Commit Graph

6242 Commits

Author SHA1 Message Date
Gilles Peskine
ae3741e8a4 Fix an incorrect error code if RSA private operation glitched
mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:

* If rsa_prepare_blinding() returned  MBEDTLS_ERR_RSA_RNG_FAILED
  (indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
  a glitch attack).

Make sure not to add two high-level error codes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:22:40 +01:00
Gilles Peskine
40d8160c8e mbedtls_to_psa_error: fix a copypasta and a missing translation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:22:40 +01:00
Gilles Peskine
a51e1dbe76
Merge pull request #3895 from gilles-peskine-arm/psa-external-random
Alternative random generator support for PSA
2021-01-06 17:09:11 +01:00
Manuel Pégourié-Gonnard
75fdd0640f
Merge pull request #3973 from stroebeljc/development
Fixed seed variable concatenation pointer.
2021-01-06 10:07:52 +01:00
Gilles Peskine
73d783244f
Merge pull request #3969 from frestr/bugfix/psa_close_key_leak
PSA Crypto: Don't skip key data removal when SE driver is not in use
2021-01-05 16:55:52 +01:00
Gilles Peskine
9c3e060253 Explain the design of mbedtls_psa_get_random better
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-05 16:03:55 +01:00
Gilles Peskine
0c59ba88cb Fix the error detection in psa_generate_random
If a call to mbedtls_psa_get_random other than the last one failed,
this went undetected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-05 14:10:59 +01:00
stroebeljc
d4de1b5d4e Updated per comments from @gilles-peskine-arm.
Signed-off-by: stroebeljc <stroebeljc1@gmail.com>
2021-01-04 18:14:32 -06:00
Gilles Peskine
71ddab9154 Simplify the chunk loop in psa_generate_random
Make the code slightly more readable and slightly smaller.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-04 21:01:07 +01:00
Gilles Peskine
88fa5c463e Minor documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-04 21:00:53 +01:00
ENT\stroej1
70f63d0883 Added references to the NIST test data used in the self-test function.
Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com>
2020-12-28 08:50:23 -06:00
ENT\stroej1
df307002cf Updated self test to use NIST test vectors and produce proper result.
Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com>
2020-12-26 12:41:04 -06:00
ENT\stroej1
a0deec0509 Extended test vectors to accomodate addition of nonce to test input array and updated results.
Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com>
2020-12-24 15:26:27 -06:00
ENT\stroej1
1446211e5e Update self-test vectors to include nonce and test it as part of reseeding.
Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com>
2020-12-24 12:24:35 -06:00
ENT\stroej1
4b91986a76 Fixed seed variable concatenation pointer.
Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com>
2020-12-23 19:23:05 -06:00
Fredrik Strupe
462aa575a4 PSA Crypto: Don't skip key data removal when SE driver is not in use
Closing a wrapped key with the new SE driver interface while
MBEDTLS_PSA_CRYPTO_SE_C is also enabled leads to the key material not
being freed, even though an old SE driver is not in use, leading to a
memory leak. This is because a wrapped key is also considered external.

This commit extends the check for skipping by checking whether an
old-style SE driver is registered with the provided slot, in addition to
checking whether the key is external.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-12-17 11:05:36 +01:00
Gilles Peskine
b3cd9633f4 Pacify check-names.sh
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 19:54:24 +01:00
Gilles Peskine
b2b64d3642 Rename psa_crypto_random.h to psa_crypto_random_impl.h
Make it clear that this is an abstraction of the random generator
abstraction, and not an abstraction of the PSA random generator.

mbedtls_psa_get_random and MBEDTLS_PSA_RANDOM_STATE are public-facing
definitions and will be moved in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 16:43:58 +01:00
Gilles Peskine
8814fc4a34 Make mbedtls_psa_get_random more usable outside psa_crypto.c
In the external RNG case, don't make mbedtls_psa_get_random() a
static inline function: this would likely result in identical
instances of this function in every module that uses it. Instead, make
it a single function with external linkage.

In the non-external case, instead of a trivial wrapper function, make
mbedtls_psa_get_random a constant pointer to whichever DRBG function
is being used.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 15:33:44 +01:00
Gilles Peskine
5894e8e7a4 Replace mbedtls_psa_random_state( ... ) by MBEDTLS_PSA_RANDOM_STATE
Hide the obtention of the pointer to the RNG state behind a macro.

To make it possible to use this macro in a module other than
psa_crypto.c, which will happen in the future, make sure that the
definition of the macro does not reference internal variables of
psa_crypto.c. For this purpose, in the internal-DRBG case, export a
symbol containing the address of the DRBG state.

When the RNG state is a pointer a DRBG state, just keep this pointer
in a variable: there's no need to store a pointer to a larger structure.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 14:57:24 +01:00
Janos Follath
0cbdc61171 Bump version to Mbed TLS 2.25.0
Executed ./scripts/bump_version.sh --version 2.25.0 --so-crypto 6

Increasing the SO version of the crypto library, because the openless
API improvement came with API/ABI incompatibilities. For example
    - the size of psa_key_handle_t changed
    - the type of a parameter in 18 public functions has changed from
      psa_key_handle_t to mbedtls_svc_key_id_t

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 15:05:22 +00:00
Janos Follath
a946dcf8b2 Merge branch 'development-restricted' into mbedtls-2.25.0r0-pr 2020-12-08 20:59:45 +00:00
Gilles Peskine
6d5c7bc69a
Merge pull request #3898 from paul-elliott-arm/fix_pem_write
Remove Extraneous bytes from buffer post pem write
2020-12-08 12:31:40 +01:00
Gilles Peskine
2b759626a9
Merge pull request #3948 from bensze01/update_psa_values
Update the values of PSA Crypto API macros to version 1.0.0
2020-12-08 11:03:33 +01:00
Bence Szépkúti
cbe395332c Substitute PSA_ALG_STREAM_CIPHER into all files
Deprecate PSA_ALG_ARC4 and PSA_ALG_CHACHA20.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:01:31 +01:00
Bence Szépkúti
1de907d4a4 Introduce PSA_ALG_STREAM_CIPHER
This algorithm replaces the pre-existing stream cipher algorithms.
The underlying stream cipher is determined by the key type.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 21:03:05 +01:00
Paul Elliott
557b8d663a Remove Extraneous bytes from buffer post pem write
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 17:29:42 +00:00
Ronald Cron
771090659e
Merge pull request #3393 from geecrypt/development
Support set *_drbg reseed interval before seed
2020-12-07 14:29:52 +01:00
Janos Follath
3aae5d4ed7
Merge pull request #781 from mpg/cipher-auth-crypt-restricted
Fix buffer overflow with NIST-KW in cipher layer
2020-12-07 12:58:36 +00:00
Gilles Peskine
3a0535b465
Merge pull request #3916 from jdurkop/psa-crypto-config-hashes-3672
Add support to crypto config for hashes
2020-12-07 13:50:56 +01:00
Manuel Pégourié-Gonnard
841b6fa97f Fix unused param warnings in auth_xxcrypt_ext()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 10:42:21 +01:00
Janos Follath
7973e2b358
Merge pull request #772 from chris-jones-arm/development-restricted
Fix Diffie-Hellman large key size DoS
2020-12-07 09:28:55 +00:00
Gilles Peskine
4e0a4d444d Clarifying comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:30 +01:00
Gilles Peskine
a56d3d9e75 cipher_auth_xxcrypt_ext: Make NIST_KW case more robust
Don't invoke classic NIST_KW in case PSA gains support for NIST_KW.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:08:10 +01:00
Gilles Peskine
e09aeb4923 Remove redundant NIST_KW checks in cipher_auth_xxcrypt()
The internal functions mbedtls_cipher_aead_{encrypt,decrypt} reject
unsupported algorithms, so there's no need for an additional check in
the legacy wrappers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:07:26 +01:00
Gilles Peskine
70edd689a8 cipher_auth_xxcrypt(): fix some null pointer handling
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.

Make sure to pass NULL for an empty buffer in the tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:26 +01:00
Gilles Peskine
e54be3a9c3 Fix uncaught error if fix_negative fails
fix_negative allocates memory for its result. The calling site didn't
check the return value, so an out-of-memory error could lead to an
incorrect calculation. Fix this.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Gilles Peskine
89b4130098 Fix memory leak in mbedtls_mpi_sub_abs
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
John Durkop
6ca2327150 Update guards for ALG_SHA_224 and ALG_SHA_384 in crypto library
The previous revision of guards around SHA_224 and SHA_384 were not
correct. This set of changes ensures the proper code is available
when SHA_224 and SHA_384 are enabled for use.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-12-03 06:07:04 -08:00
Gilles Peskine
227366b4b0 Merge branch 'development' into development-restricted 2020-12-03 12:39:44 +01:00
Gilles Peskine
54a6f23393
Merge pull request #3930 from ccvca/fix_missing_argument
Fix: Add missing arguments to debug message.
2020-12-03 12:29:03 +01:00
Manuel Pégourié-Gonnard
f5cf71e14a Stop using deprecated functions in the library
all.sh -k '*deprecated*' now passes again

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:10 +01:00
Manuel Pégourié-Gonnard
513c243317 Deprecate mbedtls_cipher_auth_xxcrypt()
This temporarily breaks all.sh '*deprecated*' (deprecated functions still used
in the library), which will be fix in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Manuel Pégourié-Gonnard
f2ffbc4387 Stop supporting NIST_KW in cipher_auth_xxcrypt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Gilles Peskine
a282984c3d
Merge pull request #773 from paul-elliott-arm/discrepancy_cert
Add missing tag check to signature check on certificate load
2020-12-03 12:19:39 +01:00
Manuel Pégourié-Gonnard
faddf98bea Implement cipher_auth_{en,de}crypt_ext()
Work in progress: next step is to test it!

Extract the part that is common with non-ext version to a new internal
function. (We can't just use the non-ext version for that, as it's going to be
deprecated.)

Currently the NIST_KW part is somewhat duplicated between the ext
and non-ext versions, but that's OK because it will soon be removed from the
non-ext version.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 10:42:46 +01:00
Manuel Pégourié-Gonnard
489c058b52 Merge branch 'development' into development-restricted
* development: (488 commits)
  Fix removal of deprecated PSA constants
  Use GitHub-compatible table formatting
  Remove psa header files in uninstall part
  Change function casting in `ssl_calc_finished_tls_sha384`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Add changelog entry file to `ChangeLog.d`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Fix GCC warning about `test_snprintf`
  Fix mismatched function parameters (prototype/definition)
  Fix build failure on gcc-11
  Copyediting
  Clarifications around key import
  Fix copypasta
  A variable is unused in some configurations
  Rename test_driver_keygen to test_driver_key_management
  Move "internal use" sentence attached to the wrong function
  Added changelog
  Plug in the entry point for public key export through driver
  tests: psa: Reset key attributes where needed
  Improve/fix documentation
  ...
2020-12-03 09:59:42 +01:00
Chris Jones
9246d04150 Fix potential DoS by limiting number sizes in exponentiation
Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before
performing a time expensive operation (modular exponentiation). This prevents
a potential DoS from Diffie-Hellman computations with extremely
large key sizes.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-02 15:25:27 +00:00
Christian von Arnim
883d304785
Fix: Add missing arguments to debug message.
Signed-off-by: Christian von Arnim <christian.von-arnim@isw.uni-stuttgart.de>
2020-12-02 10:13:02 +01:00
John Durkop
d62b678473 Minor updates to address review comments
Removed unecessary checks on the ALG_SHA_224 and ALG_SHA_384 since
those are handled in config_psa.h by ensuring the correct _C is
included. Reformatted config_psa.h to be alphabetical and made the
assignments line up correctly for consistency. Fixed the guards
for ALG_SHA_224 and ALG_SHA_384 to be correct in the crypto library
source.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-11-30 21:06:05 -08:00