Commit graph

12632 commits

Author SHA1 Message Date
Janos Follath cf4a40ba0a
Merge pull request #370 from yanesca/update-version-2.21.0
Bump version to Mbed TLS 2.21.0
2020-02-19 14:21:11 +00:00
Janos Follath bc7c2424c9 Bump version to Mbed TLS 2.21.0 2020-02-19 11:51:13 +00:00
Gilles Peskine f841eab48f
Merge pull request #367 from mpg/fix-rsa-complete
Fix pk_parse_key()'s use of rsa_complete()
2020-02-19 10:23:03 +01:00
Manuel Pégourié-Gonnard f8b9329125
Merge pull request #365 from soby-mathew/sm/static_fns_compat
Change the compatibility API to inline functions
2020-02-18 12:59:50 +01:00
Manuel Pégourié-Gonnard bbb5a0a94a Fix pkparse bug wrt MBEDTLS_RSA_ALT
Some code paths want to access members of the mbedtls_rsa_context structure.
We can only do that when using our own implementation, as otherwise we don't
know anything about that structure.
2020-02-18 10:31:29 +01:00
Manuel Pégourié-Gonnard 9bbe328752 Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:31:29 +01:00
Manuel Pégourié-Gonnard b65370f97d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:18:43 +01:00
Manuel Pégourié-Gonnard c42267920c Check public part when parsing private RSA key 2020-02-18 10:18:43 +01:00
Manuel Pégourié-Gonnard a04a2c3ef1 Don't pass zero to rsa_complete() as a param
When parsing a PKCS#1 RSAPrivateKey structure, all parameters are always
present. After importing them, we need to call rsa_complete() for the sake of
alternative implementations. That function interprets zero as a signal for
"this parameter was not provided". As that's never the case, we mustn't pass
any zero value to that function, so we need to explicitly check for it.
2020-02-18 10:18:43 +01:00
Soby Mathew 0a4270d732 Change the compatibility API to inline functions
This patch changes the compatibility API defined in crypto_compat.h
to static inline functions as the previous macro definitions were
causing issues for the C pre-processor when included in projects
which need to redefine the PSA function names. Making it static
inline function solves this problem neatly and also modern compilers
do a good job at inlining the function which makes the need for making
it a macro redundant.

Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2020-02-10 17:26:22 +00:00
Manuel Pégourié-Gonnard 4d8c836cdc
Merge pull request #346 from gilles-peskine-arm/mpi_copy_shrink
Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:01 +01:00
Janos Follath f317dc4918
Merge pull request #350 from gilles-peskine-arm/asn1-tests-parse_prefixes-trailing_garbage
test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes
2020-02-05 15:40:22 +00:00
Janos Follath 4fde885d1f
Merge pull request #357 from gilles-peskine-arm/merge-crypto-development-20200203
Update Mbed Crypto with latest Mbed TLS changes as of 2020-02-03
2020-02-04 11:00:51 +00:00
Gilles Peskine 2579675935 Merge remote-tracking branch 'upstream-public/development' into development
Files deleted by us: keep them deleted.

```
git rm $(git status -s | sed -n 's/^DU //p')
```

Individual files with conflicts:

* `README.md`: keep the crypto version.
* `doxygen/input/doc_mainpage.h`: keep the crypto version (with an obsolete Mbed Crypto version number).
* `include/mbedtls/error.h`:
    * `ERROR`: similar additions made through parallel commits, with only whitespace differences. Align with the tls version.
* `library/CMakeLists.txt`: keep the crypto version.
* `library/Makefile`: keep the crypto version.
* `scripts/generate_errors.pl`: keep the crypto version (the relevant changes were made through parallel commits).
* `tests/scripts/check-test-cases.py`:
    * `Results`: keep the crypto version, which has both the new argument to the constructor (added in crypto only) and the class docstring (added through parallel commits).
* `tests/suites/helpers.function`:
    * `ARRAY_LENGTH`, `ASSERT_ALLOC`: additions in the same location. Keep both, in indifferent order.
* `tests/suites/target_test.function`:
    * `receive_uint32`: keep the crypto version which has an additional bug fix. The tls changes made in tls are irrelevant after this bug fix.
* `visualc/VS2010/mbedTLS.vcxproj`: run `scripts/generate_visualc_files.pl`.

Review of non-conflicting changes:

* `all.sh`: 1 change.
    * zlib test components: don't add them.
* `include/CMakeLists.txt`: 1 change.
    * `target_include_directories`: doesn't work as is (different target name). Don't take the change.
* All other non-conflicting changes: take them.
2020-02-03 18:52:36 +01:00
Gilles Peskine a9da093617 shrink tests: clearer description 2020-02-03 16:18:30 +01:00
Gilles Peskine 9a6ecee4de Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:15:47 +01:00
Janos Follath b7000d4b2f
Merge pull request #345 from gilles-peskine-arm/psa_mac_verify_finish-status
Fix possible error code mangling in psa_mac_verify_finish
2020-02-03 13:55:11 +00:00
Gilles Peskine c69c2c5bf5
Merge pull request #263 from hanno-arm/asn1_traversal_api
Introduce ASN.1 SEQUENCE traversal API
2020-02-03 13:35:19 +01:00
Hanno Becker 34aada2df5 Replace use of uint8_t by unsigned char in ASN.1 seq traversal API
The rest of the ASN.1 API uses `unsigned char`, too.
2020-02-03 10:39:55 +00:00
Hanno Becker 1505f636a2 ASN.1: Reimplement mbedtls_asn1_get_sequence_of() via traversal API 2020-01-31 15:40:51 +00:00
Gilles Peskine 36ce88be1e
Merge pull request #2999 from catenacyber/fuzzrsa
Checks mbedtls_rsa_export return in fuzz targets
2020-01-31 16:38:43 +01:00
Gilles Peskine c0611a5a61
Merge pull request #352 from jack-fortanix/jack/parse-rsa-crt-params
Parse RSA parameters DP, DQ and QP from PKCS1 private keys
2020-01-31 16:37:31 +01:00
Hanno Becker 199b709e53 ASN.1: Add ASN.1 SEQUENCE traversal API 2020-01-31 15:37:26 +00:00
Gilles Peskine b5c74a53d8 Document one more error code for mbedtls_asn1_get_sequence_of
Also fix a copypasta.
2020-01-31 15:37:26 +00:00
Hanno Becker 12ae27dd0e ASN.1: Introduce helper function to free ASN.1 sequence 2020-01-31 15:37:26 +00:00
Hanno Becker 63e38fe914 ASN.1: Add helper macro to compare ASN.1 buffer to OID string 2020-01-31 15:37:26 +00:00
Hanno Becker cba7122d74 ASN.1: Add helper macro to detect string types 2020-01-31 15:37:26 +00:00
Gilles Peskine 512d040963
Merge pull request #2964 from gilles-peskine-arm/psa-streamline_encodings-types_and_curves-ls
USE_PSA_CRYPTO: update elliptic curve encoding
2020-01-31 16:30:02 +01:00
Jaeden Amero 2b91abaae6
Merge pull request #2984 from piotr-now/iotssl-2955-move-handshake-to-prescribed-state
Add test for prescribed states of handshake with the custom IO callbacks
2020-01-31 14:16:53 +00:00
Gilles Peskine 42459805ce USE_PSA_CRYPTO: don't rely on the curve encoding
Adapt to the change of encoding of elliptic curve key types in PSA
crypto. Before, an EC key type encoded the TLS curve identifier. Now
the EC key type only includes an ad hoc curve family identifier, and
determining the exact curve requires both the key type and size. This
commit moves from the old encoding and old definitions from
crypto/include/mbedtls/psa_util.h to the new encoding and definitions
from the immediately preceding crypto submodule update.
2020-01-31 14:57:43 +01:00
Gilles Peskine 81d3100250 Update crypto submodule
Previously in d8752858fc22fa3ee4be21bc27e04d8fedaeaea4:
* #333: Streamline PSA key type encodings: prepare
* #323: Initialise return values to an error

Previously in dbcb44202c9b67184a72afd21c7191c17eee352e:
* #291: Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
* #334: Fix some pylint warnings

Previously in ceceedb532a4bc9e569f02261ab841b102a8c167:
* #348: Bump version to Mbed TLS 2.20.0 and crypto SO version to 4
* #354: Fix incrementing pointer instead of value

In this commit:
* #349: Fix minor defects found by Coverity
* #179: Add option to build SHA-512 without SHA-384
* #327: Implement psa_hash_compute and psa_hash_compare
* #330: Streamline PSA key type and curve encodings
2020-01-31 14:57:16 +01:00
Gilles Peskine 819799cfc6
Merge pull request #330 from gilles-peskine-arm/psa-streamline_encodings-types_and_curves
Streamline PSA key type and curve encodings
2020-01-31 14:52:15 +01:00
Gilles Peskine 3e819b7d69 psa_key_agreement_ecdh: zeroize output on failure
If psa_key_agreement_ecdh fails, there may be output that leaks
sensitive information in the output buffer. Zeroize it.

If this is due to an underlying failure in the ECDH implementation, it
is currently not an issue since both the traditional Mbed TLS/Crypto
implementation and Everest only write to the output buffer once every
intermediate step has succeeded, but zeroizing is more robust. If this
is because the recently added key size check fails, a leak could be a
serious issue.
2020-01-31 10:24:21 +01:00
Gilles Peskine 7cfcb3fc03 Change the encoding of key types to have a parity bit
Change the encoding of key types, EC curve families and DH group
families to make the low-order bit a parity bit (with even parity).

This ensures that distinct key type values always have a Hamming
distance of at least 2, which makes it easier for implementations to
resist single bit flips.
2020-01-31 10:24:21 +01:00
Gilles Peskine 7d7c8dc8b0 Test parsing invalid key type in storage 2020-01-31 10:24:21 +01:00
Gilles Peskine 46e6f9de4a Document the vendor range for EC curve and DH group families 2020-01-31 10:24:21 +01:00
Gilles Peskine f65ed6f254 Change key types to a 16-bit encoding
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.
2020-01-31 10:24:21 +01:00
Gilles Peskine b87b719467 Remove old values of curve encodings
Remove the values of curve encodings that are based on the TLS registry
and include the curve size, keeping only the new encoding that merely
encodes a curve family in 8 bits.

Keep the old constant names as aliases for the new values and
deprecate the old names.
2020-01-31 10:24:21 +01:00
Gilles Peskine d1959dcd4a Change auxiliary functions for TLS to the new PSA EC curve encoding
This is a change to an internal API that is exposed only for the sake
of Mbed TLS.
2020-01-31 10:24:21 +01:00
Gilles Peskine 80d26fb56f Switch psa_crypto tests to the new curve encoding 2020-01-31 10:24:21 +01:00
Gilles Peskine 4080c91e73 pk: USE_PSA_CRYPTO: don't translate via the TLS ID
Use the same translation function that the PSA crypto implementation
uses.
2020-01-31 10:15:32 +01:00
Gilles Peskine 89177e862b Convert USE_PSA_CRYPTO pk interface to the new PSA EC curve encoding 2020-01-31 10:15:32 +01:00
Gilles Peskine 33b1c69908 pk tests: USE_PSA_CRYPTO: test several curves 2020-01-31 10:15:32 +01:00
Gilles Peskine 85f47c9d69 pk tests: USE_PSA_CRYPTO: test attributes of the PSA key 2020-01-31 10:15:32 +01:00
Gilles Peskine 45c29ce4c0 Move size-specific curve/group constants to crypto_compat.h 2020-01-31 10:15:32 +01:00
Gilles Peskine 228abc5773 Define EC curve family constants
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.

Support these constants in the implementation and in the PSA metadata
tests.

Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.

Switch some documentation to the new encodings.

Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
2020-01-31 10:15:32 +01:00
Gilles Peskine 025fccdc32 Change the encoding of EC curves and DH groups to include the size
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).

As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
2020-01-31 10:15:32 +01:00
Gilles Peskine d8197cb902 mbedtls_psa_parse_tls_ecc_group: make no assumption on PSA encodings
Don't assume that the PSA encoding of elliptic curves is identical to
the TLS encoding. This is currently true but about to change.

The new implementation only works when MBEDTLS_ECP_C is defined. This
is ok because the function is only used with MBEDTLS_ECP_C defined.
2020-01-31 10:15:32 +01:00
Gilles Peskine fc2459db13 Remove mbedtls_psa_translate_ecc_group
Internally, use the corresponding function from psa_crypto.c instead.
Externally, this function is not used in Mbed TLS and is documented as
"may change at any time".
2020-01-31 10:15:32 +01:00
Gilles Peskine 5055b239bf Expose mbedtls/psa curve identifier conversions from psa_crypto.c 2020-01-31 10:15:32 +01:00