Commit graph

13534 commits

Author SHA1 Message Date
Hanno Becker ecea07d6c3 Unify ciphersuite related debug output on client and server
The client previously reproted the offered ciphersuites through
their numerical identifier only, while the server reported them
through their name.

This commit modifies the debug output on client and server to
both use the format `ID (NAME)` for the ciphersuites.
2020-08-14 09:58:51 +01:00
Hanno Becker ca04fdc2cc Add support for password protected key file to ssl_client2
The example application programs/ssl/ssl_client2 allows the
configuration of a client CRT through the parameters
- crt_file, key_file
However, password protected key files are not supported.

This commit adds a new command line option
- key_pwd
which allow to specify a password for the key file specified
in the key_file parameter.
2020-08-14 09:58:51 +01:00
Hanno Becker e58a630cb0 Add support for password protected key file to ssl_server2
The example application programs/ssl/ssl_server2 allows the
configuration of up to two CRTs through the command line
parameters
- crt_file, key_file
- crt_file2, key_file2.
However, password protected key files are not supported.

This commit adds command line options
- key_pwd
- key_pwd2
which allow to specify passwords for the key files specified
in key_file and key_file2, respectively.
2020-08-14 09:58:51 +01:00
danh-arm 0ca6d38bc3
Merge pull request #3493 from gilles-peskine-arm/psa-unified-driver-specs
PSA unified driver specification
2020-08-06 16:10:17 +01:00
Gilles Peskine 404e1dbd5a Clarify updates to the persistent state in storage
Rename psa_crypto_driver_update_persistent_state to
psa_crypto_driver_commit_persistent_state.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:37:29 +02:00
Gilles Peskine 5001da4aee With multiple applicable transparent drivers, the order is unspecified
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:32:36 +02:00
Gilles Peskine b320d0833d Minor clarifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:27:41 +02:00
Gilles Peskine ea739f0814 Give some examples of purpsoses of pure-software transparent driver
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:27:41 +02:00
Gilles Peskine e265b9d183 Fix typos
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:27:41 +02:00
Gilles Peskine 3d1bcc68cb Add a link to the PSA API specification
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:20:09 +02:00
Gilles Peskine 929ab8af2b Explain locations vs lifetimes
Locations aren't in the official PSA API specification yet (they've
only be made public in Mbed TLS). Until version 1.0.1 of the API
specification is out, this document needs to explain locations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-05 22:18:38 +02:00
Gilles Peskine 67a85d1d3b
Merge pull request #3492 from stevew817/rework/key_slot_contains_key_buffer
Rework PSA Crypto core to store keys in export representation
2020-08-05 21:16:11 +02:00
Steven Cooreman d4867877f1 Initialize key pointer in ecdh to NULL
Since it is being dereferenced by free on exit it should be inited to NULL.
Also added a small test that would trigger the issue.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:47 +02:00
Steven Cooreman b7f6deaae7 Add buffer zeroization when ecp_write_key fails
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:47 +02:00
Steven Cooreman fd4d69a72e Simplified key slot deletion
And zeroize key buffer before freeing to avoid keys hanging around on the
heap.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:32 +02:00
Steven Cooreman 291498600b Style fixes
* return is treated as a function call
* space between opening and closing parentheses
* remove whiteline between assignment and checking of same variable

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 16:44:24 +02:00
Steven Cooreman 4fed455347 Apply review feedback
* No need to check for NULL before free'ing
* No need to reset variables that weren't touched
* Set output buffer to zero if key output fails
* Document internal functions and rearrange order of input arguments to
  better match other functions.
* Clean up Montgomery fix to be less verbose code

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-03 14:46:12 +02:00
Gilles Peskine ab808e7592 Update open question section about public key storage
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 13:43:02 +02:00
Gilles Peskine c93c4ed653 Remove the paragraph about declaring application needs
It's out of scope.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 13:38:03 +02:00
Gilles Peskine c1d388ae54 Change driver persistent data to a callback interface
Rather than have some functions take the in-memory copy of the
persistent data as argument, allow all of them to access the
persistent data, including modifying it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 12:04:46 +02:00
Gilles Peskine 8d06ad0177 Rework and expand key management in opaque drivers
Opaque drivers only have a destroy function if the key is stored in
the secure element.

Expand on how key creation works. Provide more explanations of
allocate_key in drivers for secure elements with storage. Discuss key
destruction as well.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 12:04:46 +02:00
Gilles Peskine 921492625c Fix typos and copypasta
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 12:04:45 +02:00
Gilles Peskine b6c43f61a4 Call driver entry point functions "entry point"
Call the functions listed in the driver description "entry points".
It's more precise than "functions", which could also mean any C
function defined in the driver code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-03 11:21:07 +02:00
Steven Cooreman 3fa684ed91 Allow importing Montgomery public keys in PSA Crypto
PSA Crypto was checking the byte length of a to-be-imported public ECP key
against the expected length for Weierstrass keys, forgetting that
Curve25519/Curve448 exists.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:35:14 +02:00
Steven Cooreman 7f39187d6b Convert load_xxx_representation to take buffers instead of a whole slot
Avoids stack-allocating a key slot during ECDH, and mock-attaching a
key to a key slot during key import.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:21:41 +02:00
Steven Cooreman 6d839f05bf Cleanup
* No null-check before calling free
* Close memory leak
* No need for double check of privkey validity

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:21:41 +02:00
Steven Cooreman a2371e53e4 Update after feedback from #3492
* Allocate internal representation contexts on the heap (i.e. don't change
  where they're being allocated)
* Unify load_xxx_representation in terms of allocation and init behaviour

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-28 14:30:39 +02:00
Steven Cooreman 75b743666e Update after feedback on #3492
* Updated wording
* Split out buffer allocation to a convenience function
* Moved variable declarations to beginning of their code block

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-28 14:30:13 +02:00
Steven Cooreman 19fd574b3a Disconnect knowing about a PSA key type from knowing the mbedTLS API
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:46:21 +02:00
Steven Cooreman 560c28a1ac Unify key handling logic
Now that both ECP and RSA keys are represented in export representation,
they can be treated more uniformly.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman acda8346bf Remove ECP internal representation from key slot
Change to on-demand loading of the internal representation when required
in order to call an mbed TLS cryptography API.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman a01795d609 Remove RSA internal representation from key slot
Change to on-demand loading of the internal representation when required
in order to call an mbed TLS cryptography API.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman 81be2fa0b2 Pull apart slot memory allocation from key validation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:31 +02:00
Steven Cooreman 71fd80d279 Re-define members of psa_key_slot_t
In preparation for the implementation of the accelerator APIs. This is
ramping up to the goal of only storing the export representation in the
key slot, and not keeping the crypto implementation-specific representations
around.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-24 23:44:25 +02:00
Manuel Pégourié-Gonnard ee7e85f5b9
Merge pull request #2019 from gilles-peskine-arm/build_with_only_montgomery_curves-conditional_mul_add
Build with only Montgomery curves (conditional mul_add)
2020-07-22 13:13:36 +02:00
Gilles Peskine 6d9c8d7b2d Minor documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-22 03:17:25 +02:00
Gilles Peskine a3de08d0b5 Reorder curve enumeration like mbedtls_ecp_group_id
No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine d3beca9e38 Test Everest with only Curve25519 enabled
tests/scripts/curves.pl tests the library with a single curve enabled.
This uses the legacy ECDH context and the default ECDH implementation.
For Curve25519, there is an alternative implementation, which is
Everest. Test this. This also tests the new ECDH context, which
Everest requires.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine 0478c2f77e Add ChangeLog entry for single-curve build fixes
Fix #941, #1412, #1147, #2017

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine 5997005611 Fix unused variables in Montgomery-only configuration
Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine a2611604d4 curves.pl: test with each elliptic curve enabled
Previously curves.pl tested with all elliptic curves enabled except
one, for each curve. This catches tests that are missing dependencies
on one of the curve that they use, but does not catch misplaced
conditional directives around parts of the library.

Now, we additionally test with a single curve, for each curve. This
catches missing or extraneous guards around code that is specific to
one particular curve or to a class of curves.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine a088c81fcb Adjust ECP self-test to support Curve448
Adjust the Montgomery self-test to use Curve448 in builds without
Curve25519.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine 24666795e4 ECP self test: add self-test step for Montgomery curves
Run some self-test both for a short Weierstrass curve and for a
Montgomery curve, if the build-time configuration includes a curve of
both types. Run both because there are significant differences in the
implementation.

The test data is suitable for Curve25519.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine c95696fec4 Factor common code in mbedtls_ecp_self_test
No intended behavior change.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine d9767a5799 Tweak ECP self-test to work with secp192k1
The constants used in the test worked with every supported curve
except secp192k1. For secp192k1, the "N-1" exponent was too large.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:24 +02:00
Gilles Peskine 7ab66a6bf1 Add missing dependencies for ECDH_xxx key exchanges
ECDH_ECDSA requires ECDSA and ECDH_RSA requires RSA.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:23 +02:00
Gilles Peskine 963a207678 Document what needs to be done when adding a new curve
Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:23 +02:00
Gilles Peskine aa9493a411 Add guards around code that is specific to dynamically-loaded groups
For some curves (semi-coincidentally, short Weierstrass curves), the
ECP module calculates some group parameters dynamically. Build the
code to calculate the parameters only if a relevant curve is enabled.
This fixes an unused function warning when building with only
Montgomery curves.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:23 +02:00
Gilles Peskine e8c04fed51 Replace ECP_xxx by MBEDTLS_ECP__xxx_ENABLED
Replace the now-redundant internal curve type macros ECP_xxx by the
macros MBEDTLS_ECP__xxx_ENABLED which are declared in ecp.h.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 03:17:22 +02:00
Gilles Peskine 9b99a8942f mbedtls_ecp_muladd is only for short Weierstrass curves
Document that mbedtls_ecp_muladd and mbedtls_ecp_muladd_restartable
are only implemented on short Weierstrass curves.

Exclude these functions at build time if no short Weierstrass curve
is included in the build. Before, these functions failed to compile in
such a configuration.

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2020-07-22 02:48:31 +02:00