Commit Graph

14048 Commits

Author SHA1 Message Date
Gilles Peskine
c6468ee247 Revert "Use glibc's getrandom() instead of syscall when glibc > 2.25."
This reverts commit 9c46a60e6c.

When the library is dynamically linked against Glibc (as is usually
the case with Glibc), it now requires a recent Glibc at runtime if it
was compiled with a recent Glibc. This is a loss of functionality for
no demonstrated benefit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-10-01 11:22:18 +02:00
Fredrik Strupe
9d3391483c Add changelog entry
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-10-01 10:44:46 +02:00
Gilles Peskine
e9a1e13d62 2.24.0 is still covered by the old policy
“Prior to Mbed TLS 2.24” suggests that 2.24 itself didn't use the old
policy anymore, but it did. Change to “Until”, and also give the exact
version number “2.24.0”.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-10-01 00:35:49 +02:00
Gilles Peskine
2acbed387d psa_generate_key: remove the bit-size sanity check
In psa_generate_key_internal() for ECC keys, remove the check that the
bit-size according to Mbed TLS is equal to the requested bit-size.
This check was necessary back when the PSA API encoded curves and key
sizes independently, in order to reject combinations such as SECP256R1
with a 512-bit size. Since the curve encoding changed to specifying a
curve family and a size separately, the Mbed TLS curve id (grp_id) and
the curve data (curve_info) are now determined from the size, and
checking that (curve_info->bit_size == bits) is now only a redundant
sanity check.

This check is actually buggy, because PSA Crypto and Mbed TLS don't
have exactly the same notion of key size. PSA thinks Curve25519 is
255-bit and secp224k1 is 225-bit, but Mbed TLS thinks they're 256-bit
and 224-bit respectively. Removing the check allows key generation to
work for these curves.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 22:03:29 +02:00
Janos Follath
e85c0c469d
Merge pull request #3717 from pkolbus/issue-3647
Restore retry in rsa_prepare_blinding()
2020-09-30 16:23:10 +01:00
Gilles Peskine
360e2c41d8 List Montgomery curves in mbedtls_ecp_curve_list()
mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
"x25519" and "x448". These curves support ECDH but not ECDSA.

This was meant ever since the introduction of mbedtls_ecdsa_can_do()
in 0082f9df6f, but
2c69d10bac had removed the claim
that Montgomery curves support ECDH except through Everest.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 17:02:25 +02:00
Gilles Peskine
326e474a6d Add basic test cases for Curve25519
Test import and key generation, each followed by a key agreement. Only
good cases in this commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 17:01:18 +02:00
Manuel Pégourié-Gonnard
c427aa74f1
Merge pull request #3642 from okhowang/getrandom
Use glibc's getrandom when glibc > 2.25
2020-09-30 13:55:04 +02:00
Fredrik Strupe
f90e3019dd Use PSA_ERROR_INVALID_ARGUMENT for invalid cipher input sizes
... as opposed to PSA_ERROR_BAD_STATE.

The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:

"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."

Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.

This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-09-30 12:26:58 +02:00
okhowang(王沛文)
76158ce9b7 Use socklen_t on Android and other POSIX-compliant system
Fixes #2977

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-09-30 16:53:37 +08:00
okhowang(王沛文)
9c46a60e6c Use glibc's getrandom() instead of syscall when glibc > 2.25.
Fixes #3432

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-09-30 16:10:49 +08:00
Gilles Peskine
4bcfe9269f When to write a changelog: minor improvements
Mention sample programs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 09:55:27 +02:00
John Durkop
76228acfb9 Fix typo in define in comment
This fixes error in check-names.sh test.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-29 22:33:49 -07:00
John Durkop
714e3a1318 Minor cleanup to fix errors with some unit tests
With the new feature MBEDTLS_PSA_CRYPTO_CONFIG, needed to
add support that when the feature is disabled, if there
are defines like MBEDTLS_ECDSA_C defined, then the PSA_WANT_
equivalent define is also enabled. This ensures the guards in
the library psa_crypto will work properly.

Also fixed an error return code in the driver wrapper for cipher
encrypt setup so it will properly pass unit tests.

Ensured config.py full works properly with the new
MBEDTLS_PSA_CRYPTO_CONFIG, it should not be set when the full
option is used.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-29 22:07:04 -07:00
Gilles Peskine
ece00a0cd0 Explain when to write a changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:16:59 +02:00
Gilles Peskine
3b4edc78df We no longer credit contributors in the changelog
From now on, external contributions are no longer acknowledged in the
changelog file. They of course remain acknowledged in the Git history.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:13:05 +02:00
Gilles Peskine
27ed799109 Remove changelog entries without a user-visible impact
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 01:11:39 +02:00
Manuel Pégourié-Gonnard
6d6f8a4b97 Clarify descriptions of constant-flow helpers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-28 09:51:41 +02:00
Peter Kolbus
ca8b8e7c31 Restore retry in rsa_prepare_blinding()
Starting with commit 49e94e3, the do/while loop in
`rsa_prepare_blinding()` was changed to a `do...while(0)`, which
prevents retry from being effective and leaves dead code.

Restore the while condition to retry, and lift the calls to finish the
computation out of the while loop by by observing that they are
performed only when `mbedtls_mpi_inv_mod()` returns zero.

Signed-off-by: Peter Kolbus <peter.kolbus@garmin.com>
2020-09-25 08:43:57 -05:00
Gilles Peskine
7829748cd4
Merge pull request #3709 from CameronNemo/issue-3524
programs/psa/psa_constant_names_generated.c: commit generated file
2020-09-25 15:23:48 +02:00
Ronald Cron
bf4f40883e Rework mbedtls_test_param_failed_get_state_buf()
Rework mbedtls_test_param_failed_get_state_buf() and
its documentation.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-25 10:45:06 +02:00
John Durkop
736eb1de47 Update to VS project file for PSA crypto config
The new header files to support PSA crypto config needed to be
added to the VS project file.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:11:10 -07:00
John Durkop
39e09672a3 Update version_features for new PSA crypto config
The version features library needed updating to support the new
MBEDTLS_PSA_CRYPTO_CONFIG definition.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:09:25 -07:00
John Durkop
2542c21ba8 Add MBEDTLS_PSA_CRYPTO_CONFIG to test program
Since the recent changes required the addition of a new definition
in mbedtls/config.h, we also need to update query_config.c to account
for the new MBEDTLS_PSA_CRYPTO_CONFIG setting.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:06:35 -07:00
Cameron Nemo
e18d09de37 fix(programs/psa): commit python3 generated file
Python should not be required for the build when the no_test target is
used. This commit adds the generated file to the source tree and the
check-generated-files script, and removes the generation from (c)make.

Fixes #3524

Signed-off-by: Cameron Nemo <cnemo@tutanota.com>
2020-09-24 20:57:46 -07:00
Gilles Peskine
1803563572 Fix "make -C tests/data_files -f ..."
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-24 16:36:04 +02:00
John Durkop
2dfaf9ca23 Update how MBEDTLS_PSA_CRYPTO_CONFIG is handled
Originally, MBEDTLS_PSA_CRYPTO_CONFIG was being used to allow
inclusion of mbedlts/config_psa.h, but that needed to be updated
so that mbedtls/config_psa.h is always included and the definitions
specific to PSA configuration are now guarded by
MBEDTLS_PSA_CRYPTO_CONFIG. This will allow for the standard setup
to continue working while new PSA configuration items to also work.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop
d8959390c5 Add ECDSA support to PSA crypto configuration
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop
7758c858ae Update requires for MBEDTLS_PSA_CRYPTO_DRIVERS
In order to test various PSA crypto settings the Requires section
needed updating to require MBEDTLS_PSA_CRYPTO_C or
MBEDTLS_PSA_CRYPTO_CONFIG.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
John Durkop
6e33dbe9fd Created infrastructure for MBEDTLS_PSA_CRYPTO_CONFIG
In order to prepare for PSA cryptographic mechanism for conditional
inclusion of various modules, there needs to be some updates to
the mbedtls configuration to enable that feature to work. This initial
set of changes just lays the ground work and future changes will
implement the functional features.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 05:01:17 -07:00
Gilles Peskine
9b33eb3284
Merge pull request #3705 from ctron/feature/fix_return_code_1
Fix return code expression in pkparse
2020-09-22 18:51:49 +02:00
Jens Reimann
9ad4a33a54 fix return code
Signed-off-by: Jens Reimann <jreimann@redhat.com>
2020-09-22 11:57:16 +02:00
Gilles Peskine
5cb54f7b27
Merge pull request #3542 from gilles-peskine-arm/psa-unified-driver-specs-20200807
PSA unified driver specification: minor updates
2020-09-18 22:53:46 +02:00
Manuel Pégourié-Gonnard
822b3729e7 Remove last use of non-bit operations
According to https://www.bearssl.org/ctmul.html even single-precision
multiplication is not constant-time on some older platforms.

An added benefit of the new code is that it removes the somewhat mysterious
constant 0x1ff - which was selected because at that point the maximum value of
padlen was 256. The new code is perhaps a bit more readable for that reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard
2a59fb45b5 Add explicit cast when truncating values
MSVC complains about it otherwise.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:22 +02:00
Manuel Pégourié-Gonnard
6e2a9a7faa Factor repeated code in ssl_cf functions
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:11:21 +02:00
Manuel Pégourié-Gonnard
2ddec4306f Use bit operations for constant-flow padding check
The previous code used comparison operators >= and == that are quite likely to
be compiled to branches by some compilers on some architectures (with some
optimisation levels).

For example, take the following function:

void old_update( size_t data_len, size_t *padlen )
{
    *padlen  *= ( data_len >= *padlen + 1 );
}

With Clang 3.8, let's compile it for the Arm v6-M architecture:

% clang --target=arm-none-eabi -march=armv6-m -Os foo.c -S -o - |
    sed -n '/^old_update:$/,/\.size/p'

old_update:
        .fnstart
@ BB#0:
        .save   {r4, lr}
        push    {r4, lr}
        ldr     r2, [r1]
        adds    r4, r2, #1
        movs    r3, #0
        cmp     r4, r0
        bls     .LBB0_2
@ BB#1:
        mov     r2, r3
.LBB0_2:
        str     r2, [r1]
        pop     {r4, pc}
.Lfunc_end0:
        .size   old_update, .Lfunc_end0-old_update

We can see an unbalanced secret-dependant branch, resulting in a total
execution time depends on the value of the secret (here padlen) in a
straightforward way.

The new version, based on bit operations, doesn't have this issue:

new_update:
        .fnstart
@ BB#0:
        ldr     r2, [r1]
        subs    r0, r0, #1
        subs    r0, r0, r2
        asrs    r0, r0, #31
        bics    r2, r0
        str     r2, [r1]
        bx      lr
.Lfunc_end1:
        .size   new_update, .Lfunc_end1-new_update

(As a bonus, it's smaller and uses less stack.)

While there's no formal guarantee that the version based on bit operations in
C won't be translated using branches by the compiler, experiments tend to show
that's the case [1], and it is commonly accepted knowledge in the practical
crypto community that if we want to sick to C, bit operations are the safest
bet [2].

[1] https://github.com/mpg/ct/blob/master/results
[2] https://github.com/veorq/cryptocoding

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-09-18 12:10:33 +02:00
Gilles Peskine
1d9c11081a
Merge pull request #3667 from Jongy/fix-docs
Fix docs to desribe written-into buffer parameter as writable
2020-09-17 00:02:08 +02:00
Janos Follath
2a25904f45
Merge pull request #3568 from hanno-arm/tls13_experimental_key_schedule_1
TLS 1.3: Add HKDF-based key derivation functionality
2020-09-16 11:40:06 +01:00
Hanno Becker
531fe3054c Comment on hardcoding of maximum HKDF key expansion of 255 Bytes
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-16 09:50:17 +01:00
Hanno Becker
61baae7c9f Minor fixes and improvements in TLS 1.3 key schedule documentation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-16 09:47:47 +01:00
Gilles Peskine
dc57c25e30
Merge pull request #3527 from ronald-cron-arm/key-extended-id
PSA key identifiers rework
2020-09-15 16:06:06 +02:00
Gilles Peskine
7107e661b8
Merge pull request #3644 from stevew817/feature/transparent_multipart_driver
Add multipart cipher accelerator support and test driver
2020-09-15 09:51:24 +02:00
Ronald Cron
7424f0d998 psa: Move key identifier related macros and functions
Move key identifier related macros and functions from
crypto_types.h to crypto_values.h as the latter is
the intended file to put them in.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron
cb54610e97 Set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in baremetal configuration
No obvious reason to not enable owner identifier encoding
in baremetal as multi-client support is expected to be needed
for some embedded platforms. Thus enable it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron
9a2511e78f Fix key owner identifier documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron
5eba579c6c Remove unnecessary inline definition
Define inline for some compiling environment only
in crypto_platform.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:48:15 +02:00
Steven Cooreman
6d81f7e119 Final feedback from @ronald-cron-arm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman
ef8575e1bf Apply review feedback
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
  is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
  the spec says it won't.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman
89e54f2edc Add mock and negative testing to cipher driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00