Commit Graph

4179 Commits

Author SHA1 Message Date
Jaeden Amero
65fb236799 psa: Make psa_set_key_lifetime() match declaration
Previously, the psa_set_key_lifetime() implementation did not match the
function declaration in psa/crypto.h. Value types don't need const,
since they are passed by value. Fix psa_set_key_lifetime()
implementation by making it match its declaration in the header.
2018-09-12 16:41:11 +03:00
Gilles Peskine
af3baabd05 Define max sizes for MAC and signatures
This requires defining a maximum RSA key size, since the RSA key size
is the signature size. Enforce the maximum RSA key size when importing
or generating a key.
2018-09-12 16:41:11 +03:00
Gilles Peskine
a26ff6a290 psa_asymmetric_sign: consistently fill unused output with '!'
Fill the unused part of the output buffer with '!', for consistency
with hash and mac.

On error, set the output length to the output buffer size and fill the
output buffer with '!', again for consistency with hash and mac. This
way an invalid output is more visible in a memory dump.

Restructure the error paths so that there is a single place where the
unused part of the output buffer is filled.

Also remove a redundant initialization of *signature_length to 0.
2018-09-12 16:41:11 +03:00
Gilles Peskine
2b450e3a01 Factor RSA sign/verify code into its own functions
This makes the functions smaller and makes error paths easier to read.
2018-09-12 16:41:11 +03:00
Gilles Peskine
eae6eee24c Change ECDSA signature representation to r||s
Change the representation of an ECDSA signature from the ASN.1 DER
encoding used in TLS and X.509, to the concatenation of r and s
in big-endian order with a fixed size. A fixed size helps memory and
buffer management and this representation is generally easier to use
for anything that doesn't require the ASN.1 representation. This is
the same representation as PKCS#11 (Cryptoki) except that PKCS#11
allows r and s to be truncated (both to the same length), which
complicates the implementation and negates the advantage of a
fixed-size representation.
2018-09-12 16:41:11 +03:00
Gilles Peskine
a81d85b732 Sort out ECDSA mechanisms
* Distinguish randomized ECDSA from deterministic ECDSA.
* Deterministic ECDSA needs to be parametrized by a hash.
* Randomized ECDSA only uses the hash for the initial hash step,
  but add ECDSA(hash) algorithms anyway so that all the signature
  algorithms encode the initial hashing step.
* Add brief documentation for the ECDSA signature mechanisms.
* Also define DSA signature mechanisms while I'm at it. There were
  already key types for DSA.
2018-09-12 16:24:51 +03:00
Gilles Peskine
526fab0066 Fix parameter name signature_size for psa_asymmetric_verify
It should have been signature_length, following our conventions.
2018-09-12 16:24:51 +03:00
Gilles Peskine
e9191ff90b Add missing const for signature parameter of psa_asymmetric_verify 2018-09-12 16:24:51 +03:00
Gilles Peskine
55bf3d1171 Sort out RSA mechanisms
* PSS needs to be parametrized by a hash.
* Don't use `_MGF1` in the names of macros for OAEP and PSS. No one
  ever uses anything else.
* Add brief documentation for the RSA signature mechanisms.
2018-09-12 16:24:51 +03:00
Gilles Peskine
7ed29c56f1 Rename PSA_ALG_RSA_GET_HASH to PSA_ALG_SIGN_GET_HASH
And don't use it for HMAC when there's a perfectly serviceable
PSA_ALG_HMAC_HASH. HMAC isn't hash-and-sign.
2018-09-12 16:24:50 +03:00
Gilles Peskine
c648d6949d psa_import_key: fix memory leak on error
Free the content of the pk object if an error occurs after the import.
2018-09-12 16:24:50 +03:00
Jaeden Amero
f24c7f80a0 psa_export_key: Always set a valid data length
Make psa_export_key() always set a valid data_length when exporting,
even when there are errors. This makes the API easier to use for buggy
programs (like our test code).

Our test code previously used exported_length uninitialized when
checking to see that the buffer returned was all zero in import_export()
in the case where an error was returned from psa_export_key().
Initialize exported_length to an invalid length, and check that it gets
set properly by psa_export_key(), to avoid this using export_length
uninitialized. Note that the mem_is_zero() check is still valid when
psa_export_key() returns an error, e.g. where exported_length is 0, as
we want to check that nothing was written to the buffer on error.

Out test code also previous passed NULL for the data_length parameter of
psa_export_key() when it expected a failure (in key_policy_fail()).
However, data_length is not allowed to be NULL, especially now that we
write to data_length from psa_export_key() even when there are errors.
Update the test code to not pass in a NULL data_length.
2018-09-12 16:24:50 +03:00
Gilles Peskine
8173631d7e psa_hash_abort: return PSA_SUCCESS if alg=0
Make psa_hash_abort consistent with psa_mac_abort and
psa_cipher_abort.

Add a comment explaining the reasoning.
2018-09-12 16:24:50 +03:00
Gilles Peskine
f9c2c09810 In abort functions, return BAD_STATE on obviously bad input
psa_hash_abort, psa_mac_abort and psa_cipher_abort now return
PSA_ERROR_BAD_STATE if operation->alg is obviously not valid, which
can only happen due to a programming error in the caller or in the
library. We can't detect all cases of calling abort on uninitialized
memory but this is dirt cheap and better than nothing.
2018-09-12 16:24:50 +03:00
Gilles Peskine
48c0ea14c6 Remove PSA_KEY_TYPE_IS_RAW_BYTES from crypto.h
It isn't used to define other macros and it doesn't seem that useful
for users. Remove it, we can reintroduce it if needed.

Define a similar function key_type_is_raw_bytes in the implementation
with a clear semantics: it's a key that's represented as a struct
raw_data.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9ad29e2bee Add what little was missing to fully support DES
Also add what was missing in the test suite to support block ciphers
with a block size that isn't 16.

Fix some buggy test data that passed only due to problems with DES
support in the product.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9a94480685 Convert ERR_ASN1 error codes to PSA
This fixes the error code when psa_export_key on an asymmetric key
reports that the output buffer is too small.
2018-09-12 16:24:50 +03:00
Gilles Peskine
b54979a297 Refuse non-byte-sized raw data keys
Since the key size is stored in bytes, we can't have a key whose size
isn't a whole number of bytes.
2018-09-12 16:24:50 +03:00
Gilles Peskine
c06e07128c Favor INVALID_ARGUMENT over NOT_SUPPORTED for bad algorithm types
In psa_hash_start, psa_mac_start and psa_cipher_setup, return
PSA_ERROR_INVALID_ARGUMENT rather than PSA_ERROR_NOT_SUPPORTED when
the algorithm parameter is not the right category.
2018-09-12 16:23:54 +03:00
Gilles Peskine
248051acb6 Add missing #ifdef guards around psa_hmac_start 2018-09-12 16:23:54 +03:00
Gilles Peskine
16c0f4f787 Fix potential memory corruption on MAC/cipher setup failure
When psa_mac_start(), psa_encrypt_setup() or psa_cipher_setup()
failed, depending on when the failure happened, it was possible that
psa_mac_abort() or psa_cipher_abort() would crash because it would try
to call a free() function uninitialized data in the operation
structure. Refactor the functions so that they initialize the
operation structure before doing anything else.

Add non-regression tests and a few more positive and negative unit
tests for psa_mac_start() and psa_cipher_setup() (the latter via
psa_encrypt_setip()).
2018-09-12 16:23:53 +03:00
Gilles Peskine
12313cd84c Implement psa_generate_key: AES, DES, RSA, ECP
In the test cases, try exporting the generated key and perform sanity
checks on it.
2018-09-12 16:22:51 +03:00
Gilles Peskine
e66ca3bbf3 psa_export_key: zero out potential garbage in the output buffer
In psa_export_key, ensure that each byte of the output buffer either
contains its original value, is zero, or is part of the actual output.
Specifically, don't risk having partial output on error, and don't
leave extra data at the end of the buffer when exporting an asymmetric
key.

Test that exporting to a previously zeroed buffer leaves the buffer
zeroed outside the actual output if any.
2018-09-12 16:22:51 +03:00
Gilles Peskine
0e2315859f psa_export_key: fix asymmetric key in larger buffer
Exporting an asymmetric key only worked if the target buffer had
exactly the right size, because psa_export_key uses
mbedtls_pk_write_key_der or mbedtls_pk_write_pubkey_der and these
functions write to the end of the buffer, which psa_export_key did not
correct for. Fix this by moving the data to the beginning of the
buffer if necessary.

Add non-regression tests.
2018-09-12 16:22:51 +03:00
Gilles Peskine
05d69890ee Implement psa_generate_random 2018-09-12 16:22:51 +03:00
Gilles Peskine
0ff4b0f7f9 psa_import_key: validate symmetric key size
When importing a symmetric key, validate that the key size is valid
for the given key type.

Non-supported key types may no longer be imported.
2018-09-12 16:22:51 +03:00
Gilles Peskine
e3b07d81d6 Fix build without CMAC
Add missing guard for MBEDTLS_CMAC_C.
2018-09-12 16:22:51 +03:00
Gilles Peskine
828ed149d5 Rename MBEDTLS_xxx macros in psa_crypto.c to placate check-names.sh 2018-09-12 16:22:51 +03:00
Gilles Peskine
34ef7f5a55 Check the curve of an elliptic curve key on import
psa_import_key must check that the imported key data matches the
expected key type. Implement the missing check for EC keys that the
curve is the expected one.
2018-09-12 16:19:04 +03:00
Gilles Peskine
b3e6e5deeb Rename hash max sizes for consistency
Use "hash" throughout the library, not "md" as in Mbed TLS.
2018-09-12 16:19:04 +03:00
Gilles Peskine
7bcfc0a9ae Be more consistent about blank lines 2018-09-12 16:18:04 +03:00
Gilles Peskine
803ce7402a Change sizeof(type) to sizeof(variable) 2018-09-12 16:18:04 +03:00
Gilles Peskine
c1bb6c8dcc Formatting improvements
Avoid lines longer than 80 columns.

Remove some redundant parentheses, e.g. change
    if( ( a == b ) && ( c == d ) )
to
    if( a == b && c == d )
which makes lines less long and makes the remaining parentheses more
relevant.

Add missing parentheses around return statements.

There should be no semantic change in this commit.
2018-09-12 16:18:02 +03:00
Gilles Peskine
2d2778650b Normalize whitespace
Normalize whitespace to Mbed TLS standards. There are only whitespace
changes in this commit.
2018-09-12 16:15:52 +03:00
Gilles Peskine
6de7a179c8 Fix file permissions
Some files were marked as executable but shouldn't have been.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
aa5aea0bac fix spaces and add braces 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
e9664c30f0 space and style fixes 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
9627241beb change macro PSA_HASH_BLOCK_SIZE to function psa_get_hash_block_size 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
5ca6547b77 Renamed hmac_ctx to opad and removed null check.
this array is now part of the struct and not dynamically allocated
so it can't be null.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
caec7f0c49 Fix rename issue missed by re-base 2018-09-12 16:13:49 +03:00
Gilles Peskine
d223b52a9a psa_hmac_start: reduce stack usage
Store the temporary key in the long-key case (where the key is first
hashed) directly into ipad. This reduces the stack usage a little, at
a slight cost in complexity.
2018-09-12 16:13:49 +03:00
Gilles Peskine
6a0a44e167 HMAC: clean up local variables containing key material
In psa_mac_start, the hash of the key and ipad contain material that
can be used to make HMAC calculations with the key, therefore they
must be wiped.

In psa_mac_finish_internal, tmp contains an intermediate value which
could reveal the HMAC. This is definitely sensitive in the verify case,
and marginally sensitive in the finish case (it isn't if the hash
function is ideal, but it could make things worse if the hash function
is partially broken).
2018-09-12 16:13:49 +03:00
Gilles Peskine
c102e3ce4b psa_hmac_start: simplify key_length logic in hash-the-key case 2018-09-12 16:13:49 +03:00
Gilles Peskine
e1bc6800cc psa_hmac_start: remove useless casts 2018-09-12 16:13:49 +03:00
Gilles Peskine
7e454bc19f Split out CMAC and HMAC code into auxiliary functions
Split algorithm-specific code out of psa_mac_start. This makes the
function easier to read.

The behavior is mostly unchanged. In a few cases, errors before
setting a key trigger a context wipe where they didn't. This is a
marginal performance loss but only cases that are an error in caller
code.
2018-09-12 16:13:49 +03:00
Gilles Peskine
99bc649760 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-12 16:13:49 +03:00
Gilles Peskine
ef057ac8ed Remove dead code
Remove an unused function and an unused variable. Now the code builds
with gcc -Wall -Wextra -Werror.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
084832d65f replace get_block_size_from_hash_algorithm with PSA_HASH_BLOCK_SIZE macro 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
35dfbf4601 change hmac context to use statically allocated memory
1. removed dynamic allocation of stack context
2. moved ipad to stack
3. added defines for maximal sizes
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
0c9ec53a10 remove reliance on md_info context for hash information
1. remove reliance on md_info context for hash information by decoding locally
2. remove block_size field in context as this is dynamically computed
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
eeace0bf7f Code style fix : changed keylen to key_length 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
7810be273a Code correction: remove unneeded sizeof 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
dcd636a73f Commit changes to hmac to not use MD abstraction
this PR is part of efforts to use "lower level" mbedTLS APIs vs "higher level" abstract APIs.
2018-09-12 16:13:49 +03:00
Ron Eldor
54a7c620bb Minor style changes
1. Rephrase error description.
2. fix alignment of error list.
2018-09-12 14:43:44 +03:00
Manuel Pégourié-Gonnard
1c1c20ed4d Fix some whitespace issues 2018-09-12 10:34:43 +02:00
Jaeden Amero
ff215726b4 rsa: pss: Use size_t when computing signatures
Functions like `mbedtls_md_get_size()` and `mgf_mask()` work with
`size_t`. Use local variables with `size_t` to match.
2018-09-11 14:36:03 +01:00
Manuel Pégourié-Gonnard
125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher
53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Simon Butcher
5d40f67138 Merge remote-tracking branch 'public/pr/1927' into development-restricted 2018-09-06 16:24:48 +01:00
Hanno Becker
f5106d54eb Don't declare and define gmtime()-mutex on Windows platforms 2018-09-06 12:09:56 +01:00
Hanno Becker
323d8019bf Correct preprocessor guards determining use of gmtime()
The previous code erroneously used gmtime_r() to implement
mbedtls_platform_gmtime() in case of a non-windows, non-unix system.
2018-09-06 11:30:57 +01:00
Hanno Becker
6f70581c4a Correct POSIX version check to determine presence of gmtime_r()
Recent versions of POSIX move gmtime_r to the base.
2018-09-06 09:06:33 +01:00
Hanno Becker
7dd82b4f51 platform_utils.{c/h} -> platform_util.{c/h} 2018-09-05 16:26:04 +01:00
Hanno Becker
48a816ff26 Minor documentation improvements 2018-09-05 15:22:22 +01:00
Hanno Becker
6a739789f3 Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
For consistency, also rename MBEDTLS_PLATFORM_GMTIME_ALT to
MBEDTLS_PLATFORM_GMTIME_R_ALT.
2018-09-05 15:06:19 +01:00
Hanno Becker
be2e4bddd5 Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT 2018-09-05 14:44:31 +01:00
Hanno Becker
cfeb70c6b9 gmtime: Remove special treatment for IAR
Previous commits attempted to use `gmtime_s()` for IAR systems; however,
this attempt depends on the use of C11 extensions which lead to incompatibility
with other pieces of the library, such as the use of `memset()` which is
being deprecated in favor of `memset_s()` in C11.
2018-09-05 13:52:46 +01:00
Andres Amaya Garcia
94b540ac63 Avoid redefining _POSIX_C_SOURCE 2018-09-05 12:27:32 +01:00
Andres Amaya Garcia
433f911e59 Check for IAR in gmtime macros 2018-09-05 12:01:57 +01:00
Andres Amaya Garcia
3c9733a0a3 Fix typo in comment for gmtime macro defines 2018-09-05 11:52:07 +01:00
Andres Amaya Garcia
ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia
209960611f Use gmtime_s() for IAR 2018-09-05 11:27:56 +01:00
Andres Amaya Garcia
e9b10b21f1 Define _POSIX_C_SOURCE in threading.c before POSIX detection 2018-09-05 11:25:30 +01:00
Gilles Peskine
8605428dcf Merge remote-tracking branch 'psa/pr/27' into feature-psa 2018-09-05 12:46:19 +03:00
Gilles Peskine
c4def2f228 Add input length check in psa_asymmetric_decrypt
Remove output size check which is not needed here and was copypasta.

Add non-regression tests.
2018-09-05 12:44:18 +03:00
Gilles Peskine
b75e4f1314 Remove ECC boilerplate in asymmetric encrypt/decrypt
We don't have any encryption algorithm using ECC keys at the moment.
2018-09-05 12:44:17 +03:00
Gilles Peskine
beb4948d10 Add RSA PSS verification (untested) 2018-09-05 12:44:17 +03:00
Gilles Peskine
625b01c9c3 Add OAEP placeholders in asymmetric encrypt/decrypt
Replace PSS placeholders by OAEP placeholders. PSS is a signature
algorithm, not an encryption algorithm.

Fix typo in PSA_ALG_IS_RSA_OAEP_MGF1.
2018-09-05 12:44:17 +03:00
Gilles Peskine
8b18a4fef3 Rename verify_RSA_hash_input_and_get_md_type
Give it a shorter name that's more in line with our naming conventions.
2018-09-05 12:44:17 +03:00
Gilles Peskine
61b91d4476 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
1c2a7ea4e2 Allow psa_asymmetric_verify and psa_asymmetric_encrypt to use public key only. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
d708260de4 add key policy enforcement implementation
add checks that keys have been set for the correct usage for asymmetric
functions.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
ca466c89b0 Set output length to safe value 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
c460291714 Re-Add ECC verification code which was not properly merged in re-base. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
4db79eb36b Extract common code
Make code easier to maintain.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
717a040df5 Remove duplicate / unneeded code
1. remove duplicate function introduced by re-base
2. remove unneeded code
2018-09-05 12:44:17 +03:00
Gilles Peskine
5b051bc608 Remove trailing whitespace
Only horizontal whitespace changes in this commit.
2018-09-05 12:44:12 +03:00
Gilles Peskine
6afe789d4c Finish renaming around PSA_ALG_IS_RSA_PKCS1V15
Now the code compiles. Some OAEP and PSS macros may still need to be fixed.
2018-09-05 12:41:53 +03:00
Gilles Peskine
d6125ca63b Merge remote-tracking branch 'psa/pr/24' into feature-psa 2018-09-05 12:41:53 +03:00
Nir Sonnenschein
4f594eca40 remove check for key pair (public key should be enough for verification) 2018-09-05 12:41:53 +03:00
Nir Sonnenschein
7f5a31915b code fixes for internal code review:
1. change to correct error code
2. removed unneeded comment
2018-09-05 12:41:53 +03:00
Nir Sonnenschein
39e59144f6 added support for PKCSv1.5 signature verification and encryption/decryption and very basic tests. 2018-09-05 12:41:53 +03:00
Gilles Peskine
bb1072f642 Fix use of mbedtls_cipher_info_from_psa
One branch added an extra argument, the other branch added a call of
this function. Pass the extra argument on the code from the other
branch.
2018-09-05 12:41:52 +03:00
Gilles Peskine
84861a95ca Merge remote-tracking branch 'psa/psa-wrapper-apis-aead' into feature-psa 2018-09-05 12:41:52 +03:00
Gilles Peskine
154bd95131 psa_destroy_key: return SUCCESS on an empty slot
Do wipe the slot even if it doesn't contain a key, to erase any metadata.
2018-09-05 12:41:52 +03:00
Gilles Peskine
71bb7b77f0 Switch PSA_HASH_FINAL_SIZE to PSA_HASH_SIZE
Make this macro work on derived algorithms as well (HMAC,
hash-and-sign, etc.).
2018-09-05 12:41:52 +03:00
mohammad1603
fc614b1e0e fix parentheses 2018-09-05 12:41:52 +03:00
mohammad1603
e109f21638 remove unnecessary check for block size 2018-09-05 12:41:52 +03:00
mohammad1603
a1d9801683 add slot validation 2018-09-05 12:41:52 +03:00
mohammad1603
e3cb8a8d8b return PSA_ERROR_BUFFER_TOO_SMALL intead of PSA_ERROR_INVALID_ARGUMENT 2018-09-05 12:41:52 +03:00
mohammad1603
6b4d98cf78 remove trailing spaces 2018-09-05 12:41:52 +03:00
mohammad1603
5ed0621dd4 aligned with coding standards - line length 2018-09-05 12:41:52 +03:00
mohammad1603
f14394b25f add policy checks 2018-09-05 12:41:52 +03:00
mohammad1603
96910d807e fix block size depending on algorithm 2018-09-05 12:41:51 +03:00
mohammad1603
60a64d079a remove unnecessary argument to the psa_aead_unpadded_locate_tag function 2018-09-05 12:41:51 +03:00
mohammad1603
15223a8b89 write the tag directly on the ciphertext buffer. 2018-09-05 12:41:51 +03:00
mohammad1603
4fc744f8af change the check of block size for all supported algorithms 2018-09-05 12:41:51 +03:00
mohammad1603
0f21465175 use mbedtls_cipher_info_from_psa to get cipher ID 2018-09-05 12:41:51 +03:00
mohammad1603
f58aa6ade6 use memset instead of mbedtils_zeroize 2018-09-05 12:41:51 +03:00
mohammad1603
554faad260 return NOT_SUPPORTED instead of INVLID_ARGUMENT 2018-09-05 12:41:51 +03:00
mohammad1603
95893f834d remove usless cast 2018-09-05 12:41:51 +03:00
mohammad1603
f08a550e68 set output length to zero to cover output length in error case 2018-09-05 12:41:51 +03:00
mohammad1603
f4f0d612ba change mbedtls_cipher_info_from_psa to provide cipher_id also 2018-09-05 12:41:51 +03:00
mohammad1603
9375f8403a fix code offsets after rebase 2018-09-05 12:41:51 +03:00
Gilles Peskine
ee652a344c Fix psa_aead_decrypt to read the tag at the end of the ciphertext 2018-09-05 12:41:51 +03:00
Gilles Peskine
a40d77477d Whitespace fixes
Changed indentation to match Mbed TLS style. Wrapped some lines to 80 columns.
2018-09-05 12:41:51 +03:00
mohammad1603
39574652ae add else for not supported algorithm 2018-09-05 12:38:18 +03:00
mohammad1603
5c8845f563 return invalid argument for unsupported algorithms 2018-09-05 12:38:18 +03:00
mohammad1603
e58e68458e fix condition over key type 2018-09-05 12:38:18 +03:00
mohammad1603
17638efc46 remove unused variable 2018-09-05 12:38:18 +03:00
mohammad1603
dad36fa855 add Key and Algorithm validation 2018-09-05 12:38:18 +03:00
mohammad1603
a7e6df76ea Validation fixes for key_type 2018-09-05 12:38:18 +03:00
mohammad1603
4f5eb7cb54 Fill the the output buffer with zero data in case of failure 2018-09-05 12:38:18 +03:00
mohammad1603
6bbd8c75dc Remove unnecessary cast
Remove unnecessary cast
2018-09-05 12:38:18 +03:00
mohammad1603
db6247315f Parameters validation fixes
Fix key_type validation test and no need to ask for place for tag in decryption
2018-09-05 12:38:18 +03:00
mohammad1603
ce5cba9a6a unify the concatenation of the tag and update output length 2018-09-05 12:38:18 +03:00
mohammad1603
9e5a515aa8 Fix parameter validation 2018-09-05 12:38:18 +03:00
mohammad1603
47ddf3d544 Concatenate the tag to the output buffer
Concatenate the tag to the output buffer.
2018-09-05 12:38:18 +03:00
mohammad1603
5955c98779 Initial implementation of the AEAD decrypt/encrypt APIs
Initial implementation for the AEAD APIs, missing the following:
* Concatenation of the tag to the output buffer.
* Updated documentation of the new functions.
* argument validations
* tests
2018-09-05 12:38:18 +03:00
Gilles Peskine
3aa8efb230 Merge remote-tracking branch 'psa/psa-wrapper-apis-march-12' into feature-psa 2018-09-05 12:38:17 +03:00
Gilles Peskine
2c5219a06d Whitespace normalization
No semantic change.
2018-09-05 12:14:29 +03:00
Gilles Peskine
5351420b3e Use block local variable for padding_mode for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Moran Peker
7cb22b8327 abort operation before return + fix error checks 2018-09-05 12:14:29 +03:00
Gilles Peskine
89d789c9bc Refactor some argument checks for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Gilles Peskine
7e9288520f Wrap lines to 80 columns 2018-09-05 12:14:29 +03:00
Gilles Peskine
e553c65cc3 Fix indentation and horizontal whitespace
Only whitespace changes in this commit.
2018-09-05 12:14:29 +03:00
Moran Peker
3520c2c4f7 unset iv_required to 0 (psa_encrypt_set_iv)and block_size (psa_cipher_setup) 2018-09-05 12:14:29 +03:00
Moran Peker
395db875e6 adjust indentation per Mbed TLS standards 2018-09-05 12:14:29 +03:00
Moran Peker
ae382791fb add missing psa_cipher_abort( operation ) 2018-09-05 12:14:28 +03:00
Moran Peker
70531163a9 fix compilation error - missing if 2018-09-05 12:14:28 +03:00
Moran Peker
a28258c594 adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
Moran Peker
2cab25aacf fix conditions in psa_cipher_finish function 2018-09-05 12:14:28 +03:00
Moran Peker
dc38ebc068 delete decrypt checks + fix memcpy& return value 2018-09-05 12:14:28 +03:00
Moran Peker
ad9d82cc0e add iv_required field to psa_cipher_operation_s and fix relevant functions 2018-09-05 12:14:28 +03:00
Moran Peker
71f19ae6f8 add missing call to psa_cipher_abort in cipher_setup func + iv_length check in cipher_set_iv func 2018-09-05 12:14:28 +03:00
Moran Peker
406008ab4c add missing check on output_size in psa_cipher_update func 2018-09-05 12:14:28 +03:00
Moran Peker
bed71a2b17 fix missing check on output_size in psa_cipher_finish func 2018-09-05 12:14:28 +03:00
Moran Peker
0071b873a3 add missing parameter output_size on psa_cipher_finish 2018-09-05 12:14:28 +03:00
Moran Peker
4c80d8331a adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
mohammad1603
b152d4d8b6 add test scenarios to decrypt and encrypt input and compare with given output 2018-09-05 12:14:28 +03:00
mohammad1603
89e0f468bf style 2018-09-05 12:14:28 +03:00
Moran Peker
41deec4494 partly pr fix 2018-09-05 12:14:28 +03:00
Moran Peker
e1210dcac3 remove unused parameter in psa_cipher_finish. 2018-09-05 12:14:28 +03:00
Moran Peker
3205a6592b tests fix 2018-09-05 12:14:28 +03:00
mohammad1603
16864af80b fix static function name 2018-09-05 12:14:28 +03:00
mohammad1603
8481e74ecc CR fixes
more fixes

Compilation fixes

Compilation fixes for PSA crypto code and tests
2018-09-05 12:14:28 +03:00
mohammad1603
efb0107fbe CR fix, remove exposing ECB 2018-09-05 12:14:27 +03:00
mohammad1603
990a18c2f0 add ecb to cipher algorithms 2018-09-05 12:14:27 +03:00
Gilles Peskine
5100318a92 Merge pull request #18 from ARMmbed/psa-wrapper-apis-export-publickey
Export public key implementation (#18)
2018-09-05 12:13:23 +03:00
mohammad1603
8275961178 warnings fixes 2018-09-05 12:13:23 +03:00
mohammad1603
503973bdf3 initial implementation for PSA symmetric APIs - missing tests and documentations 2018-09-05 12:13:23 +03:00
Moran Peker
8756763cf1 change error check on psa_internal_export_key func 2018-09-05 12:13:23 +03:00
Gilles Peskine
785fd55a39 Whitespace fixes; removed redundant parentheses
No semantic change.
2018-09-05 12:13:23 +03:00
Moran Peker
cceea98bfe adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
d732659867 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
17e36e1bd9 fix conditions 2018-09-05 12:13:23 +03:00
Moran Peker
6036432617 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
a998bc6ac9 psa_internal_export_key function for common code.
create psa_internal_export_key function for common code in psa_export_key and psa_export_public_key.
2018-09-05 12:13:22 +03:00
Moran Peker
5010828fb6 adjust indentation per Mbed TLS standards 2018-09-05 12:13:22 +03:00
Moran Peker
b4d0ddd2d3 psa_export_public_key 2018-09-05 12:13:20 +03:00
Moran Peker
dd4ea38d58 export public key 2018-09-05 12:10:47 +03:00
itayzafrir
7b30f8b0c9 Added handling for MBEDTLS_ERR_ECP_XXX error codes
Added handling for MBEDTLS_ERR_ECP_XXX error codes
2018-09-05 12:10:47 +03:00
itayzafrir
5c7533923a ECDSA sign and verify implementation and tests
ECDSA sign and verify implementation and tests
2018-09-05 12:10:47 +03:00
Gilles Peskine
a0655c3501 Merge remote-tracking branch 'psa/pr/13' into feature-psa
Conflicts:
	library/psa_crypto.c
	tests/suites/test_suite_psa_crypto.data
	tests/suites/test_suite_psa_crypto.function

All the conflicts are concurrent additions where the order doesn't
matter. I put the code from feature-psa (key policy) before the code
from PR #13 (key lifetime).
2018-09-05 12:10:43 +03:00
mohammad1603
ea0500936e Change behavior of psa_get_key_lifetime()
psa_get_key_lifetime() behavior changed regarding empty slots, now
it return the lifetime of and empty slots. Documentation in header
file updated accordingly.
2018-09-05 12:01:37 +03:00
mohammad1603
5d7ec2033d fix key lifetime set implementation , tests accordingly 2018-09-05 12:01:37 +03:00
mohammad1603
ba178511f4 Remove unused and duplicated erros, fix documentation and tests
Remove unused and duplicated erros, fix documentation and tests
2018-09-05 12:01:37 +03:00
mohammad1603
060ad8ac34 Compilation and tests fixes 2018-09-05 12:01:37 +03:00
mohammad1603
804cd71bf8 initial key lifetime implementation and tests 2018-09-05 12:01:37 +03:00
Gilles Peskine
c63b6ba754 Merge remote-tracking branch 'psa/pr/14' into feature-psa
Conflict resolution:

* `tests/suites/test_suite_psa_crypto.data`: in the new tests from PR #14,
  rename `PSA_ALG_RSA_PKCS1V15_RAW` to `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` as
  was done in PR #15 in the other branch.
2018-09-05 12:01:34 +03:00
Gilles Peskine
47c1bc0458 Correct some return codes 2018-09-05 11:53:26 +03:00
mohammad1603
38a622b68b Function psa_get_key_policy() now return policy value for empty slots
Function psa_get_key_policy() now return policy value for empty slots
2018-09-05 11:53:26 +03:00
mohammad1603
5feda72d7a Remove usage of PSA_ERROR_INVALID_KEY_POLICY
use PSA_ERROR_INVALID_ARGUMENT instead of INVALID_KEY_POLICY error
2018-09-05 11:53:26 +03:00
mohammad1603
6df908f234 Add static internal MAC finish function
add new psa_mac_finish_internal() to be called by psa_mac_finish() and
psa_mac_verify() in order to be able to check key usage separatly.
2018-09-05 11:53:26 +03:00
Gilles Peskine
a59262338a Rename PKCS1V15 to PKCS1V15_SIGN
There's PKCS1V15_CRYPT as well (to be added soon).
2018-09-05 11:53:26 +03:00
mohammad1603
4eed757901 add new test scenarios 2018-09-05 11:53:26 +03:00
mohammad1603
06e7920be5 integrate policy key usage in export and asymmetric sign functions 2018-09-05 11:53:26 +03:00
mohammad1603
8cc1ceec3e Key Policy APIs implementation 2018-09-05 11:53:26 +03:00
Gilles Peskine
dc2fc8443f Rename xxx_of_psa functions to xxx_from_psa
Be consistent with how similar functions are named in Mbed TLS.
2018-09-05 11:53:25 +03:00
Gilles Peskine
3c6e970752 Fix memory leak in psa_destroy_key 2018-09-05 11:53:25 +03:00
Gilles Peskine
6d9121381a Add some comments to document some non-obvious coding choices 2018-09-05 11:53:25 +03:00
Gilles Peskine
e4ebc12fcd psa_crypto_init: set the global initialized flag 2018-09-05 11:53:25 +03:00
Gilles Peskine
8c9def3e7f PSA: Implement MAC functions
Implement psa_mac_start, psa_mac_update and psa_mac_final.

Implement HMAC anc CMAC.

Smoke tests.
2018-09-05 11:53:25 +03:00
Gilles Peskine
9ef733faa0 Implement hash functions
New header file crypto_struct.h. The main file crypto.sh declares
structures which are implementation-defined. These structures must be
defined in crypto_struct.h, which is included at the end so that the
structures can use types defined in crypto.h.

Implement psa_hash_start, psa_hash_update and psa_hash_final. This
should work for all hash algorithms supported by Mbed TLS, but has
only been smoke-tested for SHA-256, and only in the nominal case.
2018-09-05 11:53:25 +03:00
Gilles Peskine
a590529938 Greatly expanded mbedtls_to_psa_error
It now covers most cryptography algorithm modules (missing: bignum,
DHM, everything ECC, HMAC_DRBG).
2018-09-05 11:53:24 +03:00
Gilles Peskine
93aa0334d9 PSA asymmetric signature: set *signature_length = 0 on failure 2018-09-05 11:53:24 +03:00
Gilles Peskine
20035e3579 PSA crypto: asymmetric signature (RSA PKCS#1v1.5 only)
Define hash algorithms and RSA signature algorithms.

New function psa_asymmetric_sign.

Implement psa_asymmetric_sign for RSA PKCS#1 v1.5.
2018-09-05 11:53:24 +03:00
Gilles Peskine
c66ea6a921 PSA key import: support RSA public keys
Use different key types for private keys and public keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine
969ac726d9 PSA RSA key import: don't rely on pk so much
Don't use the pk module except as required for pkparse/pkwrite. The
PSA crypto layer is meant to work alongside pk, not on top of it.

Fix the compile-time dependencies on RSA/ECP handling in
psa_export_key, psa_destroy_key and psa_get_key_information.
2018-09-05 11:53:24 +03:00
Gilles Peskine
2f9c4dc5ad Add key management functions
Define psa_key_type_t and a first stab at a few values.

New functions psa_import_key, psa_export_key, psa_destroy_key,
psa_get_key_information. Implement them for raw data and RSA.

Under the hood, create an in-memory, fixed-size keystore with room
for MBEDTLS_PSA_KEY_SLOT_COUNT - 1 keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine
1d26709dbd New function mbedtls_rsa_get_bitlen
Add a new function mbedtls_rsa_get_bitlen which returns the RSA key
size, i.e. the bit size of the modulus. In the pk module, call
mbedtls_rsa_get_bitlen instead of mbedtls_rsa_get_len, which gave the
wrong result for key sizes that are not a multiple of 8.

This commit adds one non-regression test in the pk suite. More tests
are needed for RSA key sizes that are a multiple of 8.

This commit does not address RSA alternative implementations, which
only provide an interface that return the modulus size in bytes.
2018-09-05 11:53:24 +03:00
Gilles Peskine
e59236fc17 Add PSA crypto module
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.

Implement psa_crypto_init function which sets up a RNG.

Add a mbedtls_psa_crypto_free function which deinitializes the
library.

Define a first batch of error codes.
2018-09-05 10:59:00 +03:00
Simon Butcher
4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
irwir
da642d98c0
Implicit _endthread call: comment changed 2018-08-31 15:14:54 +03:00
irwir
e1b82ad25f
Added spaces after type casts
`(void) TimerContext;` seems more consistent with the current style than ((void) TimerContext);
No objections to changing this if necessary.
2018-08-30 11:57:09 +03:00
Simon Butcher
0bbb4fc132 Merge branch 'development' into development 2018-08-30 01:11:35 +01:00
Simon Butcher
552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher
68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Ron Eldor
b0ad581526 Remove the invalid input for platform module
Remove the invalid input for the platform module,
as it's not currently used in the Mbed OS platform setup \
termination code.
2018-08-29 19:06:14 +03:00
Ron Eldor
0ff4e0b824 Add platform error codes
Add error codes for the platform module, to be used by
the setup \ terminate API.
2018-08-29 18:53:20 +03:00
Hanno Becker
a591c48302 Correct typo in debug message 2018-08-28 17:52:53 +01:00
Hanno Becker
83ab41c665 Correct typo in comment 2018-08-28 17:52:53 +01:00
Hanno Becker
cd9dcda0a0 Add const qualifier to handshake header reading functions 2018-08-28 17:52:53 +01:00
Hanno Becker
39b8bc9aef Change wording of debug message 2018-08-28 17:52:49 +01:00
Hanno Becker
ef7afdfa5a Rename another_record_in_datagram to next_record_is_in_datagram 2018-08-28 17:16:31 +01:00
Hanno Becker
c573ac33dd Fix typos in debug message and comment in ssl-tls.c 2018-08-28 17:15:25 +01:00
Simon Butcher
3af567d4a7 Merge remote-tracking branch 'restricted/pr/437' into development-restricted 2018-08-28 15:33:59 +01:00
Simon Butcher
129fa82908 Merge remote-tracking branch 'restricted/pr/470' into development-restricted 2018-08-28 15:26:11 +01:00
Simon Butcher
7f85563f9b Merge remote-tracking branch 'restricted/pr/491' into development-restricted 2018-08-28 15:22:40 +01:00
Simon Butcher
9ce5160fea Merge remote-tracking branch 'public/pr/1965' into development 2018-08-28 12:34:14 +01:00
Simon Butcher
9d5a9e1213 Merge remote-tracking branch 'public/pr/1625' into development 2018-08-28 12:23:40 +01:00
Simon Butcher
14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher
1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher
9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Simon Butcher
4613772dea Merge remote-tracking branch 'public/pr/1915' into development 2018-08-28 11:45:44 +01:00
Hanno Becker
0207e533b2 Style: Correct typo in ssl-tls.c 2018-08-28 10:28:28 +01:00
Hanno Becker
bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker
d58477769d Style: Group buffering-related forward declarations in ssl_tls.c 2018-08-28 10:09:23 +01:00
Hanno Becker
360bef3fe3 Reordering: Document that only HS and CCS msgs are buffered 2018-08-28 10:04:33 +01:00
Hanno Becker
4f432ad44d Style: Don't use abbreviations in comments 2018-08-28 10:02:32 +01:00
Hanno Becker
b8f50147ee Add explicit MBEDTLS_DEBUG_C-guard around debugging code 2018-08-28 10:01:34 +01:00
Hanno Becker
f0da6670dc Style: Add braces around if-branch where else-branch has them 2018-08-28 09:55:10 +01:00
Hanno Becker
ecbdf1c048 Style: Correct indentation of debug msgs in mbedtls_ssl_write_record 2018-08-28 09:54:44 +01:00
Hanno Becker
3f7b973e32 Correct typo in mbedtls_ssl_flight_transmit() 2018-08-28 09:53:25 +01:00
Hanno Becker
6e12c1ea7d Enhance debugging output 2018-08-24 14:48:08 +01:00
Hanno Becker
0e96585bdd Merge branch 'datagram_packing' into message_reordering 2018-08-24 12:16:41 +01:00
Hanno Becker
1841b0a11c Rename ssl_conf_datagram_packing() to ssl_set_datagram_packing()
The naming convention is that functions of the form mbedtls_ssl_conf_xxx()
apply to the SSL configuration.
2018-08-24 11:13:57 +01:00
Hanno Becker
f4b010efc4 Limit MTU by maximum fragment length setting
By the standard (RFC 6066, Sect. 4), the Maximum Fragment Length (MFL)
extension limits the maximum record payload size, but not the maximum
datagram size. However, not inferring any limitations on the MTU when
setting the MFL means that a party has no means to dynamically inform
the peer about MTU limitations.

This commit changes the function ssl_get_remaining_payload_in_datagram()
to never return more than

MFL - { Total size of all records within the current datagram }

thereby limiting the MTU to MFL + { Maximum Record Expansion }.
2018-08-24 10:47:29 +01:00
Hanno Becker
283f5efe7d Buffering: Free future record epoch after each flight
The function ssl_free_buffered_record() frees a future epoch record, if
such is present. Previously, it was called in mbedtls_handshake_free(),
i.e. an unused buffered record would be cleared at the end of the handshake.
This commit moves the call to the function ssl_buffering_free() responsible
for freeing all buffering-related data, and which is called not only at
the end of the handshake, but at the end of every flight. In particular,
future record epochs won't be buffered across flight boundaries anymore,
and they shouldn't.
2018-08-24 09:34:47 +01:00
Hanno Becker
081bd81865 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-23 19:22:26 +02:00
Hanno Becker
c83d2b3e09 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-23 19:22:05 +02:00
Hanno Becker
b309b92ee8 ssl_buffering_free_slot(): Double-check validity of slot index 2018-08-23 13:18:05 +01:00
Hanno Becker
65dc885a3b Use size_t for msg_len argument in ssl_get_reassembly_buffer_size() 2018-08-23 09:40:49 +01:00
Hanno Becker
1b20e8e46e Merge branch 'datagram_packing' into message_reordering 2018-08-22 20:36:50 +01:00
Hanno Becker
554b0af195 Fix assertion in mbedtls_ssl_write_record() 2018-08-22 20:33:41 +01:00
Hanno Becker
7428d4fe87 Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:16:59 +01:00
Hanno Becker
551835d5e7 ssl_write_handshake_msg(): Always append CCS messages to flights
The previous code appended messages to flights only if their handshake type,
as derived from the first byte in the message, was different from
MBEDTLS_SSL_HS_HELLO_REQUEST. This check should only be performed
for handshake records, while CCS records should immediately be appended.
2018-08-22 16:16:25 +01:00
Hanno Becker
2c98db2478 ssl_write_handshake_msg(): Allow alert on client-side SSLv3
In SSLv3, the client sends a NoCertificate alert in response to
a CertificateRequest if it doesn't have a CRT. This previously
lead to failure in ssl_write_handshake_msg() which only accepted
handshake or CCS records.
2018-08-22 16:05:47 +01:00
Hanno Becker
635313459f Merge branch 'datagram_packing' into message_reordering 2018-08-22 16:00:57 +01:00
Hanno Becker
11682ccc78 Uniformly treat MTU as size_t 2018-08-22 14:41:02 +01:00