Commit Graph

3402 Commits

Author SHA1 Message Date
Jaeden Amero
9ebcf9b00a Merge remote-tracking branch 'origin/pr/2538' into development
* origin/pr/2538:
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  Add eap-tls key derivation in the examples.
  Add ChangeLog entry
  Add an extra key export function
  Have the temporary buffer allocated dynamically
  Zeroize secret data in the exit point
  Add a single exit point in key derivation function
2019-05-20 10:58:36 +01:00
Jaeden Amero
fba7539ad7
Merge pull request #269 from ARMmbed/psa-slots_to_handles
Update API documentation to refer to handles and key ids, not slots
2019-05-17 10:18:34 +01:00
Gilles Peskine
eff4942202
Merge pull request #268 from ARMmbed/psa-error_tampering_detected
Rename PSA_ERROR_TAMPERING_DETECTED to PSA_ERROR_CORRUPTION_DETECTED
2019-05-17 11:06:09 +02:00
Gilles Peskine
35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Adrian L. Shaw
0a695bd13e Simplify description of psa_copy_key 2019-05-16 22:11:18 +02:00
Adrian L. Shaw
52d83dabd6 Mention psa_close_key in the description of psa_open_key 2019-05-16 22:11:17 +02:00
Adrian L. Shaw
d56456cbe8 Improve descriptions that mention handles and fix incorrect mention of psa_create_key 2019-05-16 22:10:51 +02:00
Adrian L. Shaw
67e1c7ac80 Remove remaining mentions of slots 2019-05-16 22:10:49 +02:00
Gilles Peskine
4b3eb69271 Rename PSA_ERROR_TAMPERING_DETECTED to ..._CORRUPTION_DETECTED
“Tampering detected” was misleading because in the real world it can
also arise due to a software bug. “Corruption detected” is neutral and
more precisely reflects what can trigger the error.

perl -i -pe 's/PSA_ERROR_TAMPERING_DETECTED/PSA_ERROR_CORRUPTION_DETECTED/gi' $(git ls-files)
2019-05-16 21:35:18 +02:00
Gilles Peskine
27a983d93c Grammar fix 2019-05-16 19:51:11 +02:00
Gilles Peskine
20a77aeac7 RSA key generation: require e=65537 2019-05-16 19:51:10 +02:00
Gilles Peskine
a130219ac0 Move remaining text about DSA out of the specification 2019-05-16 19:51:10 +02:00
Gilles Peskine
e38ab1ac4f Move DSA definitions out of the specification
Move DSA-related key types and algorithms to the
implementation-specific header file. Not that we actually implement
DSA, but with domain parameters, we should be able to.
2019-05-16 19:51:10 +02:00
Gilles Peskine
dcaefae849 Parametrize Diffie-Hellman keys by a group identifier
Parametrize finite-field Diffie-Hellman key types with a DH group
identifier, in the same way elliptic curve keys are parametrized with
an EC curve identifier.

Define the DH groups from the TLS registry (these are the groups from
RFC 7919).

Replicate the macro definitions and the metadata tests from elliptic
curve identifiers to DH group identifiers.

Define PSA_DH_GROUP_CUSTOM as an implementation-specific extension for
which domain parameters are used to specify the group.
2019-05-16 19:51:10 +02:00
Gilles Peskine
24f10f85e2 Remove domain parameters from the official API
Move psa_get_key_domain_parameters() and
psa_set_key_domain_parameters() out of the official API and declare
them to be implementation-specific extensions.

Expand the documentation of psa_set_key_domain_parameters() a bit to
explain how domain parameters are used.

Remove all mentions of domain parameters from the documentation of API
functions. This leaves DH and DSA effectively unusable.
2019-05-16 19:27:05 +02:00
Gilles Peskine
58fe9e8afe Correct the description of psa_raw_key_agreement
There was some copypasta from the KA+KDF function's description.
2019-05-16 18:55:25 +02:00
Gilles Peskine
be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine
1cb9a08d6a Reorder key derivation functions in the header file
Present key derivation functions in a more logical order,
corresponding roughly to the order in which an application would call
them.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine
35675b6b26 Terminology: say "key derivation operation", not "generator"
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology.

This commit updates the function descriptions.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine
03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine
a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero
d35249e66f
Merge pull request #109 from gilles-peskine-arm/psa-key_attributes-set_persistent
Individual setters for persistent key attributes
2019-05-16 17:28:53 +01:00
Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Gilles Peskine
f1b7694768 Minor documentation improvements 2019-05-16 16:10:59 +02:00
Gilles Peskine
280948a32b Fix copypasta in the documentation of PSA_KEY_ID_xxx_{MIN,MAX} 2019-05-16 15:27:14 +02:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine
6c9514427b New macro to get the bit size of an elliptic curve 2019-05-16 00:16:46 +02:00
Gilles Peskine
73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
806051f17e Update an obsolete use of psa_import_key in documentation
psa_import_key now takes an attribute structure, not a type.
2019-05-15 23:15:49 +02:00
Gilles Peskine
98dd779eb5 Put handle parameter last: psa_generate_derived_key
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
9de5eb0a2f Remove psa_make_key_persistent 2019-05-15 19:14:05 +02:00
Gilles Peskine
dc8219a10d Replace psa_make_key_persistent by id/lifetime setters
Use individual setters for the id and lifetime fields of an attribute
structure, like the other attributes.

This commit updates the specification and adds an implementation of
the new setters.
2019-05-15 19:14:05 +02:00
Gilles Peskine
80b39ae753 Remove obsolete use of key policy structure in API text 2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66 Declare key id 0 as invalid
In keeping with other integral types, declare 0 to be an invalid key
identifier.

Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Ron Eldor
c8b5f3f520 Documentation fixes
Rephrase documentation of the SAN to make it clearer.
2019-05-15 15:15:55 +03:00
Ron Eldor
51d3ab544f Add public API for tls_prf
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
f5cc10d93b Add an extra key export function
Add an additional function `mbedtls_ssl_export_keys_ext_t()`
for exporting key, that adds additional information such as
the used `tls_prf` and the random bytes.
2019-05-15 13:38:39 +03:00
Ron Eldor
cc45cd177f Update SAN parsing documentation
1) Fix typo in `mbedtls_x509_parse_subject_alt_name()` documentation.
2) Add a not in `mbedtls_x509_parse_subject_alt_name()` documentation,
stating that the lifetime of the target structure is restricted
by the lifetime ofthe parsed certificate.
2019-05-15 10:20:09 +03:00
Gilles Peskine
d6a8f5f1b5 Improve description of PSA_KEY_USAGE_COPY
Be more clear about when EXPORT is also required.
2019-05-14 16:25:50 +02:00
Gilles Peskine
ac99e32b79 Documentation improvements 2019-05-14 16:11:07 +02:00
Gilles Peskine
36d477de44 Fix copypasta in PSA_AEAD_DECRYPT_OUTPUT_SIZE 2019-05-14 16:11:07 +02:00
Gilles Peskine
248010caa0 Fix calculation in PSA_AEAD_UPDATE_OUTPUT_SIZE 2019-05-14 16:11:07 +02:00
Gilles Peskine
8e0206aa26 New usage flag PSA_KEY_USAGE_COPY
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Gilles Peskine
4318dfc8ec psa_export_key, psa_export_public_key: document the EXPORT flag 2019-05-14 14:23:32 +02:00
Ron Eldor
f05f594acb change the type of hardware_module_name member
Change the type of `hardware_module_name` struct from
`mbedtls_x509_name` to a unique struct, to distinguish it from the
named data type.
2019-05-13 19:23:08 +03:00
Ron Eldor
890819a597 Change mbedtls_x509_subject_alternative_name
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
2019-05-13 19:23:07 +03:00
Ron Eldor
78c3040347 Rephrase x509_crt extension member description
Rephrase doxygen comments for subject alternative name
and certificate policies.
2019-05-13 15:49:53 +03:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Krzysztof Stachowiak
abdf1c608e Document the default value for the maximum fragment length 2019-05-13 12:45:12 +02:00
k-stachowiak
6d72212d45 Improve clarity of mbedtls_ssl_conf_max_frag_len documentation 2019-05-13 12:45:12 +02:00
k-stachowiak
db850c63b2 Reword ssl_conf_max_frag_len documentation 2019-05-13 12:45:12 +02:00
k-stachowiak
61aa74fb3d Fix typos and miswording in the mbedtls_ssl_conf_max_frag_len documentation comment 2019-05-13 12:45:12 +02:00
k-stachowiak
eb1bb3d2d0 Reword ssl_conf_max_frag_len documentation to clarify its necessity 2019-05-13 12:45:12 +02:00
Janos Follath
11b41eb12b Fix typos in x509_crt.h 2019-05-08 15:30:33 +01:00
Janos Follath
5091bec3ea Fix doxygen for new x509 structures
The documentation for some new structures and members was only a C style
comment and wasn't picked up by doxygen. This commit adds the missing
asterisks.
2019-05-08 15:23:08 +01:00
Ron Eldor
3c4734a2a5 Add Wisun Fan device certificate
Add certificate with Wisun fan device extended key usage,
support parsing it and add tests.
2019-05-07 17:06:47 +03:00
Ron Eldor
74d9acc144 Add support for certificate policies extension
Add support for certificate policies, as defined in rfc 5280.
Currently support only `anyPolicy` policy.
2019-05-07 17:05:45 +03:00
Ron Eldor
b2dc3fa72e Suppport otherName of type hardware module name
Add support of parsing of subject alternative name, of type otherName.
Currently supports only hardware module name, as defined in rfc 4108.
2019-05-07 17:04:57 +03:00
Gilles Peskine
4a231b8d3b Break up key identifiers into user, vendor and reserved ranges
Define a range of key identifiers for use by the application
(0..2^30-1), a range for use by implementations (2^30..2^31), and a
range that is reserved for future use (2^31..2^32-1).
2019-05-06 18:56:14 +02:00
Gilles Peskine
225010fdf7 Remove lifetime parameter from psa_open_key
Change the scope of key identifiers to be global, rather than
per lifetime. As a result, you now need to specify the lifetime of a
key only when creating it.
2019-05-06 18:52:22 +02:00
Jack Lloyd
5d9c9636fa Add support for RSA PKCSv1.5 signatures using RIPEMD-160 2019-05-06 12:15:17 -04:00
Gilles Peskine
f02aec90dc Allow AEAD update output to be delayed
Do not require finish() to have empty output for any algorithm. Some
hardware does not support immediate stream processing.
2019-05-06 15:59:44 +02:00
Gilles Peskine
3e79c8ecfd Declare ChaCha20 cipher and AEAD
Declare algorithms for ChaCha20 and ChaCha20-Poly1305, and a
corresponding (common) key type.

Don't declare Poly1305 as a separate algorithm because it's a one-time
authenticator, not a MAC, so the API isn't suitable for it (no way to
use a nonce).
2019-05-06 15:59:44 +02:00
Gilles Peskine
49dd8d8cec Add size macros for multipart AEAD
New macros PSA_AEAD_UPDATE_OUTPUT_SIZE, PSA_AEAD_FINISH_OUTPUT_SIZE
and PSA_AEAD_VERIFY_OUTPUT_SIZE to determine the output buffer sizes
for psa_aead_update(), psa_aead_finish() and psa_aead_verify().
2019-05-06 15:59:16 +02:00
Gilles Peskine
5211efb317 Add output parameter for psa_aead_verify
Like psa_aead_finish(), psa_aead_verify() needs to produce output from
the last partial block of input if psa_aead_update() cannot produce
output byte by byte.
2019-05-06 15:56:05 +02:00
Gilles Peskine
bdc27860c2 Reorder macros for clarity
Group PSA_AEAD_DECRYPT_OUTPUT_SIZE with PSA_AEAD_ENCRYPT_OUTPUT_SIZE.
2019-05-06 15:45:16 +02:00
Gilles Peskine
679693ee49 Algorithm encoding: add flag bit PSA_ALG_AEAD_FROM_BLOCK_FLAG
Make it easy to distinguish generic constructions on top of block
ciphers, such as CCM or GCM, from specialized algorithms such as
Chacha20-Poly1305.
2019-05-06 15:10:16 +02:00
Hanno Becker
4063ad22b3 Improve documentation of mbedtls_pem_write_buffer()
In particular, mention that it supports overlapping input and
output buffers.
2019-05-04 08:12:47 +01:00
Gilles Peskine
4ce2a9dcbf Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
2019-05-03 16:57:15 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00
Gilles Peskine
1ea5e44c93 Minor documentation improvement 2019-05-02 20:31:10 +02:00
Jaeden Amero
75d9a333ce Merge remote-tracking branch 'origin/pr/1633' into development
* origin/pr/1633: (26 commits)
  Fix uninitialized variable access in debug output of record enc/dec
  Adapt PSA code to ssl_transform changes
  Ensure non-NULL key buffer when building SSL test transforms
  Catch errors while building SSL test transforms
  Use mbedtls_{calloc|free}() in SSL unit test suite
  Improve documentation of mbedtls_record
  Adapt record length value after encryption
  Alternative between send/recv transform in SSL record test suite
  Fix memory leak on failure in test_suite_ssl
  Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment
  Add record encryption/decryption tests for ARIA to SSL test suite
  Improve documentation of mbedtls_ssl_transform
  Double check that record expansion is as expected during decryption
  Move debugging output after record decryption
  Add encryption/decryption tests for small records
  Add tests for record encryption/decryption
  Reduce size of `ssl_transform` if no MAC ciphersuite is enabled
  Remove code from `ssl_derive_keys` if relevant modes are not enabled
  Provide standalone version of `ssl_decrypt_buf`
  Provide standalone version of `ssl_encrypt_buf`
  ...
2019-05-02 09:08:43 +01:00
Jaeden Amero
7b3603c6d8 Merge remote-tracking branch 'tls/development' into development
Resolve merge conflicts by performing the following actions:

- Reject changes to deleted files.
- Reject changes to generate_errors.pl and generate_visualc_files.pl.
  Don't add an 'include-crypto' option which would attempt to use the
  non-existent crypto submodule.
- list-identifiers.sh had the `--internal` option added to it, which
  lists identifiers only in internal headers. Add PSA-specific internal
  headers to list-identifiers.sh.

* origin/development: (40 commits)
  Document the scripts behaviour further
  Use check_output instead of Popen
  all.sh: Require i686-w64-mingw32-gcc version >= 6
  generate_visualc_files.pl: add mbedtls source shadowing by crypto
  generate_errors.pl: refactor and simplify the code
  Start unused variable with underscore
  Correct documentation
  generate_errors.pl: typo fix
  revert changes to generate_features.pl and generate_query_config.pl
  Check that the report directory is a directory
  Use namespaces instead of full classes
  Fix pylint issues
  Don't put abi dumps in subfolders
  Add verbose switch to silence all output except the final report
  Fetch the remote crypto branch, rather than cloning it
  Prefix internal functions with underscore
  Add RepoVersion class to make handling of many arguments easier
  Reduce indentation levels
  Improve documentation
  Use optional arguments for setting repositories
  ...
2019-05-01 14:12:43 +01:00
Gilles Peskine
aa02c17dfa Add buffer size macro for psa_get_key_domain_parameters 2019-04-28 11:48:29 +02:00
Gilles Peskine
9c640f91d4 Improve documentation of key attributes 2019-04-28 11:48:26 +02:00
Gilles Peskine
06af0cd4a3 Always require reset after psa_get_key_attributes
There was a guarantee that psa_get_key_attributes() does not require a
subsequent psa_reset_key_attributes() to free resources as long as the
key was created with attributes having this property. This requirement
was hard to pin down because if a key is created with default
parameters, there are cases where it is difficult to ensure that the
domain parameters will be reported without allocating memory. So
remove this guarantee. Now the only case psa_reset_key_attributes() is
not required is if the attribute structure has only been modified with
certain specific setters.
2019-04-28 11:46:10 +02:00
Gilles Peskine
e56e878207 Remove extra parameter from psa_generate_key
Read extra data from the domain parameters in the attribute structure
instead of taking an argument on the function call.

Implement this for RSA key generation, where the public exponent can
be set as a domain parameter.

Add tests that generate RSA keys with various public exponents.
2019-04-26 17:37:50 +02:00
Gilles Peskine
b699f07af0 Switch psa_{get,set}_domain_parameters to attributes
Change psa_get_domain_parameters() and psa_set_domain_parameters() to
access a psa_key_attributes_t structure rather than a key handle.

In psa_get_key_attributes(), treat the RSA public exponent as a domain
parameter and read it out. This is in preparation for removing the
`extra` parameter of psa_generate_key() and setting the RSA public
exponent for key generation via domain parameters.

In this commit, the default public exponent 65537 is not treated
specially, which allows us to verify that test code that should be
calling psa_reset_key_attributes() after retrieving the attributes of
an RSA key is doing so properly (if it wasn't, there would be a memory
leak), even if the test data happens to use an RSA key with the
default public exponent.
2019-04-26 17:37:08 +02:00
Gilles Peskine
3a4f1f8e46 Set the key size as an attribute
Instead of passing a separate parameter for the key size to
psa_generate_key and psa_generator_import_key, set it through the
attributes, like the key type and other metadata.
2019-04-26 13:49:28 +02:00
Hanno Becker
cd430bc099 Improve documentation of mbedtls_record 2019-04-25 12:58:21 +01:00
Hanno Becker
0db7e0ce68 Improve documentation of mbedtls_ssl_transform 2019-04-25 12:58:21 +01:00
Hanno Becker
a18d1320da Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-25 12:58:21 +01:00
Hanno Becker
d56ed2491b Reduce size of ssl_transform if no MAC ciphersuite is enabled
The hash contexts `ssl_transform->md_ctx_{enc/dec}` are not used if
only AEAD ciphersuites are enabled. This commit removes them from the
`ssl_transform` struct in this case, saving a few bytes.
2019-04-25 12:58:21 +01:00
Hanno Becker
2e24c3b672 Provide standalone version of ssl_decrypt_buf
Analogous to the previous commit, but concerning the record decryption
routine `ssl_decrypt_buf`.

An important change regards the checking of CBC padding:
Prior to this commit, the CBC padding check always read 256 bytes at
the end of the internal record buffer, almost always going past the
boundaries of the record under consideration. In order to stay within
the bounds of the given record, this commit changes this behavior by
always reading the last min(256, plaintext_len) bytes of the record
plaintext buffer and taking into consideration the last `padlen` of
these for the padding check. With this change, the memory access
pattern and runtime of the padding check is entirely determined by
the size of the encrypted record, in particular not giving away
any information on the validity of the padding.

The following depicts the different behaviors:

1) Previous CBC padding check

1.a) Claimed padding length <= plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

                                +------------------------------------...
                                |  read for padding check            ...
                                +------------------------------------...
                                                |
                                                 contents discarded
                                                 from here

1.b) Claimed padding length > plaintext length

  +----------------------------------------+----+
  |   Record plaintext buffer              | PL |
  +----------------------------------------+----+
                                           +-------------------------...
                                           |  read for padding check ...
                                           +-------------------------...
                                                |
                                                 contents discarded
                                                 from here

2) New CBC padding check

  +----------------------------------------+----+
  |   Record plaintext buffer   |          | PL |
  +----------------------------------------+----+
                                 \__ PL __/

        +---------------------------------------+
        |        read for padding check         |
        +---------------------------------------+
                                |
                                 contents discarded
                                 until here
2019-04-25 12:58:21 +01:00
Hanno Becker
9eddaebda5 Provide standalone version of ssl_encrypt_buf
The previous version of the record encryption function
`ssl_encrypt_buf` takes the entire SSL context as an argument,
while intuitively, it should only depend on the current security
parameters and the record buffer.

Analyzing the exact dependencies, it turned out that in addition
to the currently active `ssl_transform` instance and the record
information, the encryption function needs access to
- the negotiated protocol version, and
- the status of the encrypt-then-MAC extension.

This commit moves these two fields into `ssl_transform` and
changes the signature of `ssl_encrypt_buf` to only use an instance
of `ssl_transform` and an instance of the new `ssl_record` type.
The `ssl_context` instance is *solely* kept for the debugging macros
which need an SSL context instance.

The benefit of the change is twofold:
1) It avoids the need of the MPS to deal with instances of
   `ssl_context`. The MPS should only work with records and
   opaque security parameters, which is what the change in
   this commit makes progress towards.
2) It significantly eases testing of the encryption function:
   independent of any SSL context, the encryption function can
   be passed some record buffer to encrypt alongside some arbitrary
   choice of parameters, and e.g. be checked to not overflow the
   provided memory.
2019-04-25 12:58:21 +01:00
Hanno Becker
d362dc504d Improve documentation of mbedtls_ssl_transform 2019-04-25 12:58:21 +01:00
Hanno Becker
12a3a86b2d Add structure representing TLS records
This commit adds a structure `mbedtls_record` whose instances
represent (D)TLS records. This structure will be used in the
subsequent adaptions of the record encryption and decryption
routines `ssl_decrypt_buf` and `ssl_encrypt_buf`, which currently
take the entire SSL context as input, but should only use the
record to be acted on as well as the record transformation to use.
2019-04-25 12:58:21 +01:00
Hanno Becker
34f88afdf1 Fix definition of SSL_SOME_MODES_USE_MAC
The previous definition was lacking the case of the ARIA and DES ciphers.
2019-04-25 12:58:21 +01:00
Hanno Becker
52344c2972 Correct space needed for MAC in case of NULL cipher
The macro constant `MBEDTLS_SSL_MAC_ADD` defined in `ssl_internal.h`
defines an upper bound for the amount of space needed for the record
authentication tag. Its definition distinguishes between the
presence of an ARC4 or CBC ciphersuite suite, in which case the maximum
size of an enabled SHA digest is used; otherwise, `MBEDTLS_SSL_MAC_ADD`
is set to 16 to accomodate AEAD authentication tags.

This assignment has a flaw in the situation where confidentiality is
not needed and the NULL cipher is in use. In this case, the
authentication tag also uses a SHA digest, but the definition of
`MBEDTLS_SSL_MAC_ADD` doesn't guarantee enough space.

The present commit fixes this by distinguishing between the presence
of *some* ciphersuite using a MAC, including those using a NULL cipher.
For that, the previously internal macro `SSL_SOME_MODES_USE_MAC` from
`ssl_tls.c` is renamed and moved to the public macro
`MBEDTLS_SOME_MODES_USE_MAC` defined in `ssl_internal.h`.
2019-04-25 12:58:21 +01:00
Hanno Becker
e694c3ef3e Remove ciphersuite_info from ssl_transform
Prior to this commit, the security parameter struct `ssl_transform`
contained a `ciphersuite_info` field pointing to the information
structure for the negotiated ciphersuite. However, the only
information extracted from that structure that was used in the core
encryption and decryption functions `ssl_encrypt_buf`/`ssl_decrypt_buf`
was the authentication tag length in case of an AEAD cipher.

The present commit removes the `ciphersuite_info` field from the
`ssl_transform` structure and adds an explicit `taglen` field
for AEAD authentication tag length.

This is in accordance with the principle that the `ssl_transform`
structure should contain the raw parameters needed for the record
encryption and decryption functions to work, but not the higher-level
information that gave rise to them. For example, the `ssl_transform`
structure implicitly contains the encryption/decryption keys within
their cipher contexts, but it doesn't contain the SSL master or
premaster secrets. Likewise, it contains an explicit `maclen`, while
the status of the 'Truncated HMAC' extension -- which  determines the
value of `maclen` when the `ssl_transform` structure is created in
`ssl_derive_keys` -- is not contained in `ssl_transform`.

The `ciphersuite_info` pointer was used in other places outside
the encryption/decryption functions during the handshake, and for
these functions to work, this commit adds a `ciphersuite_info` pointer
field to the handshake-local `ssl_handshake_params` structure.
2019-04-25 12:58:21 +01:00
Hanno Becker
88aaf652b1 Remove key length field from ssl_transform
The `ssl_transform` security parameter structure contains opaque
cipher contexts for use by the record encryption/decryption functions
`ssl_decrypt_buf`/`ssl_encrypt_buf`, while the underlying key material
is configured once in `ssl_derive_keys` and is not explicitly dealt with
anymore afterwards. In particular, the key length is not needed
explicitly by the encryption/decryption functions but is nonetheless
stored in an explicit yet superfluous `keylen` field in `ssl_transform`.
This commit removes this field.
2019-04-25 12:57:19 +01:00
Jaeden Amero
651ae684e1 config: Enable using ARIA-GCM without other ciphers
Previously, GCM required enabling either AES or Camellia. However, we
also support using GCM with ARIA and without other ciphers. Enable
configurations with only ARIA enabled to use GCM.
2019-04-25 11:46:21 +01:00
Jaeden Amero
7accf444ea config: Simplify incorrect GCM comment
GCM is not just for AES, but for at least Camellia as well.
2019-04-25 11:46:21 +01:00
Jaeden Amero
7242ea688a config: Remove explicit ciphersuite lists
Make maintaining config files easier by removing any explicit
ciphersuite lists. These explicit lists are prone to being incomplete as
TLS defines more and more ciphersuites. Rather than try to play catch
up, let's refer to sets of ciphersuites with declarative language.
2019-04-25 11:46:21 +01:00
Jaeden Amero
32577734e2 doxygen: Update for Mbed Crypto
Remove references to the X.509, NET, and SSL modules. Update text from
"Mbed TLS" to "Mbed Crypto". Update version number.
2019-04-25 11:46:21 +01:00
Jaeden Amero
a4308b29a4 Remove unused TLS, NET, and X.509 files
We've removed all software that depends on or uses the TLS, NET, and
X.509 modules. This means TLS, NET, and X.509 are unused and can be
removed. Remove TLS, NET, and X.509.
2019-04-25 11:46:21 +01:00
Jaeden Amero
bb1f701212 config: Remove X.509 options
Note that this fails check-names.sh because options that TLS and X.509
files use are no longer present in config.h.
2019-04-25 11:46:21 +01:00
Jaeden Amero
1c66e48670 config: Remove TLS and NET options
Remove TLS and NET options from config files and scripts.

Note that this fails check-names.sh because options that TLS and NET
files use are no longer present in config.h.
2019-04-25 11:46:21 +01:00
Gilles Peskine
a3dd737be4 Move legacy definitions to crypto_extra.h
Types and functions that are not used in the attribute-based key
creation API are now implementation-specific extensions, kept around
until we finish transitioning to the new API.
2019-04-24 15:47:30 +02:00
Gilles Peskine
2062859496 Document the new functions related to key attributes
Also update the documentation of key creation functions that have been
modified to use key attributes.
2019-04-24 15:47:30 +02:00
Gilles Peskine
8c8f2ab66b Implement psa_get_key_attributes
Implement attribute querying.

Test attribute getters and setters. Use psa_get_key_attributes instead
of the deprecated functions psa_get_key_policy or
psa_get_key_information in most tests.
2019-04-24 15:46:04 +02:00
Gilles Peskine
db4b3abab1 Implement missing attributes setters and getters 2019-04-24 15:46:03 +02:00
Gilles Peskine
4747d19d18 Implement atomic-creation psa_import_key
Implement the new, attribute-based psa_import_key and some basic
functions to access psa_key_attributes_t. Replace
psa_import_key_to_handle by psa_import_key in a few test functions.

This commit does not handle persistence attributes yet.
2019-04-24 15:45:50 +02:00
Gilles Peskine
87a5e565f4 Rename functions that inject key material to an allocated handle
This commit starts a migration to a new interface for key creation.
Today, the application allocates a handle, then fills its metadata,
and finally injects key material. The new interface fills metadata
into a temporary structure, and a handle is allocated at the same time
it gets filled with both metadata and key material.

This commit was obtained by moving the declaration of the old-style
functions to crypto_extra.h and renaming them with the to_handle
suffix, adding declarations for the new-style functions in crypto.h
under their new name, and running

    perl -i -pe 's/\bpsa_(import|copy|generator_import|generate)_key\b/$&_to_handle/g' library/*.c tests/suites/*.function programs/psa/*.c
    perl -i -pe 's/\bpsa_get_key_lifetime\b/$&_from_handle/g' library/*.c tests/suites/*.function programs/psa/*.c

Many functions that are specific to the old interface, and which will
not remain under the same name with the new interface, are still in
crypto.h for now.

All functional tests should still pass. The documentation may have
some broken links.
2019-04-24 15:24:45 +02:00
Jaeden Amero
3956a847e6 Merge remote-tracking branch 'origin/pr/2092' into development
* origin/pr/2092:
  Add more missing parentheses around macro parameters
  Add further missing brackets around macro parameters
  Adapt ChangeLog
  Improve macro hygiene
2019-04-24 11:17:21 +01:00
Gilles Peskine
22c51517fb Use unsigned int for bitfields
uintN_t is not a standard type for a bitfield, as armcc points out.
2019-04-18 09:42:21 +02:00
Gilles Peskine
a52460c3ed Algorithm encoding: move two bits from derivation to agreement
This gives a little more room to encode key agreement algorithms,
while keeping enough space for key derivation algorithms.

This doesn't affect any of the already-defined algorithms.
2019-04-18 09:42:21 +02:00
Jaeden Amero
521dbc67da Merge remote-tracking branch 'tls/development' into development
Merge Mbed TLS at f790a6cbee into Mbed Crypto.

Resolve conflicts by performing the following:
    - Reject changes to README.md
    - Don't add crypto as a submodule
    - Remove test/ssl_cert_test from programs/Makefile
    - Add cipher.nist_kw test to tests/CMakeLists.txt
    - Reject removal of crypto-specific all.sh tests
    - Reject update to SSL-specific portion of component_test_valgrind
      in all.sh
    - Reject addition of ssl-opt.sh testing to component_test_m32_o1 in
      all.sh

* tls/development: (87 commits)
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
  cpp_dummy_build: Add missing header psa_util.h
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
  Don't use debug level 1 for informational messages
  Skip uncritical unsupported extensions
  Give credit to OSS-Fuzz for #2404
  all.sh: remove component_test_new_ecdh_context
  Remove crypto-only related components from all.sh
  Remove ssl_cert_test sample app
  Make CRT callback tests more robust
  Rename constant in client2.c
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix a rebase error
  ...
2019-04-17 12:12:24 +01:00
Jaeden Amero
fe7106755e Merge remote-tracking branch 'origin/pr/2539' into development
Resolve conflicts by performing the following:
  - Ensure calls to mbedtls_x509_crt_verify_* are made with callbacks

* origin/pr/2539:
  Make CRT callback tests more robust
  Rename constant in client2.c
  Fix typo
  Add test for configuration specific CRT callback
  Fix doxygen documentation of mbedtls_ssl_set_verify()
  Add test exercising context-specific CRT callback to ssl-opt.sh
  Add cmd to use context-specific CRT callback in ssl_client2
  Implement context-specific verification callbacks
  Add context-specific CRT verification callbacks
  Improve documentation of mbedtls_ssl_conf_verify()
2019-04-16 15:05:18 +01:00
Jaeden Amero
ff34d43720 Merge remote-tracking branch 'origin/pr/2532' into development
* origin/pr/2532: (29 commits)
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix name to function call
  Address comments for x509 tests
  Address review comments regarding ssl_client2 and ssl tests
  Remove mbedtls_ from the static function name
  Change docs according to review comments
  Change the verify function naming
  Fix ssl_client2 and ssl_server2 if !PLATFORM_C
  Correct placement of usage macro in ssl_client2
  Update version_features.c
  Remove trailing whitespace in test_suite_x509parse.function
  Update query_config.c
  Add ssl-opt.sh tests for trusted CA callbacks
  Only run X.509 CRT verification tests with CA callback tests if !CRL
  Minor fixes to CA callback tests
  Declare CA callback type even if feature is disabled
  Implement X.509 CRT verification using CA callback
  Add prototype for CRT verification with static and dynamic CA list
  Make use of CA callback if present when verifying peer CRT chain
  ...
2019-04-16 14:42:11 +01:00
Gilles Peskine
3135184cfc Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development
Merge the Mbed Crypto development branch a little after
mbedcrypto-1.0.0 into the PSA Crypto API 1.0 beta branch a little
after beta 2.

Summary of merge conflicts:

* Some features (psa_copy_key, public key format without
  SubjectPublicKeyInfo wrapping) went into both sides, but with a few
  improvements on the implementation side. For those, take the
  implementation side.
* The key derivation API changed considerably on the API side. This
  merge commit generally goes with the updated API except in the tests
  where it keeps some aspects of the implementation.

Due to the divergence between the two branches on key derivation and
key agreement, test_suite_psa_crypto does not compile. This will be
resolved in subsequent commits.
2019-04-09 12:00:00 +02:00
Janos Follath
846ae7a70d Document and test flags in x509_verify 2019-04-05 16:45:01 +01:00
Janos Follath
d7ecbd6914 Fix style issues and a typo 2019-04-05 16:44:42 +01:00
Jaeden Amero
aa3402018e Merge remote-tracking branch 'origin/pr/2535' into development
* origin/pr/2535:
  Add Wisun Fan device extended key usage
2019-04-05 14:36:08 +01:00
Janos Follath
924270f769 Fix typo 2019-04-04 12:49:44 +01:00
Hanno Becker
f345bafd30 Fix doxygen documentation of mbedtls_ssl_set_verify() 2019-04-03 13:43:15 +01:00
Hanno Becker
8927c83312 Implement context-specific verification callbacks 2019-04-03 12:53:28 +01:00
Hanno Becker
726c97a825 Add context-specific CRT verification callbacks 2019-04-03 12:52:35 +01:00
Hanno Becker
7b58fb1d1c Improve documentation of mbedtls_ssl_conf_verify() 2019-04-03 12:52:21 +01:00
Ron Eldor
b6dc105456 Add Wisun Fan device extended key usage
Add the Wisun extended key usage oid and tests.
2019-04-03 13:48:50 +03:00
Jack Lloyd
ffdf28851d Add NIST keywrap as a cipher mode
Closes #2003 see also #1658
2019-04-02 10:02:55 -07:00
Jarno Lamsa
f49fedc345 Change docs according to review comments 2019-04-01 14:58:30 +03:00
Jarno Lamsa
31d9db6195 Change the verify function naming
Change the naming to reflect that the function uses a new ca callback
feature to distinguish different callbacks.
2019-04-01 14:33:49 +03:00
Hanno Becker
e15dae7fcf Declare CA callback type even if feature is disabled 2019-03-28 16:13:44 +00:00
Hanno Becker
f53893b00c Implement X.509 CRT verification using CA callback 2019-03-28 16:13:44 +00:00
Hanno Becker
5adaad9846 Add X.509 CA callback to SSL configuration and implement setter API 2019-03-28 16:13:43 +00:00
Hanno Becker
8bf74f37dc Add SSL configuration API for trusted CA callbacks 2019-03-28 16:13:38 +00:00
Jaeden Amero
c70a3c76bf Merge remote-tracking branch 'tls/development' into development
Resolve conflicts actions:
 - Reject path changes to config.h
 - Reject submodule-related changes in build scripts (Makefile,
   CMakeLists.txt)
 - Add oid test suite to list of tests in tests/CMakeLists.txt,
   rejecting any test filtering related changes (which TLS uses to avoid
   duplicating crypto tests)
 - Add legacy ECDH test to all.sh without including
   all.sh tests that depend on SSL
2019-03-28 16:02:25 +00:00
Hanno Becker
902451db8b Improve documentation of old X.509 CRT verification functions
This commit applies the documentation improvements noticed and applied
while adding the documentation for the new X.509 CRT verification API
mbedtls_x509_crt_verify_with_cb() to the existing verification APIs.
2019-03-28 15:39:55 +00:00
Hanno Becker
5c8df78feb Add X.509 CRT verification API using trusted CA callbacks 2019-03-28 15:39:55 +00:00
Hanno Becker
288dedcc72 Add compile-time option to enable X.509 CA callbacks 2019-03-28 15:39:50 +00:00
Jaeden Amero
57773d4ede Merge remote-tracking branch 'restricted/pr/551' into development
* restricted/pr/551:
  ECP: Clarify test descriptions
  ECP: remove extra whitespaces
  Fix ECDH secret export for Mongomery curves
  Improve ECP test names
  Make ecp_get_type public
  Add more tests for ecp_read_key
  ECP: Catch unsupported import/export
  Improve documentation of mbedtls_ecp_read_key
  Fix typo in ECP module
  Remove unnecessary cast from ECP test
  Improve mbedtls_ecp_point_read_binary tests
  Add Montgomery points to ecp_point_write_binary
  ECDH: Add test vectors for Curve25519
  Add little endian export to Bignum
  Add mbedtls_ecp_read_key
  Add Montgomery points to ecp_point_read_binary
  Add little endian import to Bignum
2019-03-27 17:01:24 +00:00
Jaeden Amero
0ea33776ce Merge remote-tracking branch 'restricted/pr/552' into development
Ensure this merge passes tests by auto-generating query_config.c, adding
MBEDTLS_ECDH_LEGACY_CONTEXT to it.

* restricted/pr/552:
  Fix mbedtls_ecdh_get_params with new ECDH context
  Test undefining MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh
  Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h
  Add changelog entry for mbedtls_ecdh_get_params robustness
  Fix ecdh_get_params with mismatching group
  Add test case for ecdh_get_params with mismatching group
  Add test case for ecdh_calc_secret
  Fix typo in documentation
2019-03-27 17:01:16 +00:00
Jaeden Amero
c73fde725b Merge remote-tracking branch 'origin/pr/2531' into development
Ensure tests pass when the submodule is used by updating the list of
crypto tests to include test_suite_oid in both tests/CMakeLists.txt and
tests/Makefile.

* origin/pr/2531:
  Add changeLog entry
  Add certificate policy of type any policy id
2019-03-27 16:52:08 +00:00
Jaeden Amero
3930e18c3c Merge remote-tracking branch 'origin/pr/2509' into development
* origin/pr/2509:
  all.sh: Generate seedfile for crypto submodule tests
  Update crypto submodule to test with private headers
  tests: Use globbing in test suite exclusion list
  Update crypto submodule to Mbed Crypto development
  tests: Test crypto via the crypto submodule
2019-03-27 14:45:26 +00:00
Jaeden Amero
d5d01a0435 Merge remote-tracking branch 'origin/pr/2525' into development
* origin/pr/2525:
  Update library version to 2.17.0
2019-03-26 14:50:06 +00:00
Ron Eldor
11ee07191f Add certificate policy of type any policy id
Add a function for getting the certificate policy. Currently only
"Any Policy" is supported.
2019-03-26 14:41:07 +02:00
Jaeden Amero
3f8d78411a Update library version to 2.17.0 2019-03-19 16:12:55 +00:00
Jaeden Amero
57f4d9e4fe Update crypto submodule to test with private headers
Update the crypto submodule to the top of the Mbed Crypto development
branch. This brings in a version of Mbed Crypto that enables building
Mbed Crypto tests that depend on private headers, like
'psa_crypto_invasive.h'.

This also requires updating our config.h to include new configuration
options added to Mbed Crypto. MBEDTLS_PSA_ITS_FILE_C replaces
MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C and MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C.
MBEDTLS_PSA_INJECT_ENTROPY replaces MBEDTLS_PSA_HAS_ITS_IO.
2019-03-19 15:45:09 +00:00
Gilles Peskine
e3dbdd8d90 Gate entropy injection through a dedicated configuration option
Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.
2019-03-15 11:15:21 +01:00
Gilles Peskine
6bf4baef95 Remove compilation option MBEDTLS_PSA_HAS_ITS_IO
MBEDTLS_PSA_HAS_ITS_IO is not really useful since it doesn't actually
enable anything except the entropy seed file support, which only
requires the ITS interface and not a native implemetation. Remove it.
2019-03-15 11:15:13 +01:00
Gilles Peskine
088b77f39c Merge psa_crypto_storage_its into psa_crypto_storage
Since the ITS API has stabilized and we don't plan to make use of more
than ITS, we don't need an abstraction layer between key storage and
key storage over ITS. Merge the ITS code into the generic storage
module.
2019-03-15 11:15:01 +01:00
Gilles Peskine
e435f23019 Remove psa_crypto_storage_file
Now that we have ITS over files, we no longer need a direct backend
for key storage over files. Remove psa_crypto_storage_file and its
tests.

Switch MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C and MBEDTLS_PSA_ITS_FILE_C on
by default. This preserves functionality and test coverage in the
default configuration, but forgets any key previously stored using the
file backend.
2019-03-15 11:14:51 +01:00
Gilles Peskine
23793482ac Support ITS over file in PSA crypto 2019-03-15 11:14:37 +01:00
Gilles Peskine
6194dc2062 Implement PSA ITS over files
Implement the PSA ITS API over stdio files.
2019-03-15 11:14:09 +01:00
Gilles Peskine
ee67dd61bc Fix Doxygen warnings 2019-03-12 13:23:17 +01:00
Gilles Peskine
5579971cb1 psa_generator_import_key (ECC): minor corrections 2019-03-12 11:55:43 +01:00
Gilles Peskine
2de2c0d9ce Clarify deterministic generation by re-drawing
For DH, ECC (Weierstrass curves) and DSA, specify that the re-drawing
method is the one defined by NIST as
"key-pair generation by testing candidates", and describe it
unambiguously.

Also specify DES explicitly.
2019-03-11 18:10:07 +01:00
Jaeden Amero
9afb2e9921 Remove tests that depend on TLS or X.509 2019-03-11 16:49:26 +00:00
Jaeden Amero
d8087713ae asn1: Remove dependency on X.509
Doxygen will fail to build if we have references to files that don't
exist. Since we are planning on removing X.509 soon, we even need to
remove explicit Doxygen references to X.509 things as those will no
longer resolve once the X.509 files are deleted.

fixup! asn1: Remove dependency on X.509
2019-03-11 16:48:36 +00:00
Jaeden Amero
ed16ca7b63 dhm: Remove dependency on TLS 2019-03-11 16:46:20 +00:00
Jaeden Amero
de0a41b716 ecp: Remove dependency on TLS and X.509 2019-03-11 16:46:20 +00:00
Gilles Peskine
fa4486d7ec Specify psa_generator_import_key for each key type
psa_generator_import_key() was only specified for "symmetric keys",
and there were some mistakes in the specification. Rewrite the
specification and extend it to other key types.

* For most private key types, specify that the function draws a byte
  string repeatedly until the byte string is suitable.
* For DES, despite being a symmetric key type, re-drawing is
  necessary.
* For Montgomery curves, despite being asymmetric, no re-drawing is
  necessary.
* Specify the behavior for every standard key type other than RSA.
  An implementation doesn't have to support all key types, but if it
  does, it's better to have a standard.
2019-03-11 17:30:31 +01:00
Gilles Peskine
3be6b7f553 Fix some copypasta in references to parameter names
Validated by

perl -ne 'if (/^\/\*\*/) {%param=(); @p=()} if (/\\param.*? (\w+)/) {$param{$1}=1} while (/\\p \*?(\w+)/g) {push @p,[$1,ARGV->input_line_number()]} if (/^\ \*\//) {foreach (@p) {if (!$param{$_->[0]}) {printf "%s:%d: bad \\p %s\n", $ARGV, $_->[1], $_->[0]}}} close ARGV if eof' include/psa/*.h
2019-03-11 15:11:31 +01:00
Gilles Peskine
ae2e5e0806 Remove copypasta'ed error reason in psa_aead_finish 2019-03-11 15:11:31 +01:00
Gilles Peskine
2e37c0dc5d Fix leftover occurrences of "key selection algorithm" 2019-03-11 15:11:31 +01:00
Jaeden Amero
2b9eb0bd6c Merge remote-tracking branch 'tls/development' into development
* origin/development: (113 commits)
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
  Fix unused variable warning in ssl_parse_certificate_coordinate()
  Update the crypto submodule to a78c958
  Fix ChangeLog entry to correct release version
  Fix typo in x509write test data
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for named bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Add new function mbedtls_asn1_write_named_bitstring()
  Add missing compile time guard in ssl_client2
  Update programs/ssl/query_config.c
  ssl_client2: Reset peer CRT info string on reconnect
  Add further debug statements on assertion failures
  ...
2019-03-07 12:02:18 +00:00
Jaeden Amero
03a60301d7
Merge pull request #248 from ARMmbed/dreemkiller_rename_driver
Various Changes for the PSA Driver Model
2019-03-06 18:59:46 +00:00
Gilles Peskine
32668ce268 Pacify check-names.sh 2019-03-06 18:29:57 +01:00
Gilles Peskine
c079f5692d Pass check-files.py 2019-03-06 18:01:52 +01:00
Gilles Peskine
e5c025c7ab Fix Doxygen warnings 2019-03-06 18:01:43 +01:00
Gilles Peskine
c3044a6a36 Remove trailing whitespace
check-files.py doesn't like trailing whitespace.
2019-03-06 17:56:28 +01:00
Jaeden Amero
a96f4fe94e Merge remote-tracking branch 'origin/pr/2380' into development
* origin/pr/2380:
  Fix backwards config dependency on oid.c
  Fix backwards include of x509.h in oid.h
2019-03-05 16:37:40 +00:00
Simon Butcher
535ee4a35b Merge remote-tracking branch 'public/pr/2421' into development
* public/pr/2421: (68 commits)
  Fix unused variable warning in ssl_parse_certificate_coordinate()
  Add missing compile time guard in ssl_client2
  Update programs/ssl/query_config.c
  ssl_client2: Reset peer CRT info string on reconnect
  Add further debug statements on assertion failures
  Fix typo in documentation of ssl_parse_certificate_chain()
  Add debug output in case of assertion failure
  Fix typo in SSL ticket documentation
  Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
  ssl_client2: Zeroize peer CRT info buffer when reconnecting
  Reintroduce numerous ssl-opt.sh tests if !MBEDTLS_SSL_KEEP_PEER_CERT
  ssl_client2: Extract peer CRT info from verification callback
  Improve documentation of mbedtls_ssl_get_peer_cert()
  Improve documentation of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
  Fix indentation of Doxygen comment in ssl_internal.h
  Set peer CRT length only after successful allocation
  Remove question in comment about verify flags on cli vs. server
  Remove misleading and redundant guard around restartable ECC field
  Add test for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to all.sh
  Free peer CRT chain immediately after verifying it
  ...
2019-03-01 12:46:07 +00:00
Simon Butcher
195bddebcc Merge remote-tracking branch 'restricted/pr/528' into development
* restricted/pr/528:
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-01 12:45:45 +00:00
Simon Butcher
74ac6e3fec Merge remote-tracking branch 'public/pr/2028' into development
* public/pr/2028:
  Update the crypto submodule to a78c958
  Fix ChangeLog entry to correct release version
  Fix typo in x509write test data
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for named bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Add new function mbedtls_asn1_write_named_bitstring()
2019-03-01 12:44:19 +00:00
Simon Butcher
bbed914b41 Merge remote-tracking branch 'public/pr/2447' into development
* public/pr/2447:
  Unbump version to 0.0.0
2019-03-01 12:41:25 +00:00
Andres Amaya Garcia
bdfba79f0d Fix documentation for 3DES removal 2019-03-01 10:21:11 +01:00
Andres Amaya Garcia
22a8905686 Fix wording of ChangeLog and 3DES_REMOVE docs 2019-03-01 10:21:11 +01:00
Andres Amaya Garcia
4a512281ec Reduce priority of 3DES ciphersuites 2019-03-01 10:19:27 +01:00
Andres Amaya Garcia
d8233f76db Improve docs for named bitstrings and their usage 2019-02-28 09:36:30 +00:00
Andres Amaya Garcia
6e95914f0e Add new function mbedtls_asn1_write_named_bitstring()
Add a new function mbedtls_asn1_write_named_bitstring() that removes
trailing 0s at the end of DER encoded bitstrings. The function is
implemented according to Hanno Becker's suggestions.

This commit also changes the functions x509write_crt_set_ns_cert_type
and crt_set_key_usage to call the new function as the use named
bitstrings instead of the regular bitstrings.
2019-02-28 09:36:30 +00:00
Jaeden Amero
a78c958b17 Merge remote-tracking branch 'tls/pr/2028' into development 2019-02-27 15:21:44 +00:00
Jaeden Amero
a9d6ba2510 Merge remote-tracking branch 'tls/development' into development
Additional work done as part of merge:
    - Run ./tests/scripts/check-generated-files.sh and check in the
      resulting changes to programs/ssl/query_config.c
2019-02-27 15:15:53 +00:00
Janos Follath
df9295b7ec Make ecp_get_type public
The ecp_get_type function comes handy in higher level modules and tests
as well. It is not inline anymore, to enable alternative implementations
to implement it for themselves.
2019-02-26 16:49:42 +00:00
Janos Follath
28eb06df16 ECP: Catch unsupported import/export
mbedtls_ecp_read_key() module returned without an error even when
importing keys corresponding to the requested group was not
implemented.

We change this and return an error when the requested group is not
supported and make the remaining import/export functions more robust.
2019-02-26 16:48:40 +00:00
Janos Follath
b65853c6b6 Improve documentation of mbedtls_ecp_read_key 2019-02-26 16:48:40 +00:00
Hanno Becker
fe4ef0c1ae Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker
958efeb481 Improve documentation of mbedtls_ssl_get_peer_cert() 2019-02-26 14:38:09 +00:00
Hanno Becker
fd7f298c6a Improve documentation of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker
3fd3f5ebe4 Fix indentation of Doxygen comment in ssl_internal.h 2019-02-26 14:38:09 +00:00
Hanno Becker
1aed7779ec Remove misleading and redundant guard around restartable ECC field
`MBEDTLS_SSL__ECP_RESTARTABLE` is only defined if
`MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` is set, which
requires `MBEDTLS_X509_PARSE_C` to be set (this is checked
in `check_config.`). The additional `MBEDTLS_X509_PARSE_C`
guard around the `ecrs_peer_cert` field is therefore not
necessary; moreover, it's misleading, because it hasn't
been used consistently throughout the code.
2019-02-26 14:38:09 +00:00
Hanno Becker
abe6f66c00 Remove peer CRT from mbedtls_ssl_session if new option is disabled 2019-02-26 14:38:09 +00:00
Hanno Becker
75173121fe Add field for peer's raw public key to TLS handshake param structure
When removing the (session-local) copy of the peer's CRT chain, we must
keep a handshake-local copy of the peer's public key, as (naturally) every
key exchange will make use of that public key at some point to verify that
the peer actually owns the corresponding private key (e.g., verify signatures
from ServerKeyExchange or CertificateVerify, or encrypt a PMS in a RSA-based
exchange, or extract static (EC)DH parameters).

This commit adds a PK context field `peer_pubkey` to the handshake parameter
structure `mbedtls_handshake_params_init()` and adapts the init and free
functions accordingly. It does not yet make actual use of the new field.
2019-02-26 14:38:09 +00:00
Hanno Becker
494dd7a6b4 Add raw public key buffer bounds to mbedtls_x509_crt struct
This commit adds an ASN.1 buffer field `pk_raw` to `mbedtls_x509_crt`
which stores the bounds of the raw public key data within an X.509 CRT.

This will be useful in subsequent commits to extract the peer's public
key from its certificate chain.
2019-02-26 14:38:09 +00:00
Hanno Becker
a887d1a5b6 Remove peer CRT from cache if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 2019-02-26 14:38:09 +00:00
Hanno Becker
3dad311ef0 Parse and verify peer CRT chain in local variable
`mbedtls_ssl_parse_certificate()` parses the peer's certificate chain
directly into the `peer_cert` field of the `mbedtls_ssl_session`
structure being established. To allow to optionally remove this field
from the session structure, this commit changes this to parse the peer's
chain into a local variable instead first, which can then either be freed
after CRT verification - in case the chain should not be stored - or
mapped to the `peer_cert` if it should be kept. For now, only the latter
is implemented.
2019-02-26 14:38:09 +00:00
Hanno Becker
9198ad1101 Extend mbedtls_ssl_session by buffer holding peer CRT digest 2019-02-26 14:38:09 +00:00
Hanno Becker
bb278f52ca Add configuration option to remove peer CRT after handshake 2019-02-26 14:38:09 +00:00
Hanno Becker
4a82c1ccb4 Improve documentation of mbedtls_ssl_get_peer_cert() 2019-02-26 14:38:09 +00:00
Hanno Becker
52055ae91f Give ssl_session_copy() external linkage
A subsequent commit will need this function in the session ticket
and session cache implementations. As the latter are server-side,
this commit also removes the MBEDTLS_SSL_CLI_C guard.

For now, the function is declared in ssl_internal.h and hence not
part of the public API.
2019-02-26 14:38:09 +00:00
Hanno Becker
7177a88a36 Introduce helper function to determine whether suite uses server CRT
This commit introduces a static helper function

   `mbedtls_ssl_ciphersuite_uses_srv_cert()`

which determines whether a ciphersuite may make use of server-side CRTs.

This function is in turn uses in `mbedtls_ssl_parse_certificate()` to
skip certificate parsing for ciphersuites which don't involve CRTs.

Note: Ciphersuites not using server-side CRTs don't allow client-side CRTs
either, so it is safe to guard `mbedtls_ssl_{parse/write}_certificate()`
this way.

Note: Previously, the code uses a positive check over the suites

- MBEDTLS_KEY_EXCHANGE_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
- MBEDTLS_KEY_EXCHANGE_ECJPAKE,

while now, it uses a negative check over `mbedtls_ssl_ciphersuite_uses_srv_cert()`,
which checks for the suites

- MBEDTLS_KEY_EXCHANGE_RSA
- MBEDTLS_KEY_EXCHANGE_RSA_PSK
- MBEDTLS_KEY_EXCHANGE_DHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA

This is equivalent since, together, those are all ciphersuites.
Quoting ssl_ciphersuites.h:

```
typedef enum {
    MBEDTLS_KEY_EXCHANGE_NONE = 0,
    MBEDTLS_KEY_EXCHANGE_RSA,
    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
    MBEDTLS_KEY_EXCHANGE_PSK,
    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
} mbedtls_key_exchange_type_t;
```
2019-02-26 14:38:09 +00:00
Jaeden Amero
81cefed27f psa: Explicitly include platform_util.h
crypto_extra.h has a dependency on platform_util.h for
MBEDTLS_DEPRECATED_NUMERIC_CONSTANT. Make the dependency explicit by
including platform_util.h. Although in most use cases the header should
already be included by something else, it doesn't hurt to include it
again and helps to clarify dependencies.
2019-02-25 10:25:48 +00:00
Gilles Peskine
bf7a98b791 Fix typos found in PSA Crypto API 1.0 beta2 before publication 2019-02-22 16:42:11 +01:00
Janos Follath
e344d0f6fc Add little endian export to Bignum
The function `mbedtls_mpi_write_binary()` writes big endian byte order,
but we need to be able to write little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs ..` to transform the test data to little endian.
2019-02-22 15:41:31 +00:00