants if they are available.
2019-02-20 13:59:05 +00:00
Jaeden Amero 72f40c6686
Merge pull request #59 from gilles-peskine-arm/psa-its-64_bit_internal_key_id
Support key file IDs encoding the key owner
2019-02-20 13:45:12 +00:00
Gilles Peskine 572f067205 PSA crypto service: encode the key owner (ITS backend only)
When building for the PSA crypto service (defined(PSA_CRYPTO_SECURE)),
define psa_key_owner_id_t as int32_t, which is how a PSA platform
encodes partition identity. Note that this only takes effect when the
build option MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is active.

Support this configuration in the ITS backend.
2019-02-20 12:52:09 +01:00
Gilles Peskine 69d7c8b2d7 Declare a psa_key_file_id_t layout with an owner field
Declare the owner as psa_key_owner_id_t, of which an implementation
must be provided separately.

Make this a configuration option
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER, to make the conditional
compilation flow easier to follow. Declare it in config.h to
pacify check_names.sh.

Support for a specific implementation of psa_key_owner_id_t in storage
backends will come in a subsequent commit.
2019-02-20 12:52:09 +01:00
Gilles Peskine 5b229a06f4 Support encoding an owner in key file IDs
Differentiate between _key identifiers_, which are always `uint32_t`,
and _key file identifiers_, which are platform-dependent. Normally,
the two are the same.

In `psa/crypto_platform.h`, define `psa_app_key_id_t` (which is always
32 bits, the standard key identifier type) and
`psa_key_file_id_t` (which will be different in some service builds).
A subsequent commit will introduce a platform where the two are different.

It would make sense for the function declarations in `psa/crypto.h` to
use `psa_key_file_id_t`. However this file is currently part of the
PSA Crypto API specification, so it must stick to the standard type
`psa_key_id_t`. Hence, as long as the specification and Mbed Crypto
are not separate, use the implementation-specific file
`psa/crypto_platform.h` to define `psa_key_id_t` as `psa_key_file_id_t`.

In the library, systematically use `psa_key_file_id_t`.

    perl -i -pe 's/psa_key_id_t/psa_key_file_id_t/g' library/*.[hc]
2019-02-20 12:52:07 +01:00
Gilles Peskine e988a66b5b Fix PSA_MAX_PERSISTENT_KEY_IDENTIFIER to mean what it says
PSA_MAX_PERSISTENT_KEY_IDENTIFIER was actually one plus the maximum
key identifier. Change it to be the maximum value, and change the code
that uses it accordingly.

There is no semantic change here (the maximum value hasn't changed).
This commit only makes the implementation clearer.
2019-02-20 12:51:37 +01:00
Gilles Peskine c8569bc5c2 Move key id validity check into its own function 2019-02-20 12:51:34 +01:00
Jaeden Amero 3497323f79 Initialize PSA Crypto operation contexts
It is now required to initialize PSA Crypto operation contexts before
calling psa_*_setup(). Otherwise, one gets a PSA_ERROR_BAD_STATE error.
2019-02-20 10:58:55 +00:00
Jaeden Amero fe96fbec2c Initialize PSA Crypto operation contexts
It is now required to initialize PSA Crypto operation contexts before
calling psa_*_setup(). Otherwise, one gets a PSA_ERROR_BAD_STATE error.
2019-02-20 10:51:42 +00:00
Hanno Becker 26d02e1327 Add more missing parentheses around macro parameters 2019-02-19 17:59:57 +00:00
Hanno Becker 818bac55ef Add further missing brackets around macro parameters 2019-02-19 17:59:57 +00:00
Hanno Becker 1eeca41472 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-02-19 17:59:00 +00:00
itayzafrir 7723ab1739 Add common header for crypto service integration 2019-02-19 15:09:14 +02:00
itayzafrir 7132dd9796 Prepare support for 64 bit key ids in a PSA system.
Preparation for type separation between SPE and NSPE.
2019-02-19 15:08:07 +02:00
Jaeden Amero cf2010cf58 psa: Check generator validity before read
Check generator validity (i.e. that alg has been initialized) before
allowing reads from the generator or allowing reads of the generator's
capacity.

This aligns our implementation with the documented error code behavior
in our crypto.h and the PSA Crypto API.
2019-02-18 17:05:50 +00:00
Hanno Becker 0a94a64bbd Add debugging output to confirm that PSA was used for ECDHE 2019-02-18 16:42:02 +00:00
Hanno Becker c14a3bb5a6 Make variable in ssl_write_client_key_exchange() more descriptive 2019-02-18 16:42:02 +00:00
Hanno Becker 4a63ed421c Implement ClientKeyExchange writing in PSA-based ECDHE suites
- Populate the ECDH private key slot with a fresh private EC key
  designated for the correct algorithm.
- Export the public part of the ECDH private key from PSA and
  reformat it to suite the format of the ClientKeyExchange message.
- Perform the PSA-based ECDH key agreement and store the result
  as the premaster secret for the connection.
2019-02-18 16:42:01 +00:00
Hanno Becker bb89e2727f Implement ServerKeyExchange parsing for PSA-based ECDHE suites
- Reformat the server's ECDH public key to make it suitable
  for the PSA key agreement API. Currently, the key agreement
  API needs a full SubjectPublicKeyInfo structure, while the
  TLS ServerKeyExchange message only contains a ECPoint structure.
2019-02-18 16:42:01 +00:00
Jaeden Amero 9654e11b1d
Merge pull request #55 from davidsaada/david_its_ps_err_codes
Modify PSA related error codes and types
2019-02-18 15:39:27 +00:00
David Saada a2523b2c6d Replace ITS specific types with more generic PSA storage types
PSA spec now defines more generic PSA storage types instead of the ITS
specific ones. This is necessary in order to integrate with
the newer implementation of PSA ITS landing in Mbed OS soon.
Changes include the following:
- psa_status_t replaces psa_its_status_t
- psa_storage_info_t replaces psa_its_info_t
- psa_storage_uid_t replaces psa_its_uid_t
2019-02-18 13:56:26 +02:00
David Saada b4ecc27629 Replace PSA error code definitions with the ones defined in PSA spec 2019-02-18 13:53:13 +02:00
k-stachowiak 28cb6fbd47 Unbump version to 0.0.0 2019-02-18 12:01:03 +01:00
Jaeden Amero db29ab528a psa: Fix builds without MBEDTLS_PLATFORM_C
When `MBEDTLS_PLATFORM_C` is not enabled, our PSA Crypto implementation
depends on the standard C library for functions like snprintf() and
exit(). However, our implementation was not including the proper header
files nor redefining all `mbedtls_*` symbols properly to ensure
successful builds without MBEDTLS_PLATFORM_C. Add the necessary header
files and macro definitions to our PSA Crypto implementation.
2019-02-14 16:01:14 +00:00
Jaeden Amero 892cd6df70 psa: Use new generic error codes
Mbed TLS has deprecated a few module specific error codes in favor of
more general-purpose or cross-module error codes. Use these new error
codes instead of the deprecated error codes.
2019-02-14 16:01:14 +00:00
Jaeden Amero 67ea2c5e6d Merge branch 'development-psa-proposed' into development
Resolve conflicts by performing the following.

- Take the upstream Mbed TLS ChangeLog verbatim.
- Reject changes to Makefiles and CMake that are related to using Mbed
  Crypto as a submodule. It doesn't make sense to use Mbed Crypto as a
  submodule of itself.
- Reject README changes, as Mbed Crypto has its own, different README.
- Reject PSA-related changes to config.h. We don't want to disable the
  availability of the PSA Crypto API by default in the Mbed Crypto
  config.h.
- Don't inadvertently revert dead code removal in
  mbedtls_cipher_write_tag() which was added in f2a7529403 ("Fix
  double return statement in cipher.c")
- Where Mbed Crypto already had some MBEDTLS_USE_PSA_CRYPTO code (from
  past companion PRs) take the latest version from Mbed TLS which
  includes integration with MBEDTLS_CHECK_PARAMS.
- Update the version of the shared library files to match what's
  currently present in Mbed TLS.
- Reject removal of testing with PSA from config full tests.
- Resolve conflicts in test tests/suites/helpers.function, where both
  Mbed Crypto and Mbed TLS both added documentation for TEST_ASSERT.
  Combine text from both documentation efforts.
- Reject adding a submodule of ourselves.
- Reject addition of submodule tests in all.sh.
- Reject addition of submodule to library path in
  tests/scripts/run-test-suites.pl.
- Avoid using USE_CRYPTO_SUBMODULE=1 in
  component_test_use_psa_crypto_full_cmake_asan() in all.sh.
2019-02-14 15:58:43 +00:00
Ron Eldor 3467dcf452 Use certificates from data_files and refer them
Use the server certificate from `data_files` folder, for formality,
and refer to the source, for easier reproduction.
2019-02-12 15:30:26 +02:00
Darryl Green 8096cafa94 Only zeroize buffer if the buffer length is non-zero 2019-02-11 14:03:03 +00:00
Darryl Green 8593bca7f8 Allow NULL buffers in psa_copy_key_material when the key size is zero 2019-02-11 13:26:36 +00:00
Jaeden Amero 6f7703df3a rsa: Enable use of zero-length null output
Enable handling of zero-length null output in PKCS1 v1.5 decryption.
Prevent undefined behavior by avoiding a memcpy() to zero-length null
output buffers.
2019-02-11 03:39:51 -05:00
Gilles Peskine 004f87b98d RSA encryption: accept input=NULL if ilen=0
In mbedtls_rsa_rsaes_oaep_encrypt and
mbedtls_rsa_rsaes_pkcs1_v15_encrypt, if the input length is 0 (which
is unusual and mostly useless, but permitted) then it is fine for the
input pointer to be NULL. Don't return an error in this case.

When `input` is NULL, `memcpy( p, input, ilen )` has undefined behavior
even if `ilen` is zero. So skip the `memcpy` call in this case.
Likewise, in `mbedtls_rsa_rsaes_oaep_decrypt`, skip the `memcpy` call if
`*olen` is zero.
2019-02-11 03:39:21 -05:00
Hanno Becker 46f34d0ac0 Fix style issue and wording 2019-02-08 14:26:41 +00:00
Hanno Becker c1e18bdf06 Fix memory leak 2019-02-08 14:26:41 +00:00
Hanno Becker e2734e2be4 Improve formatting of ssl_parse_certificate_chain() 2019-02-08 14:26:41 +00:00
Hanno Becker 84879e32ef Add compile-time guards around helper routine 2019-02-08 14:26:41 +00:00
Hanno Becker def9bdc152 Don't store the peer CRT chain twice during renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).
During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit removes the simultaneous presence of two peer CRT chains
in memory during renegotiation, in the following way:
- Unlike in the case of SessionTickets handled in the previous commit,
  we cannot simply free the peer's CRT chain from the previous handshake
  before parsing the new one, as we need to verify that the peer's end-CRT
  hasn't changed to mitigate the 'Triple Handshake Attack'.
- Instead, we perform a binary comparison of the original peer end-CRT
  with the one presented during renegotiation, and if it succeeds, we
  avoid re-parsing CRT by moving the corresponding CRT pointer from the
  old to the new session structure.
- The remaining CRTs in the peer's chain are not affected by the triple
  handshake attack protection, and for them we may employ the canonical
  approach of freeing them before parsing the remainder of the new chain.

Note that this commit intends to not change any observable behavior
of the stack. In particular:
- The peer's CRT chain is still verified during renegotiation.
- The tail of the peer's CRT chain may change during renegotiation.
2019-02-08 14:26:41 +00:00
Hanno Becker b2964cbe14 SSL/TLS client: Remove old session ticket on renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).

During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit starts removing this memory inefficiency by freeing the old
session's SessionTicket before the one for the new session is allocated.
2019-02-08 14:26:41 +00:00
Hanno Becker 1a65dcd44f Add a new X.509 API call for copy-less parsing of CRTs
Context:
The existing API `mbedtls_x509_parse_crt_der()` for parsing DER
encoded X.509 CRTs unconditionally makes creates a copy of the
input buffer in RAM. While this comes at the benefit of easy use,
-- specifically: allowing the user to free or re-use the input
buffer right after the call -- it creates a significant memory
overhead, as the CRT is duplicated in memory (at least temporarily).
This might not be tolerable a resource constrained device.

As a remedy, this commit adds a new X.509 API call

   `mbedtls_x509_parse_crt_der_nocopy()`

which has the same signature as `mbedtls_x509_parse_crt_der()`
and almost the same semantics, with one difference: The input
buffer must persist and be unmodified for the lifetime of the
established instance of `mbedtls_x509_crt`, that is, until
`mbedtls_x509_crt_free()` is called.
2019-02-08 14:24:58 +00:00
Jaeden Amero fb236739da Revert "Forbid passing NULL input buffers to RSA encryption routines"
Resolve incompatibilties in the RSA module where changes made for
parameter validation prevent Mbed Crypto from working. Mbed Crypto
depends on being able to pass zero-length buffers that are NULL to RSA
encryption functions.

This reverts commit 2f660d047d.
2019-02-08 08:43:31 -05:00
Jaeden Amero 2a0f48ae1f
Merge pull request #43 from Patater/update-2.16-dev
Update to a development version of Mbed TLS 2.16.0
2019-02-08 08:13:41 +00:00
Andrzej Kurek 3c2b15d31e Update version_features file 2019-02-08 02:38:45 -05:00
Jaeden Amero 6fd4ee2af1
Merge pull request #20 from gilles-peskine-arm/psa-copy_key
New function psa_copy_key
2019-02-07 15:40:42 +00:00
Jaeden Amero 4728469f53 rsa: Re-enable use of zero-length null output
After merging the latest RSA implementation from Mbed TLS, we have a
regression in that we no longer properly handle zero-length null output
in PKCS1 v1.5 decryption. Prevent undefined behavior by avoiding a
memcpy() to zero-length null output buffers.
2019-02-07 12:19:59 +00:00
Jaeden Amero 68933640f5 Merge commit '01b34fb316a5' into development
Merge a development version of Mbed TLS 2.16.0 that doesn't have
parameter validation into development.

The following conflicts were resolved:

- Update ChangeLog to include release notes merged from development so
  far, with a version of "2.14.0+01b34fb316a5" and release date of
  "xxxx-xx-xx" to show this is not a released version, but instead a
  snapshot of the development branch equivalent to version of the 2.14.0
  with additional commits from the mbedtls/development branch up through
  01b34fb316 included. Entries added for unreleased versions of Mbed
  Crypto remain at the top of the file for Mbed TLS 2.xx.x.
- Replace the Mbed Crypto version of
  mbedtls_rsa_rsaes_pkcs1_v15_decrypt() with the version from Mbed TLS
  which fixes timing variations and memory access variations that could
  lead to a Bleichenbacher-style padding oracle attack. This will
  prevent using psa_asymmetric_decrypt() with zero-length output buffers
  until a follow up commit is made to restore this capability.
- In ssl_srv.c, include changes for both the new ECDH interface and
  opaque PSK as already added to development previously.
2019-02-07 12:19:59 +00:00
Manuel Pégourié-Gonnard f2a7529403 Fix double return statement in cipher.c
This was introduced in ce1ddee13a
2019-02-05 13:13:21 +01:00
Andrzej Kurek 8a2e97c2df Merge development-psa commit 80b5662 into development-psa-merged branch
Adjust crypto submodule version to use new, forked crypto version accordingly.
2019-02-05 06:02:51 -05:00
Andrzej Kurek d142856846 cipher: remove unnecessary precondition
Already checked by parameter validation macros
2019-02-05 05:11:03 -05:00
Andrzej Kurek efed323698 pk: restructure precondition check 2019-02-05 05:09:05 -05:00
Jaeden Amero 80b566267f Merge remote-tracking branch 'origin/pr/2386' into development-psa 2019-02-04 16:42:23 +00:00
Jaeden Amero d18b264eaf Merge remote-tracking branch 'origin/pr/2382' into development-psa 2019-02-04 16:41:46 +00:00
Jaeden Amero 65408c5f92 Merge remote-tracking branch 'origin/pr/2355' into development-psa 2019-02-04 16:41:12 +00:00
Hanno Becker 23cfea01e8 Improve documentation of mbedtls_mpi_write_string() 2019-02-04 09:45:07 +00:00
Hanno Becker c983c81a23 Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
This can only occur for negative numbers. Fixes #2404.
2019-02-01 16:41:30 +00:00
Jaeden Amero acdf07c033
Merge pull request #41 from hanno-arm/ec_pubkey_fmt_fixes
Make further adaptations to new EC public key format
2019-02-01 13:05:48 +00:00
Andrzej Kurek de5a007316 Merge development commit f352f7 into development-psa 2019-02-01 07:03:03 -05:00
Hanno Becker 9acfd730ed Adapt mbedtls_pk_write_pubkey_der() to the new PSA public key format
Context: There are two public key writing functions in Mbed TLS. First,
mbedtls_pk_write_pubkey(), which exports a public key in the form of a
SubjectPublicKey structure containing the raw keying material
(for example, EC point coordinates for an EC public key, without
reference to the underlying curve). Secondly, mbedtls_pk_write_pubkey_der(),
which exports a public key in the form of a SubjectPublicKeyInfo structure,
wrapping the SubjectPublicKey structure by additional information
identifying the type of public key (and for ECC, e.g., it'd also contain
the ECC group identifier). The implementation of mbedtls_pk_write_pubkey_der()
calls mbedtls_pk_write_pubkey() first and then adds the corresponding
algorithm identifier wrapper.

Both of these functions need to be provided for PSA-based opaque PK contexts,
based on PSA's public key export function.

Previously, PSA used the SubjectPublicKeyInfo structure as its export format,
so mbedtls_pk_write_pubkey_der() could be easily implemented, while
mbedtls_pk_write_pubkey() would need to trim the output of the PSA export.

The previous implementation of mbedtls_pk_write_pubkey() is not quite right
because it calls PSA export doesn't do any trimming, hence exporting the large
SubjectPublicKeyInfo structure instead of the small SubjectPublicKey.
mbedtls_pk_write_pubkey_der(), in turn, immediately returns after calling
mbedtls_pk_write_pubkey(), hence also returning the SubjectPublicKeyInfo
structure, which is correct.

By now, the PSA public key export format has changed to the smaller
SubjectPublicKey structure. This means that, now, mbedtls_pk_write_pubkey()
can be implemented by just calling the PSA export, and that
mbedtls_pk_write_pubkey_der() needs to add the algorithm information around
it, just as in the other types of PK contexts. While not correct for the
old format, the existing code for mbedtls_pk_write_pubkey() is therefore
correct for the new PSA public key format, and needs no change apart from
the missing pointer shift in the last commit.

The implementation of mbedtls_pk_write_pubkey_der() needs a special code
path for PSA-based opaque PK contexts, as the PK context only contains
the PSA key handle, and the PSA API needs to be used to extract the
underlying EC curve to be able to write the AlgorithmParameter structure
that's part of the SubjectPublicKeyInfo structure.

That's what this commit does, (hopefully) making both
mbedtls_pk_write_pubkey() and mbedtls_pk_write_pubkey_der() export
the correctly formatted public key based on the new PSA public key format.
2019-02-01 11:56:37 +00:00
Hanno Becker 65935d90c9 Add missing include to library/pkwrite.c 2019-02-01 11:55:03 +00:00
Hanno Becker cd0f276cee Update pointer in PSA-based mbedtls_pk_write_pubkey() 2019-02-01 11:52:58 +00:00
Hanno Becker 493c171a1c Adapt mbedtls_pk_write_pubkey_der() to the new PSA public key format
Context: There are two public key writing functions in Mbed TLS. First,
mbedtls_pk_write_pubkey(), which exports a public key in the form of a
SubjectPublicKey structure containing the raw keying material
(for example, EC point coordinates for an EC public key, without
reference to the underlying curve). Secondly, mbedtls_pk_write_pubkey_der(),
which exports a public key in the form of a SubjectPublicKeyInfo structure,
wrapping the SubjectPublicKey structure by additional information
identifying the type of public key (and for ECC, e.g., it'd also contain
the ECC group identifier). The implementation of mbedtls_pk_write_pubkey_der()
calls mbedtls_pk_write_pubkey() first and then adds the corresponding
algorithm identifier wrapper.

Both of these functions need to be provided for PSA-based opaque PK contexts,
based on PSA's public key export function.

Previously, PSA used the SubjectPublicKeyInfo structure as its export format,
so mbedtls_pk_write_pubkey_der() could be easily implemented, while
mbedtls_pk_write_pubkey() would need to trim the output of the PSA export.

The previous implementation of mbedtls_pk_write_pubkey() is not quite right
because it calls PSA export doesn't do any trimming, hence exporting the large
SubjectPublicKeyInfo structure instead of the small SubjectPublicKey.
mbedtls_pk_write_pubkey_der(), in turn, immediately returns after calling
mbedtls_pk_write_pubkey(), hence also returning the SubjectPublicKeyInfo
structure, which is correct.

By now, the PSA public key export format has changed to the smaller
SubjectPublicKey structure. This means that, now, mbedtls_pk_write_pubkey()
can be implemented by just calling the PSA export, and that
mbedtls_pk_write_pubkey_der() needs to add the algorithm information around
it, just as in the other types of PK contexts. While not correct for the
old format, the existing code for mbedtls_pk_write_pubkey() is therefore
correct for the new PSA public key format, and needs no change apart from
the missing pointer shift in the last commit.

The implementation of mbedtls_pk_write_pubkey_der() needs a special code
path for PSA-based opaque PK contexts, as the PK context only contains
the PSA key handle, and the PSA API needs to be used to extract the
underlying EC curve to be able to write the AlgorithmParameter structure
that's part of the SubjectPublicKeyInfo structure.

That's what this commit does, (hopefully) making both
mbedtls_pk_write_pubkey() and mbedtls_pk_write_pubkey_der() export
the correctly formatted public key based on the new PSA public key format.
2019-02-01 10:25:25 +00:00
Hanno Becker 4fb8db23b9 Update pointer in PSA-based mbedtls_pk_write_pubkey() 2019-02-01 09:57:20 +00:00
Andrzej Kurek f093a3dc61 Use ecdh_setup instead of ecp_group_load
Align files with development to ensure the same state of repositories.
2019-02-01 02:50:36 -05:00
Peter Kolbus e6bcad3f79 Fix DEADCODE in mbedtls_mpi_exp_mod()
In mbedtls_mpi_exp_mod(), the limit check on wsize is never true when
MBEDTLS_MPI_WINDOW_SIZE is at least 6. Wrap in a preprocessor guard
to remove the dead code and resolve a Coverity finding from the
DEADCODE checker.

Change-Id: Ice7739031a9e8249283a04de11150565b613ae89
2019-01-31 19:37:51 -06:00
Andrzej Kurek c470b6b021 Merge development commit 8e76332 into development-psa
Additional changes to temporarily enable running tests:
ssl_srv.c and test_suite_ecdh use mbedtls_ecp_group_load instead of
mbedtls_ecdh_setup
test_suite_ctr_drbg uses mbedtls_ctr_drbg_update instead of 
mbedtls_ctr_drbg_update_ret
2019-01-31 08:20:20 -05:00
Jaeden Amero f352f75f6b Merge remote-tracking branch 'origin/pr/2332' into development 2019-01-30 15:53:00 +00:00
Jaeden Amero 91af329a55 Merge remote-tracking branch 'origin/pr/2214' into development 2019-01-30 15:08:25 +00:00
Jaeden Amero 14eca249f1 Merge remote-tracking branch 'origin/pr/2213' into development 2019-01-30 15:01:20 +00:00
Jaeden Amero dac9f45e5a Merge remote-tracking branch 'origin/pr/1551' into development 2019-01-30 13:24:55 +00:00
Jaeden Amero e6e2686cf8 Merge remote-tracking branch 'origin/pr/2055' into development
Resolve conflicts in ctr_drbg.c where zeroization had been added upon
exit.
2019-01-30 13:23:03 +00:00
Jaeden Amero 730ecdf3b1 Merge remote-tracking branch 'origin/pr/2371' into development 2019-01-30 13:15:40 +00:00
Andrzej Kurek 2ad229725c ssl_tls: add psa_hash_abort when reseting checksum 2019-01-30 03:32:12 -05:00
Andrzej Kurek 972fba51ed ssl_tls: rename sha_512_psa to sha_384_psa 2019-01-30 03:29:12 -05:00
Andrzej Kurek eb342241a5 ssl_tls: use PSA to compute running handshake hash for TLS 1.2 2019-01-29 09:14:33 -05:00
Jaeden Amero 472c20b4f2
Merge pull request #28 from hanno-arm/ec_pubkey_fmt_adapt_ecdsa_verify_wrap
Adapt ECDSA wrapper to new EC public key format
2019-01-29 10:01:50 +00:00
Hanno Becker ccf574e030 Fix outdated comment in ecdsa_verify_wrap() 2019-01-29 08:26:15 +00:00
Hanno Becker d288494c3a Fix outdated comment in ecdsa_verify_wrap() 2019-01-29 08:21:24 +00:00
Andrzej Kurek 2d4faa6afa ssl_tls: remove redundant status check 2019-01-29 03:14:15 -05:00
Jaeden Amero fa6f146bba
Merge pull request #30 from orenc17/its_update
Use new ITS uid type
2019-01-28 13:41:58 +00:00
Gilles Peskine 122d002912 Fix memory leak in psa_copy_key 2019-01-28 14:41:11 +01:00
Gilles Peskine f603c718c9 New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-28 14:41:11 +01:00
Jaeden Amero 43bafcca94
Merge pull request #15 from gilles-peskine-arm/psa-signature_policy_wildcard
Support wildcard hash in signature policies
2019-01-28 13:31:14 +00:00
Andrzej Kurek 2f76075b78 ssl_tls: adjust to the new key policy initialization and key allocation 2019-01-28 08:08:15 -05:00
Oren Cohen 231bf5b693 Use new ITS uid type
ITS switched from using uint32_t to psa_its_uid_t (uint64_t)
2019-01-28 14:51:50 +02:00
Andrzej Kurek ac5dc3423a Fix key allocation for tls_prf_generic 2019-01-28 07:49:56 -05:00
Andrzej Kurek 3317126819 ssl_tls: add missing return brackets 2019-01-28 07:49:56 -05:00
Andrzej Kurek 70737ca827 ssl_tls: add key destruction upon generator failure 2019-01-28 07:49:56 -05:00
Andrzej Kurek c929a82a6b Implement tls_prf_generic using the PSA API 2019-01-28 07:49:56 -05:00
Jaeden Amero d46548c833
Merge pull request #23 from orenc17/its_update
Update usage of PSA ITS to comply with v1.0
2019-01-28 12:06:26 +00:00
Andrzej Kurek 5615dabeef ssl_tls: remove line breaks from a debug message 2019-01-28 07:04:19 -05:00
Andrzej Kurek e85414edd0 ssl-opt: add a check for PSA computation of digest of ServerKeyExchange 2019-01-28 07:04:19 -05:00
Andrzej Kurek 814feffd15 Whitespace, logging and documentation fixes
Introduce a psa_status_t status to handle return values.
Add a debug message with API usage description.
2019-01-28 07:04:19 -05:00
Andrzej Kurek d6db9be598 Adapt mbedtls_ssl_get_key_exchange_md_tls1_2 to PSA hashing 2019-01-28 07:04:19 -05:00
Hanno Becker a98511164f Adapt ecdsa_verify_wrap() to new EC public key format
Previously, PSA used SubjectPublicKeyInfo structures to serialize EC public keys.
This has recently been changed to using ECPoint structures instead, but the wrapper
making PSA ECDSA verification available through Mbed TLS' PK API hasn't yet been
adapted accordingly - which is what this commit does.

Luckily, Mbed TLS' PK API offers two functions mbedtls_pk_write_pubkey()
and mbedtls_pk_write_pubkey_der(), the latter exporting a SubjectPublicKeyInfo
structure and the former exporting an ECPoint structure in case of EC public
keys. For the adaptation of the ECDSA wrapper ecdsa_verify_wrap() it is therefore
sufficient to use mbedtls_pk_write_pubkey() instead of mbedtls_pk_write_pubkey_der().
2019-01-28 11:45:19 +00:00
Hanno Becker 5d5e90a610 Adapt ecdsa_verify_wrap() to new EC public key format
Previously, PSA used SubjectPublicKeyInfo structures to serialize EC public keys.
This has recently been changed to using ECPoint structures instead, but the wrapper
making PSA ECDSA verification available through Mbed TLS' PK API hasn't yet been
adapted accordingly - which is what this commit does.

Luckily, Mbed TLS' PK API offers two functions mbedtls_pk_write_pubkey()
and mbedtls_pk_write_pubkey_der(), the latter exporting a SubjectPublicKeyInfo
structure and the former exporting an ECPoint structure in case of EC public
keys. For the adaptation of the ECDSA wrapper ecdsa_verify_wrap() it is therefore
sufficient to use mbedtls_pk_write_pubkey() instead of mbedtls_pk_write_pubkey_der().
2019-01-28 11:41:37 +00:00
Jaeden Amero 37a8c0c144
Merge pull request #27 from hanno-arm/crypto_submodule_update_prs_6_18_19_sibling
PSA integration sibling: Update crypto submodule (Hash clone, Key Policy Init, Key slot alloc)
2019-01-28 11:33:28 +00:00
Manuel Pégourié-Gonnard 430a66f19a Fix backwards config dependency on oid.c
The file oid.c had conditional inclusion of functions based on a config.h
define that belongs to X.509, which is backwards. For now, just include those
functions unconditionally and rely on the linker to garbage-collect them if
not used.

In the longer term X.509-specific functions are likely to be removed from
libmbedcrypto, but at this step the goal is to preserve the API (and even ABI)
of libmbedcrypto for as long as possible while separating the source trees of
Mbed Crypto and Mbed TLS.
2019-01-28 10:31:39 +01:00
Manuel Pégourié-Gonnard c49ada41d4 Fix backwards include of x509.h in oid.h
As agreed during the workshop, temporarily move definitions to oid.h even if
they might not semantically belong here, as a short-term measure allowing to
build libmbecrypto on its own (without X.509 files present in the source tree)
but still provide all the things Mbed TLS currently expects, and more
specifically preserve the API and ABI exposed by libmbedtls.
2019-01-28 09:26:19 +01:00
Oren Cohen 23a6784cb9 Update usage of PSA ITS to comply with v1.0 2019-01-27 10:19:18 +02:00
Hanno Becker 2169a5e54d PSA: Adapt pk.c, pk_wrap.c, cipher.c to new key policy init API 2019-01-25 14:36:28 +00:00
Hanno Becker 242da1e2c2 PSA: Adapt cipher.c, pk.c, pk_wrap.c to new key slot allocation API 2019-01-25 14:36:28 +00:00
Hanno Becker f99c2ec9d7 PSA: Adapt pk.c, pk_wrap.c, cipher.c to new key policy init API 2019-01-25 14:36:07 +00:00
Hanno Becker e34f636f8d PSA: Adapt cipher.c, pk.c, pk_wrap.c to new key slot allocation API 2019-01-25 14:31:06 +00:00
Jaeden Amero 4d69cf1a84
Merge pull request #13 from Patater/pubkey-format
Simplify RSA and EC public key formats
2019-01-25 10:09:40 +00:00
Antonin Décimo 36e89b5b71 Fix #2370, minor typos and spelling mistakes 2019-01-24 10:37:40 +01:00
Jaeden Amero c67200d0e6 psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-23 17:39:46 +00:00
Jaeden Amero cd09d8c83a psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-23 17:39:46 +00:00
Jaeden Amero ccdce90adb psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-23 17:39:46 +00:00
Jaeden Amero 97271b37c8 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-23 17:31:50 +00:00
Jaeden Amero 25384a236e psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-23 17:31:50 +00:00
Jaeden Amero 0b6b871056
Merge pull request #22 from ARMmbed/iotssl-2697-psa-key-allocation-crypto
Adapting to the new PSA key slot allocation mechanism
2019-01-23 15:00:19 +00:00
Jaeden Amero cfb7ae9318
Merge pull request #16 from itayzafrir/spm-support-crypto-handles-api
Support for slots to handles crypto API changes under SPM
2019-01-23 13:38:50 +00:00
Andrzej Kurek f410a5c251 Fix indentation of documentation 2019-01-23 06:23:31 -05:00
Andrzej Kurek e1a8187df9 pk_wrap: pass curve size instead of a larger size of the exported key
Whitespace fixes
2019-01-23 06:23:21 -05:00
Andrzej Kurek 1ec0fee458 pk: wrap curve_id before passing it to PSA
Add a helper function in PSA utils
2019-01-23 06:23:12 -05:00
Andrzej Kurek 08dfceaba4 cipher: fixed key ownership scope
Indicate key ownership earlier, so that it gets destroyed on faulty policy setting.
2019-01-23 06:22:42 -05:00
Andrzej Kurek c750932f2c Adapt to the new key allocation mechanism 2019-01-23 06:22:32 -05:00
Simon Butcher 8e763329ad Merge remote-tracking branch 'public/pr/2040' into development 2019-01-23 10:28:25 +01:00
Simon Butcher d4e327c4ff Merge remote-tracking branch 'public/pr/2345' into development 2019-01-23 10:14:52 +01:00
Jaeden Amero 494624d299
Merge pull request #18 from gilles-peskine-arm/psa-hash_clone
New function psa_hash_clone
2019-01-22 17:35:25 +00:00
Gilles Peskine eb35d78a11 Style fix 2019-01-22 17:56:16 +01:00
Gilles Peskine ea2e3604b1 Merge branch 'psa-copy_key' into psa-api-1.0-beta
New function psa_copy_key().

Conflicts:
* library/psa_crypto.c: trivial conflicts due to consecutive changes.
* tests/suites/test_suite_psa_crypto.data: the same code
  was added on both sides, but with a conflict resolution on one side.
* tests/suites/test_suite_psa_crypto_metadata.function: the same code
  was added on both sides, but with a conflict resolution on one side.
2019-01-19 13:56:35 +01:00
Gilles Peskine 4cb9dde84a New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-19 13:46:36 +01:00
Gilles Peskine 0ce26e35d6 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-19 13:42:51 +01:00
Gilles Peskine b865df005c Merge branch 'psa-no_type_on_allocate_key' into psa-api-1.0-beta
Remove the type and bits arguments from psa_allocate_key() and
psa_create_key().
2019-01-19 12:24:18 +01:00
Gilles Peskine d40c1fbd50 Don't require a type and size when creating a key slot
Remove the type and bits arguments to psa_allocate_key() and
psa_create_key(). They can be useful if the implementation wants to
know exactly how much space to allocate for the slot, but many
implementations (including ours) don't care, and it's possible to work
around their lack by deferring size-dependent actions to the time when
the key material is created. They are a burden to applications and
make the API more complex, and the benefits aren't worth it.

Change the API and adapt the implementation, the units test and the
sample code accordingly.
2019-01-19 12:20:52 +01:00
Gilles Peskine b37af92eb9 Merge branch 'psa-hash_clone' into psa-api-1.0-beta
Add psa_hash_clone.
2019-01-19 12:07:27 +01:00
Gilles Peskine ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
Gilles Peskine 9dcc80e628 Merge branch 'psa-derive_input_steps-agreement_as_one_step' into psa-api-1.0-beta
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.

Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
  of psa_key_agreement (public_key from the work on public key formats
  vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
  tests from the work on key derivation to the format from the work on
  public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
  addition of unrelated ALG_IS_xxx macros
2019-01-18 18:54:15 +01:00
Gilles Peskine 6843c29713 Simplify the encoding of key agreement algorithms
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).

Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
2019-01-18 18:38:08 +01:00
Gilles Peskine 969c5d61f7 Make key agreement the secret input for key derivation
* Documentation
* Proof-of-concept implementation
* Updates to the tests (work in progress)
2019-01-18 18:34:28 +01:00
Gilles Peskine 6cdfdb75a9 Improve the rules on key derivation input types
Use separate step types for a KDF secret and for the private key in a
key agreement.

Determine which key type is allowed from the step type, independently
of the KDF.

Forbid raw inputs for certain steps. They definitely should be
forbidden for asymmetric keys, which are structured. Also forbid them
for KDF secrets: the secrets are supposed to be keys, even if they're
unstructured.
2019-01-18 18:33:12 +01:00
Gilles Peskine b70a0fd1a5 Key derivation by small input steps: proof-of-concept
Document the new API. Keep the old one.

Implement for HKDF. Use it in a few test cases.

Key agreement is still unchanged.
2019-01-18 18:33:12 +01:00
Gilles Peskine 7666edbfe1 Merge branch 'psa-aead_multipart' into psa-api-1.0-beta
Add multipart AEAD API.

Add one-shot API for hash, MAC and cipher.
2019-01-18 17:59:30 +01:00
Gilles Peskine 1f9e58a1bb Merge branch 'psa-signature_policy_wildcard' into psa-api-1.0-beta
For hash-and-sign algorithms, allow a policy to specify a wildcard
instead of a specific hash algorithm.
2019-01-18 17:52:17 +01:00
Gilles Peskine d71dbd888b Merge branch 'pubkey-format-dh-dsa-pass_type_to_set_domain_parameters' into psa-api-1.0-beta
Change the import/export format of DSA and DH public keys to use just
the key data, without a SubjectPublicKeyInfo wrapping.

Add an API to set and query domain parameters for DSA and DH keys.
2019-01-18 17:30:16 +01:00
Jaeden Amero 283dfd1613 psa: Add get/set domain parameters
DSA and static DH need extra domain parameters. Instead of passing these
in with the keys themselves, add get and set functions to set and
retrieve this information about keys.
2019-01-18 17:19:54 +01:00
Gilles Peskine 2d22647ce3 Merge remote-tracking branch 'upstream-crypto/pr/13' into psa-api-1.0-beta
Change the import/export format of RSA and ECC public keys to use just
the key data, without a SubjectPublicKeyInfo wrapping.
2019-01-18 17:04:12 +01:00
ILUXONCHIK acfee8eb04 refactor CA and SRV certificates into separate blocks 2019-01-17 00:35:40 +02:00
ILUXONCHIK 2bd7f99685 refactor SHA-1 certificate defintions and assignment
As per refactoring suggestion that I made in #1520.
2019-01-17 00:32:36 +02:00
ILUXONCHIK d94b3e7368 refactor server SHA-1 certificate definition into a new block 2019-01-17 00:29:18 +02:00
ILUXONCHIK 2f27790565 define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME 2019-01-17 00:25:26 +02:00
ILUXONCHIK 914df7937d server SHA-256 certificate now follows the same logic as CA SHA-256 certificate 2019-01-17 00:25:26 +02:00
Andres Amaya Garcia ec6329f23d Add new function mbedtls_asn1_write_named_bitstring()
Add a new function mbedtls_asn1_write_named_bitstring() that removes
trailing 0s at the end of DER encoded bitstrings. The function is
implemented according to Hanno Becker's suggestions.

This commit also changes the functions x509write_crt_set_ns_cert_type
and crt_set_key_usage to call the new function as the use named
bitstrings instead of the regular bitstrings.
2019-01-16 10:35:13 +00:00
itayzafrir 14e7678790 Documentation update regarding SPM integration 2019-01-16 11:16:39 +02:00
itayzafrir 99974e344a SPM integration update due to crypto API changes
When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM (Secure Partition Manager)
integration which separates the code into two parts: NSPE (Non-Secure Processing Environment) and SPE
(Secure Processing Environment). When building for the SPE, an additional header file should be included.
2019-01-16 11:13:19 +02:00
Jaeden Amero 08ad32721c psa: Remove extra status handling from import
Remove extra status handling code from psa_import_key_into_slot(). This
helps save a tiny amount of code space, but mainly serves to improve the
readability of the code.
2019-01-15 11:29:19 +00:00
Jaeden Amero ec6ff863b5 psa: Refactor psa_import_rsa_key() pk-using code
Move pk-using code to inside psa_import_rsa_key(). This aligns the shape
of psa_import_rsa_key() to match that of psa_import_ec_private_key() and
psa_import_ec_public_key().
2019-01-15 11:29:19 +00:00
Jaeden Amero 0ae445f8fd psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-15 11:29:18 +00:00
Jaeden Amero 1e5c2bd8e3 psa: Use psa_status_t in psa_key_agreement_ecdh()
Use the PSA-native status type in psa_key_agreement_ecdh() in
preparation for us calling PSA functions (and not just Mbed TLS
functions) and still being able to return a psa_status_t (without having
to translate it to a Mbed TLS error and then back again).
2019-01-15 10:40:54 +00:00
Andrzej Kurek c0a1be08a0 Fix indentation of documentation 2019-01-15 03:33:35 -05:00
Gilles Peskine 30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Gilles Peskine 30a9e41076 Declare multipart AEAD functions
Declare and document multipart AEAD functions.

This commit does not contain any implementation or tests.
2019-01-14 18:36:12 +01:00
Gilles Peskine 5f25dd00c0 Document that destroying a key aborts any ongoing operation
Document that psa_close_key() and psa_destroy_key() abort any ongoing
multipart operation that is using the key. This is not implemented
yet.
2019-01-14 18:29:46 +01:00
Jaeden Amero 8d4be19517
Merge pull request #7 from gilles-peskine-arm/all_sh-mbedcrypto
[mbedcrypto] all.sh: make it possible to run a subset of the components
2019-01-14 10:47:20 +00:00
Andrzej Kurek 62594a8b12 pk_wrap: pass curve size instead of a larger size of the exported key
Whitespace fixes
2019-01-14 05:14:18 -05:00
Andrzej Kurek 93a38a3101 pk: wrap curve_id before passing it to PSA
Add a helper function in PSA utils
2019-01-14 05:09:46 -05:00
Andrzej Kurek a62a58ece5 cipher: fixed key ownership scope
Indicate key ownership earlier, so that it gets destroyed on faulty policy setting.
2019-01-14 05:01:28 -05:00
Jaeden Amero 6b19600fba psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-11 18:08:53 +00:00
Jaeden Amero 83d293951c psa: Call init when importing private EC keys
Previously we weren't initializing the freshly allocated ECP keypair
when importing private EC keys. This didn't seem to cause problems, at
least according to our current test coverage, but it's better to ensure
we don't have a partially initialized object by explicitly initializing
the keypair.
2019-01-10 20:25:55 +00:00
Hanno Becker a9375b35c0 Avoid MSVC compiler warning
MSVC warns about use of unary `-` operator on unsigned integers.
2019-01-10 09:21:24 +00:00
Hanno Becker 783f9c3514 Fix signed-to-unsigned integer conversion warning in X.509 module
Fixes #2212.
2019-01-10 09:21:24 +00:00
Ron Eldor adb5234aa9 Return error code of underlying function.
Return the error code if failed, instead of returning value `1`.
If not failed, return the call of the underlying function,
in `mbedtls_ecdsa_genkey()`.
2019-01-10 10:47:42 +02:00
Gilles Peskine 1927565f9b Use CMAKE_BUILD_TYPE to do Asan builds
Use `cmake -D CMAKE_BUILD_TYPE=Asan` rather than manually setting
`-fsanitize=address`. This lets cmake determine the necessary compiler
and linker flags.

With UNSAFE_BUILD on, force -Wno-error. This is necessary to build
with MBEDTLS_TEST_NULL_ENTROPY.
2019-01-10 09:32:04 +01:00
Andrzej Kurek ee3c435063 Whitespace fix for ccm, gcm, and pkcs5
Fix whitespace mistakes  in ccm, gcm, and pkcs5.
2019-01-10 03:17:34 -05:00
Michał Janiszewski c79e92b802 Rename remaining test data 2019-01-10 03:14:00 -05:00
Michał Janiszewski 9aeea93cc3 Rename globals to avoid shadowing by various function arguments
It's easier and more telling to rename the globals used only for test,
rather than rename all the shadowing function arguments.
2019-01-10 03:14:00 -05:00
Gilles Peskine 5fa32a7a7a Use CMAKE_BUILD_TYPE to do Asan builds
Use `cmake -D CMAKE_BUILD_TYPE=Asan` rather than manually setting
`-fsanitize=address`. This lets cmake determine the necessary compiler
and linker flags.

With UNSAFE_BUILD on, force -Wno-error. This is necessary to build
with MBEDTLS_TEST_NULL_ENTROPY.
2019-01-09 22:35:57 +01:00
Andrzej Kurek 2349c4db88 Adapt to the new key allocation mechanism 2019-01-08 09:36:01 -05:00
Jaeden Amero 70261c513a psa: Add initializers for key policies
Add new initializers for key policies and use them in our docs, example
programs, tests, and library code. Prefer using the macro initializers
due to their straightforwardness.
2019-01-08 14:28:04 +00:00
Hanno Becker 0e810b9648 Don't call memcpy with NULL pointer in mbedtls_mpi_read_binary()
mbedtls_mpi_read_binary() calls memcpy() with the source pointer being
the source pointer passed to mbedtls_mpi_read_binary(), the latter may
be NULL if the buffer length is 0 (and this happens e.g. in the ECJPAKE
test suite). The behavior of memcpy(), in contrast, is undefined when
called with NULL source buffer, even if the length of the copy operation
is 0.

This commit fixes this by explicitly checking that the source pointer is
not NULL before calling memcpy(), and skipping the call otherwise.
2019-01-03 17:13:11 +00:00
Hanno Becker 9f6d16ad79 Fix preprocessor macro existence check in bignum.c 2019-01-02 17:15:06 +00:00
Hanno Becker 6dab6200c6 Fix typo after rebase 2019-01-02 16:42:29 +00:00
Hanno Becker 5d91c0bbee Add missing macro existence check in byte swapping code in bignum.c 2019-01-02 11:38:14 +00:00
Hanno Becker f872007782 Optimize mpi_bigendian_to_host() for speed and size
Use GCC / Clang builtins for byte swapping.
2019-01-02 11:38:14 +00:00
Hanno Becker 2be8a55f72 Change signature of mpi_bigendian_to_host() to reflect usage 2019-01-02 11:37:25 +00:00
Hanno Becker da1655a48e Remove temporary stack-buffer from mbedtls_mpi_fill_random()
Context: The function `mbedtls_mpi_fill_random()` uses a temporary stack
buffer to hold the random data before reading it into the target MPI.

Problem: This is inefficient both computationally and memory-wise.
Memory-wise, it may lead to a stack overflow on constrained devices with
limited stack.

Fix: This commit introduces the following changes to get rid of the
temporary stack buffer entirely:

1. It modifies the call to the PRNG to output the random data directly
   into the target MPI's data buffer.

This alone, however, constitutes a change of observable behaviour:
The previous implementation guaranteed to interpret the bytes emitted by
the PRNG in a big-endian fashion, while rerouting the PRNG output into the
target MPI's limb array leads to an interpretation that depends on the
endianness of the host machine.
As a remedy, the following change is applied, too:

2. Reorder the bytes emitted from the PRNG within the target MPI's
   data buffer to ensure big-endian semantics.

Luckily, the byte reordering was already implemented as part of
`mbedtls_mpi_read_binary()`, so:

3. Extract bigendian-to-host byte reordering from
   `mbedtls_mpi_read_binary()` to a separate internal function
   `mpi_bigendian_to_host()` to be used by `mbedtls_mpi_read_binary()`
   and `mbedtls_mpi_fill_random()`.
2019-01-02 11:37:25 +00:00
Simon Butcher 6c164e754b Update the version of the library to 2.16.0 2018-12-21 10:51:51 +00:00
Simon Butcher b6cdf980bc Merge remote-tracking branch 'public/pr/1721' into development-restricted 2018-12-20 12:37:13 +00:00
Simon Butcher ad7c2105a2 Merge remote-tracking branch 'public/pr/2274' into development 2018-12-20 12:16:57 +00:00
Simon Butcher 12b4240300 Merge remote-tracking branch 'public/pr/2288' into development 2018-12-20 12:16:46 +00:00
Simon Butcher c831193c85 Merge remote-tracking branch 'public/pr/2302' into development 2018-12-20 12:16:39 +00:00
Simon Butcher 1efda39f8a Merge remote-tracking branch 'public/pr/2297' into development 2018-12-20 12:16:29 +00:00
Simon Butcher 5aa7809ac8 Merge remote-tracking branch 'public/pr/2275' into development 2018-12-20 12:15:19 +00:00
Simon Butcher 780cf189b0 Merge remote-tracking branch 'public/pr/2271' into development 2018-12-20 12:15:08 +00:00
Simon Butcher 032c037052 Merge remote-tracking branch 'public/pr/2270' into development 2018-12-20 12:04:13 +00:00
Simon Butcher a033633bb0 Merge remote-tracking branch 'public/pr/2269' into development 2018-12-20 12:02:56 +00:00
Simon Butcher 70935a4001 Merge remote-tracking branch 'public/pr/2299' into development 2018-12-20 12:02:23 +00:00
Simon Butcher 003c0e032f Merge remote-tracking branch 'public/pr/2292' into development 2018-12-20 12:02:17 +00:00
Simon Butcher decf2f5c2c Merge remote-tracking branch 'public/pr/2291' into development 2018-12-20 12:02:11 +00:00
Simon Butcher 65ce5dc981 Merge remote-tracking branch 'public/pr/2290' into development 2018-12-20 12:02:05 +00:00
Simon Butcher ad2e0dae32 Merge remote-tracking branch 'public/pr/2283' into development 2018-12-20 12:01:58 +00:00
Simon Butcher 0bbf7f450d Merge remote-tracking branch 'public/pr/2279' into development 2018-12-20 12:01:49 +00:00
Simon Butcher 962b7b17d5 Merge remote-tracking branch 'public/pr/2273' into development 2018-12-20 12:01:17 +00:00
Simon Butcher 6be67a6518 Merge remote-tracking branch 'public/pr/2281' into development 2018-12-20 12:01:09 +00:00
Simon Butcher dac513e246 Merge remote-tracking branch 'public/pr/2282' into development 2018-12-20 12:01:04 +00:00
Simon Butcher ccafd14fee Merge remote-tracking branch 'public/pr/2276' into development 2018-12-20 12:00:57 +00:00
Simon Butcher 2a8d32c6c1 Merge remote-tracking branch 'public/pr/2287' into development 2018-12-20 12:00:50 +00:00
Manuel Pégourié-Gonnard 01d4b76b7e Remove faulty cipher_finish calls from nist_kw
The calls to cipher_finish didn't actually do anything:
- the cipher mode is always ECB
- in that case cipher_finish() only sets *olen to zero, and returns either 0
  or an error depending on whether there was pending data
- olen is a local variable in the caller, so setting it to zero right before
  returning is not essential
- the return value of cipher_finis() was not checked by the caller so that's
  not useful either
- the cipher layer does not have ALT implementations so the behaviour
  described above is unconditional on ALT implementations (in particular,
cipher_finish() can't be useful to hardware as (with ECB) it doesn't call any
functions from lower-level modules that could release resources for example)

Since the calls are causing issues with parameter validation, and were no
serving any functional purpose, it's simpler to just remove them.
2018-12-20 12:15:40 +01:00
Hanno Becker 2f6de42622 Move SHA256_VALIDATE[_RET] outside of MBEDTLS_SHA256_ALT guard
Somehow, mbedtls_sha256_ret() is defined even if MBEDTLS_SHA256_ALT
is set, and it is using SHA256_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA256_ALT does _not_ replace
the entire module, but only the core SHA-256 functions.
2018-12-20 10:24:29 +00:00
Hanno Becker c756049dc3 Move SHA512_VALIDATE[_RET] outside of MBEDTLS_SHA512_ALT guard
Somehow, mbedtls_sha512_ret() is defined even if MBEDTLS_SHA512_ALT
is set, and it is using SHA512_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA512_ALT does _not_ replace
the entire module, but only the core SHA-512 functions.
2018-12-20 10:24:00 +00:00
Hanno Becker b3c70230d2 Move SHA1_VALIDATE[_RET] outside of MBEDTLS_SHA1_ALT guard
Somehow, mbedtls_sha1_ret() is defined even if MBEDTLS_SHA1_ALT
is set, and it is using SHA1_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA1_ALT does _not_ replace
the entire module, but only the core SHA-1 functions.
2018-12-20 10:18:05 +00:00
k-stachowiak 6adb0574ea Improve details of CCM parameter validation and documentation 2018-12-19 19:02:39 +01:00
k-stachowiak f712534801 Add missing validation code in CCM 2018-12-19 19:02:39 +01:00
k-stachowiak ff8a0989c8 Allow empty arguments in some CCM functions' parameter validation 2018-12-19 19:02:39 +01:00
k-stachowiak fd42d531ba Explicitly allow NULL as an argument to mbedtls_ccm_free() 2018-12-19 19:02:39 +01:00
k-stachowiak 26d365eb54 Add parameter validation for CCM 2018-12-19 19:02:39 +01:00
Gilles Peskine 6af45ec53e PK: document context validity requirements
Document when a context must be initialized or not, when it must be
set up or not, and whether it needs a private key or a public key will
do.

The implementation is sometimes more liberal than the documentation,
accepting a non-set-up context as a context that can't perform the
requested information. This preserves backward compatibility.
2018-12-19 18:10:03 +01:00
Hanno Becker f25ee7f79d Fix parameter validation for mbedtls_mpi_lsb()
The MPI_VALIDATE_RET() macro cannot be used for parameter
validation of mbedtls_mpi_lsb() because this function returns
a size_t.

Use the underlying MBEDTLS_INTERNAL_VALIDATE_RET() insteaed,
returning 0 on failure.

Also, add a test for this behaviour.
2018-12-19 16:51:50 +00:00
Gilles Peskine 8c71b3ecb3 pk_parse*keyfile: explicitly validate path=NULL
Don't rely on the check in pk_load_file, that's fragile.
2018-12-19 17:37:02 +01:00
k-stachowiak 516897a44a Remove unnecessary parameter validation from the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak 1a9df6bcb7 Improve style in the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak 95070a8286 Make some cipher parameter validation unconditional 2018-12-19 17:34:58 +01:00
k-stachowiak c29d94c7bf Account for optional NULL buffer arguments in the Cipher module 2018-12-19 17:34:13 +01:00
k-stachowiak a539070f82 Make all parameter validation tests optional 2018-12-19 17:34:13 +01:00
Krzysztof Stachowiak e0215d7869 Add Cipher module parameter validation 2018-12-19 17:34:13 +01:00
k-stachowiak 21298a20c4 Improve parameter validation in mbedtls_gcm_free() 2018-12-19 17:32:19 +01:00
k-stachowiak 8ffc92a1e8 Add parameter validation for the GCM module 2018-12-19 17:30:38 +01:00
Hanno Becker 8ce11a323e Minor improvements to bignum module 2018-12-19 16:18:52 +00:00
Gilles Peskine ee3cfec3cc PK sign/verify: hash=NULL is ok if md_alg=0 and hash_len=0 2018-12-19 17:11:44 +01:00
Gilles Peskine 159171b72a PK parse/write: support keylen=0 correctly
A 0-length buffer for the key is a legitimate edge case. Ensure that
it works, even with buf=NULL. Document the key and keylen parameters.

There are already test cases for parsing an empty buffer. A subsequent
commit will add tests for writing to an empty buffer.
2018-12-19 17:03:28 +01:00
Hanno Becker 70ded3602c Minor improvements to Camellia module and documentation 2018-12-19 13:42:05 +00:00
Gilles Peskine 1f19fa6f62 PK: Fix free(NULL) in library and tests
free() functions are documented as no-ops on NULL. Implement and test
this correctly.
2018-12-19 14:18:39 +01:00
Hanno Becker 541aa69de4 Implement parameter validation for Blowfish module 2018-12-19 12:52:59 +00:00
Hanno Becker b54ae0bc0d Implement parameter validation for ARIA module 2018-12-19 12:51:00 +00:00
Hanno Becker ff62f44ad7 Remove duplicated parameter check in CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker b4b7fb7504 Implement parameter validation for CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker 9994e0d7cf Regenerate errors.c 2018-12-19 09:55:40 +00:00
Hanno Becker d8e4f4a764 Regenerate errors.c 2018-12-19 09:54:55 +00:00
Hanno Becker 859522a31c Regenerate errors.c 2018-12-19 09:54:14 +00:00
Hanno Becker 185e516309 Minor fixes to ECJPAKE parameter validation 2018-12-19 09:48:50 +00:00
Hanno Becker b7a04a7851 Fix mbedtls_ecp_curve_info_from_name() for NULL input 2018-12-19 08:52:05 +00:00
Hanno Becker 80f71689ee Add parameter validation to mbedtls_ecp_restart_init() 2018-12-19 08:51:52 +00:00
Simon Butcher 54b789aa74 Merge remote-tracking branch 'public/pr/2298' into development 2018-12-19 08:08:14 +00:00
Gilles Peskine e97dc60b42 Implement parameter validation in pk, pkparse and pkwrite
Add checks for null pointers under MBEDTLS_CHECK_PARAMS.

In functions that perform operations with a context, only check if the
context pointer is non-null under MBEDTLS_CHECK_PARAMS. In the default
configuration, unconditionally dereference the context pointer.

In functions that query a context, support NULL as a
pointer-to-context argument, and return the same value as for a
context which has been initialized but not set up.
2018-12-19 00:55:36 +01:00
Hanno Becker c81cfece8f Minor fixes to parameter validation in ECDH module 2018-12-18 23:32:42 +00:00
Hanno Becker a7634e8347 Fix wrong invocation of parameter validation macro in ECDH module 2018-12-18 18:45:00 +00:00
Hanno Becker 54c91dd235 Remove double semicolon from bignum.c 2018-12-18 18:12:13 +00:00
Hanno Becker 73d7d79bc1 Implement parameter validation for MPI module 2018-12-18 18:12:13 +00:00
Hanno Becker 38e15d49f3 Don't declare MBEDTLS-namespace identifiers in sha512.c 2018-12-18 17:54:00 +00:00
Hanno Becker 8d215e7130 Don't define MBEDTLS-namespace macros in sha256.c 2018-12-18 17:53:21 +00:00
Hanno Becker 039ccab243 Don't declare MBEDTLS-namespace macros in sha1.c 2018-12-18 17:52:14 +00:00
Hanno Becker 2f660d047d Forbid passing NULL input buffers to RSA encryption routines 2018-12-18 17:07:30 +00:00
Hanno Becker adc9b178ca Minor improvements to DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker 5c14ed6f86 Implement parameter validation for DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker ca6f4585c7 Fix parameter validation in SHA-512 module 2018-12-18 16:36:26 +00:00