Commit graph

6905 commits

Author SHA1 Message Date
Yuto Takano 284857ee55 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:30:34 +01:00
Yuto Takano bc6eaf7976 Replace _B with B to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:29:53 +01:00
Paul Elliott 610a9cc43f Bump SO version for libmbedcrypto
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 14:59:26 +01:00
Paul Elliott bece7374ce Bump Library Version Number
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:52:07 +01:00
Paul Elliott 4128c2032e Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.27.0rc0-pr 2021-07-01 17:26:38 +01:00
Dave Rodgman ba940cc695
Merge pull request #4182 from gabor-mezei-arm/3258_implement_one-shot_MAC_and_cipher
[Backport 2.x] Implement one-shot cipher
2021-06-30 17:04:11 +01:00
Dave Rodgman af9b4841fb
Merge pull request #4605 from gabor-mezei-arm/3267_sign_verify_key_policies
[Backport 2.x] Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:51:03 +01:00
gabor-mezei-arm e4be8a3bea
Remove obsolete comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:34:28 +02:00
Dave Rodgman 0a4046e9ca
Merge pull request #4736 from daverodgman/alert_bugfixes_2.x
Backport 2.x: Fix alert raised for invalid fragment length
2021-06-30 09:02:49 +01:00
gabor-mezei-arm 252304594b
Fix minor issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:06:30 +02:00
gabor-mezei-arm 809634d5d9
Check the return status of the functions first
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm 42373bdde7
Add buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm 6f8d43df20
Remove invalid buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:39:49 +02:00
Dave Rodgman 0dfb7dbe15 TLS UNSUPPORTED_EXTENSION error code changes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 15:21:44 +01:00
Nick Child b6d5693be2 pk.c: Ensure hash_len equals hash in pk_hashlen_helper
The function `pk_hashlen_helper` exists to ensure a valid hash_len is
used in pk_verify and pk_sign functions. This function has been
used to adjust to the corrsponding hash_len if the user passes in 0
for the hash_len argument based on the md algorithm given. If the user
does not pass in 0 as the hash_len, then it is not adjusted. This is
problematic if the user gives a hash_len and hash buffer that is less than the
associated length of the md algorithm. This error would go unchecked
and eventually lead to buffer overread when given to specific pk_sign/verify
functions, since they both ignore the hash_len argument if md_alg is not MBEDTLS_MD_NONE.

This commit, adds a conditional to `pk_hashlen_helper` so that an
error is thrown if the user specifies a hash_length (not 0) and it is
not equal to the expected for the associated message digest algorithm.
This aligns better with the api documentation where it states "If
hash_len is 0, then the length associated with md_alg is used instead,
or an error returned if it is invalid"

Signed-off-by: Nick Child <nick.child@ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2021-06-29 09:31:06 -04:00
Dave Rodgman dd5f624f32 Fix TLS alert codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 09:45:08 +01:00
gabor-mezei-arm 6c18541a5e
Fix comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 16:41:31 +02:00
Dave Rodgman 78c601b529
Merge pull request #4717 from daverodgman/psa_cipher_and_mac_abort_on_error_2.x
Backport 2.x: Psa cipher and mac abort on error
2021-06-25 15:39:43 +01:00
Janos Follath 2667fb708e Fix unused parameter warning
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 15:36:55 +01:00
Janos Follath bc58902a32 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTLS_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath 7d4ebddbb6 Reject low-order points on Curve448 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath 1c6a439783 Use mbedtls_mpi_lset() more
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath bc96a79854 Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:01 +01:00
gabor-mezei-arm 0e1d31bf06
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm d52c8dc783
Fix possible unreachable code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm f4cc6c9064
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 3fd792d076
Add checks for buffer size
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 7fbea09847
Use local variable instead of an ouput parameter
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm 52ae871b27
Initialize output buffer length to 0
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:21:11 +02:00
Janos Follath b4c676e6b3 Prevent memory leak in ecp_check_pubkey_x25519()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard 520f0a0ea0 Avoid complaints about undeclared non-static symbols
Clang was complaining and check-names.sh too

This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard ae48111294 Use more compact encoding of Montgomery curve constants
Base 256 beats base 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard 10b8e5a5c9 Use a more compact encoding of bad points
Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:22 +01:00
Manuel Pégourié-Gonnard f2268d1c17 Reject low-order points on Curve25519 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:06:45 +01:00
Dave Rodgman 478ab5443b Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:30 +01:00
Ronald Cron 132e8c3cab
Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x
Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
2021-06-25 09:00:58 +02:00
gabor-mezei-arm dad6f3b5a0
Remove confising comments
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:29:09 +02:00
Dave Rodgman d73e1b0ccd Tidy up logic in psa_mac_sign_finish
Simplify the logic in psa_mac_sign_finish.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:57 +01:00
Dave Rodgman db861797c1 Correct coding style issues
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:53 +01:00
gabor-mezei-arm 22984de191
Remove comments
These comment cannot bring more information than the code does.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:20:22 +02:00
gabor-mezei-arm f67d8af106
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm fa990b5ffe
Dispatch cipher functions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
gabor-mezei-arm 0ef3b85381
Implement one-shot cipher
Implement one-shot cipher APIs, psa_cipher_encrypt and psa_cipher_decrypt, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
Dave Rodgman cccb05def4 Call abort on error in psa_mac/cipher setup
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:47 +01:00
Dave Rodgman 4e0a82e274 Update multipart hash operations to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:23 +01:00
gabor-mezei-arm 6439e85094 Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 11:58:19 +02:00
Dave Rodgman c88b0a57da Update cipher and mac functions to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 19:05:35 +01:00
Ronald Cron eaacabf98d
Merge pull request #4392 from gilles-peskine-arm/psa-storage-format-test-lifetimes
Backport 2.x: PSA storage format: test lifetimes
2021-06-23 15:22:24 +02:00
Gilles Peskine 76dec15d54 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Janos Follath 53d1cf8e2b
Merge pull request #4644 from gilles-peskine-arm/mpi_montmul-null-2.x
Backport 2.x: Fix several bugs with the value 0 in bignum
2021-06-23 13:40:05 +01:00
Gilles Peskine 478ac0bcc1
Merge pull request #4704 from mpg/issue-3990-fix_psa_verify_with_alt-2.x
[Backport 2.x] Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:42 +02:00
Ronald Cron 4ed836883e psa: mac: Add driver delegation support for psa_mac_verify()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron ef0d8f17f8 psa: mac: Introduce psa_mac_compute_internal
Introduce psa_mac_compute_internal with an
additional `is_sign` parameter compared to
the psa_mac_compute API. The intent is to
call psa_mac_compute_internal() from
psa_mac_verify() as well to compute the
message MAC.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 882eb780fb psa: mac: Improve MAC finalization code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron dbb8646c2c psa: mac: Add driver delegation support for psa_mac_compute()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron bfdfaa676c psa: mac: Add MAC compute builtin implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron def68e722a psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 1c650a1a37 psa: mac: Split psa_mac_setup()
Split out of psa_mac_setup() the final checks on
the requested algorithm and the key attributes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron 48f875e809 psa: mac: Re-organize psa_mac_setup() internal function
Re-organize psa_mac_setup() to prepare the move
to a dedicated function of the additional checks
on the algorithm and the key attributes done by
this function. We want to move those checks in
a dedicated function to be able to do them
without duplicating them in psa_mac_compute().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm a00616fc6b Implement one-shot MAC functions
Implement one-shot MAC APIs, psa_mac_compute and psa_mac_verify, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-22 13:43:13 +02:00
Janos Follath 03daae6894 Improve psa_rsa_decode_md_type()
Remove a case that cannot be triggered as PSA_ALG_SIGN_GET_HASH always
returns 0 for raw algorithms.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath b23b5745b5 PSA RSA PSS: pass pre-hash algorithm to Mbed TLS
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well
as Mbed TLS does not use this parameter for anything beyond determining
the input lengths.

Some alternative implementations however check the consistency of the
algorithm used for pre-hash and for other uses in verification (verify
operation and mask generation) and fail if they don't match. This makes
all such verifications fail.

Furthermore, the PSA Crypto API mandates that the pre-hash and internal
uses are aligned as well.

Fixes #3990.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:00 +02:00
Gilles Peskine 37d690c45b Correct some statements about the ordering of A and B
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine b798b35374 Clarification in a comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 38a384d2cc Simplify is-zero check
The loop exits early iff there is a nonzero limb, so i==0 means that
all limbs are 0, whether the number of limbs is 0 or not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine ea9aa14b3a Write a proof of correctness for mbedtls_mpi_gcd
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 6537bdb5e0 Explain how the code relates to the description in HAC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine d65b50063a Fix multiplication with negative result and a low-order 0 limb
Fix a bug introduced in "Fix multiplication producing a negative zero" that
caused the sign to be forced to +1 when A > 0, B < 0 and B's low-order limb
is 0.

Add a non-regression test. More generally, systematically test combinations
of leading zeros, trailing zeros and signs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 0759cadddf Whitespace fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine d48761317c mbedtls_mpi_read_string: make an empty bignum for an empty string
In mbedtls_mpi_read_string, if the string is empty, return an empty bignum
rather than a bignum with one limb with the value 0.

Both representations are correct, so this is not, in principle, a
user-visible change. The change does leak however through
mbedtls_mpi_write_string in base 16 (but not in other bases), as it writes a
bignum with 0 limbs as "" but a bignum with the value 0 and at least one
limb as "00".

This change makes it possible to construct an empty bignum through
mbedtls_mpi_read_string, which is especially useful to construct test
cases (a common use of mbedtls_mpi_read_string, as most formats use in
production encode numbers in binary, to be read with mbedtls_mpi_read_binary
or mbedtls_mpi_read_binary_le).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine 70a7dcda3f Fix multiplication producing a negative zero
Fix mbedtls_mpi_mul_mpi() when one of the operands is zero and the
other is negative. The sign of the result must be 1, since some
library functions do not treat {-1, 0, NULL} or {-1, n, {0}} as
representing the value 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine c86acc5434 mbedtls_mpi_gcd: small optimization
Shifting TA and TB before the loop is not necessary. If A != 0, it will be
done at the start of the loop iteration. If A == 0, then lz==0 and G is
correctly set to B after 0 loop iterations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine b5e56ec5fd mbedtls_mpi_gcd: fix the case B==0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine f643e8e8a9 Fix null pointer dereference in mbedtls_mpi_exp_mod
Fix a null pointer dereference in mbedtls_mpi_exp_mod(X, A, N, E, _RR) when
A is the value 0 represented with 0 limbs.

Make the code a little more robust against similar bugs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Manuel Pégourié-Gonnard 6a55de9057
Merge pull request #4623 from gilles-peskine-arm/debug-print-mpi-null-2.x
Backport 2.x: Fix mbedtls_debug_print_mpi crash on 0
2021-06-22 12:08:57 +02:00
Manuel Pégourié-Gonnard 9a11ac9cc1
Merge pull request #4621 from gilles-peskine-arm/default-hashes-curves-2.x
Backport 2.x: Curve and hash selection for X.509 and TLS
2021-06-22 12:08:43 +02:00
Manuel Pégourié-Gonnard 82a5a9dcdd Merge branch 'development_2.x' into development_2.x-restricted
* development_2.x:
  Reword changelog - Test Resource Leak
  Fix fd range for select on Windows
  Refactor file descriptor checks into a common function
  Update changelog formatting - Missing Free Context
  Update changelog formatting Missing Free Context
  Update changelog formatting - Missing Free Context
  Changelog entry for Free Context in test_suite_aes fix
  Free context in at the end of aes_crypt_xts_size()
  Fix copypasta in test data
  Use UNUSED wherever applicable in derive_input tests
  Fix missing state check for tls12_prf output
  Key derivation: add test cases where the secret is missing
  Add bad-workflow key derivation tests
  More explicit names for some bad-workflow key derivation tests
2021-06-22 10:42:04 +02:00
Gilles Peskine 51859aaff2 Fix fd range for select on Windows
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows: they were testing that the file
descriptor is in range for fd_set, but on Windows socket descriptors are not
limited to a small range. Fixes #4465.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Gilles Peskine 0f6351f8a9 Refactor file descriptor checks into a common function
This will make it easier to change the behavior uniformly.

No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Manuel Pégourié-Gonnard c94b6b07dc Homogenize coding patterns
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 16:39:47 +02:00
Gilles Peskine f216f0d5d4 Fix missing state check for tls12_prf output
Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Manuel Pégourié-Gonnard 0b3bde57f1 Silence MSVC type conversion warnings
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard f10d289441 Simplify sign selection
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard 5325b976b9 Avoid UB caused by conversion to int
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:22 +02:00
Manuel Pégourié-Gonnard 464fe6a4d7 Use bit operations for mpi_safe_cond_swap()
Unrelated to RSA (only used in ECP), but while improving one
mbedtls_safe_cond_xxx function, let's improve the other as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard c3be399591 Use bit operations for mpi_safe_cond_assign()
- copied limbs
- sign
- cleared limbs

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard eaafa494e1 Avoid using == for sensitive comparisons
mbedtls_mpi_cf_bool_eq() is a verbatim copy of mbedtls_ssl_cf_bool_eq()

Deduplication will be part of a future task.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard e10e8db6d4 Use constant-time look-up for modular exponentiation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-11 10:13:21 +02:00
Manuel Pégourié-Gonnard c4c0d819ce Merge branch 'development_2.x' into development_2.x-restricted
* development_2.x:
  Disable OS X builds on Travis
  config: Allow Mbed to implement TIMING_C
  Fix misuse of MD API in SSL constant-flow HMAC
2021-06-11 10:09:53 +02:00
Gilles Peskine 2bfbb17f30 Remove duplicate wipe call in psa_destroy_key
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 23:27:54 +02:00
Gilles Peskine 4de5a6096b Add missing parentheses
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:42:15 +02:00
Gilles Peskine e247b10cd6 Indicate that the truncation from size_t to int is deliberate
MPI sizes do fit in int. Let MSVC know this conversion is deliberate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:42:08 +02:00
Gilles Peskine 2ee0bb333c Simplify mbedtls_debug_print_mpi and fix the case of empty bignums
Rewrite mbedtls_debug_print_mpi to be simpler and smaller. Leverage
mbedtls_mpi_bitlen() instead of manually looking for the leading
zeros.

Fix #4608: the old code made an invalid memory dereference when
X->n==0 (freshly initialized bignum with the value 0).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:41:59 +02:00
Gilles Peskine 0ecd719edf Document more precisely what goes into the default profile
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:24:26 +02:00
Gilles Peskine 7a4c7589c8
Merge pull request #4541 from mpg/fix-ssl-cf-hmac-alt-2.x
[Backport 2.x] Fix misuse of MD API in SSL constant-flow HMAC
2021-06-07 20:53:48 +02:00
Gilles Peskine 74f66bb5c3 Fix non-constant-time comparison in mbedtls_mpi_random
Calling mbedtls_mpi_cmp_int reveals the number of leading zero limbs
to an adversary who is capable of very fine-grained timing
measurements. This is very little information, but could be practical
with secp521r1 (1/512 chance of the leading limb being 0) if the
adversary can measure the precise timing of a large number of
signature operations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-04 14:50:23 +02:00
Manuel Pégourié-Gonnard 62da8ac37a
Merge pull request #4276 from gilles-peskine-arm/random-range-uniformity
Backport 2.x: Fix non-uniform random generation in a range
2021-06-04 10:43:25 +02:00
Gilles Peskine 23422e424c Note that the byte order in mpi_fill_random_internal() is deliberate
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 11:51:09 +02:00
Gilles Peskine c0b68bf03a Use MBEDTLS_MPI_CHK where warranted
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-03 11:38:26 +02:00
Gilles Peskine 3130ce24f4 New internal function mbedtls_mpi_resize_clear
The idiom "resize an mpi to a given size" appeared 4 times. Unify it
in a single function. Guarantee that the value is set to 0, which is
required by some of the callers and not a significant expense where
not required.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 23:48:07 +02:00