Commit Graph

6870 Commits

Author SHA1 Message Date
Joe Subbiani
6350d3a0dd Remove trailing whitespaces
Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 14:02:47 +01:00
Joe Subbiani
1000037831 Replace 3 byte shift with appropriate macro
aria.c has a shift by 3 bytes, but does not use the 0xff masking.
aparently this is not a problem and it is tidier to use the maco.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 14:02:41 +01:00
Joe Subbiani
0a65d531c5 Improve common.h macro documentation
Imrpoved the descriptions of the macros and parameters and
changing the name of the MBEDTLS_PUT_UINT... macro parameters
to be more descriptive

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 14:02:31 +01:00
Joe Subbiani
6b897c930c Add Character byte reading macros
These cast to an unsigned char rather than a uint8_t
like with MBEDTLS_BYTE_x
These save alot of space and will improve maintence by
replacing the appropriate code with MBEDTLS_CHAR_x

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 14:01:51 +01:00
Joe Subbiani
9231d5f919 GET macros use a target variable
The GET macros used to write to a macro parameter, but now
they can be used to assign a value to the desired variable
rather than pass it in as an argument and have it modified
in the macro function.

Due to this MBEDTLS_BYTES_TO_U32_LE is the same as
MBEDTLS_GET_UINT32_LE and was there for replaced in the
appropriate files and removed from common.h

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:39:57 +01:00
Joe Subbiani
266476da00 Document common.h and remove changelog
Added documenttion comments to common.h and removed the changelog
as it is not really necessary for refactoring.

Also modified a comment in aria.c to be clearer

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:39:43 +01:00
Joe Subbiani
4530b27021 Move GET/PUT_UINT16_LE macros to common.h
Although these only appear in one file: psa_crypto_storage.c
it is tidy to give it the same prefix as the UINT32 macros
and to store them in the fame file

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:39:29 +01:00
Joe Subbiani
2bbafda1f8 Prefixed macros with MBEDTLS
As per tests/scripts/check-names.sh, macros in
library/ header files should be prefixed with
MBEDTLS_
The macro functions in common.h where also indented
to comply with the same test

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:38:53 +01:00
Joe Subbiani
888a141e70 Undo use of BYTE_x macro
The use of the BYTE_x macro in nist_kw did not seem appropriate
in hind sight as it is working with a character array not an int

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:19:48 +01:00
Joe Subbiani
61f7d73336 Remove trailing whitespace
Trailing white spaces causing check_files.py to fail

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:19:38 +01:00
Joe Subbiani
e4cc8c1ee0 Add do-while protection to macros
missed do-while around function-like macros (UINT32_BE and
UINT_LE macros) originally present in the indivdual files,
before being moved to common.h.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:19:28 +01:00
Joe Subbiani
4fb755592c Move UINT32_LE macros to common.h
32-bit integer manipulation macros (little edian):
GET_UINT32_LE and PUT_UINT32_LE appear in several
files in library/.
Removes duplicate code and save vertical
space the macro has been moved to common.h.
Improves maintainability.

Also provided brief comment in common.h for
BYTES_TO_U32_LE. comment/documentation will
probably need to be edited further for all
recent additions to library/common.h

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:18:28 +01:00
Joe Subbiani
aa5f6a6784 Move UINT32_BE macros to common.h
32-bit integer manipulation macros (big edian):
GET_UINT32_BE and PUT_UINT32_BE appear in several
files in library/.
Removes duplicate code and save vertical
space the macro has been moved to common.h.
Improves maintainability.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:18:13 +01:00
Joe Subbiani
927488e2d5 Move BYTES_TO_U32_LE to common.h
The macro BYTES_TO_U32_LE appears in poly1305.c and
chacha20.c.
Removes duplicate code and save vertical
space the macro has been moved to common.h.
Improves maintainability.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:18:02 +01:00
Joe Subbiani
ba486b0084 Implement byte reading macros into library/
To improve readability by saving horizontal and vertical space.
Removed unecessary & 0xFF.
Byte reading macros implemented in library/common.h, All files
containing "& 0xff" were modified.
Comments/Documentation not yet added to the macro definitions.

Fixes #4274

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-03 13:17:40 +01:00
Yuto Takano
284857ee55 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:30:34 +01:00
Yuto Takano
bc6eaf7976 Replace _B with B to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:29:53 +01:00
Paul Elliott
610a9cc43f Bump SO version for libmbedcrypto
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 14:59:26 +01:00
Paul Elliott
bece7374ce Bump Library Version Number
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:52:07 +01:00
Paul Elliott
4128c2032e Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.27.0rc0-pr 2021-07-01 17:26:38 +01:00
Dave Rodgman
ba940cc695
Merge pull request #4182 from gabor-mezei-arm/3258_implement_one-shot_MAC_and_cipher
[Backport 2.x] Implement one-shot cipher
2021-06-30 17:04:11 +01:00
Dave Rodgman
af9b4841fb
Merge pull request #4605 from gabor-mezei-arm/3267_sign_verify_key_policies
[Backport 2.x] Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:51:03 +01:00
gabor-mezei-arm
e4be8a3bea
Remove obsolete comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:34:28 +02:00
Dave Rodgman
0a4046e9ca
Merge pull request #4736 from daverodgman/alert_bugfixes_2.x
Backport 2.x: Fix alert raised for invalid fragment length
2021-06-30 09:02:49 +01:00
gabor-mezei-arm
252304594b
Fix minor issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:06:30 +02:00
gabor-mezei-arm
809634d5d9
Check the return status of the functions first
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm
42373bdde7
Add buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm
6f8d43df20
Remove invalid buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:39:49 +02:00
Dave Rodgman
0dfb7dbe15 TLS UNSUPPORTED_EXTENSION error code changes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 15:21:44 +01:00
Nick Child
b6d5693be2 pk.c: Ensure hash_len equals hash in pk_hashlen_helper
The function `pk_hashlen_helper` exists to ensure a valid hash_len is
used in pk_verify and pk_sign functions. This function has been
used to adjust to the corrsponding hash_len if the user passes in 0
for the hash_len argument based on the md algorithm given. If the user
does not pass in 0 as the hash_len, then it is not adjusted. This is
problematic if the user gives a hash_len and hash buffer that is less than the
associated length of the md algorithm. This error would go unchecked
and eventually lead to buffer overread when given to specific pk_sign/verify
functions, since they both ignore the hash_len argument if md_alg is not MBEDTLS_MD_NONE.

This commit, adds a conditional to `pk_hashlen_helper` so that an
error is thrown if the user specifies a hash_length (not 0) and it is
not equal to the expected for the associated message digest algorithm.
This aligns better with the api documentation where it states "If
hash_len is 0, then the length associated with md_alg is used instead,
or an error returned if it is invalid"

Signed-off-by: Nick Child <nick.child@ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2021-06-29 09:31:06 -04:00
Dave Rodgman
dd5f624f32 Fix TLS alert codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 09:45:08 +01:00
gabor-mezei-arm
6c18541a5e
Fix comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 16:41:31 +02:00
Dave Rodgman
78c601b529
Merge pull request #4717 from daverodgman/psa_cipher_and_mac_abort_on_error_2.x
Backport 2.x: Psa cipher and mac abort on error
2021-06-25 15:39:43 +01:00
Janos Follath
2667fb708e Fix unused parameter warning
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 15:36:55 +01:00
Janos Follath
bc58902a32 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTLS_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
7d4ebddbb6 Reject low-order points on Curve448 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
1c6a439783 Use mbedtls_mpi_lset() more
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
bc96a79854 Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:01 +01:00
gabor-mezei-arm
0e1d31bf06
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
d52c8dc783
Fix possible unreachable code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
f4cc6c9064
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
3fd792d076
Add checks for buffer size
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
7fbea09847
Use local variable instead of an ouput parameter
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
52ae871b27
Initialize output buffer length to 0
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:21:11 +02:00
Janos Follath
b4c676e6b3 Prevent memory leak in ecp_check_pubkey_x25519()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
520f0a0ea0 Avoid complaints about undeclared non-static symbols
Clang was complaining and check-names.sh too

This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
ae48111294 Use more compact encoding of Montgomery curve constants
Base 256 beats base 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
10b8e5a5c9 Use a more compact encoding of bad points
Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:22 +01:00
Manuel Pégourié-Gonnard
f2268d1c17 Reject low-order points on Curve25519 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:06:45 +01:00
Dave Rodgman
478ab5443b Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:30 +01:00