Commit Graph

12489 Commits

Author SHA1 Message Date
Gilles Peskine
85f47c9d69 pk tests: USE_PSA_CRYPTO: test attributes of the PSA key 2020-01-31 10:15:32 +01:00
Gilles Peskine
45c29ce4c0 Move size-specific curve/group constants to crypto_compat.h 2020-01-31 10:15:32 +01:00
Gilles Peskine
228abc5773 Define EC curve family constants
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.

Support these constants in the implementation and in the PSA metadata
tests.

Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.

Switch some documentation to the new encodings.

Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
2020-01-31 10:15:32 +01:00
Gilles Peskine
025fccdc32 Change the encoding of EC curves and DH groups to include the size
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).

As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
2020-01-31 10:15:32 +01:00
Gilles Peskine
d8197cb902 mbedtls_psa_parse_tls_ecc_group: make no assumption on PSA encodings
Don't assume that the PSA encoding of elliptic curves is identical to
the TLS encoding. This is currently true but about to change.

The new implementation only works when MBEDTLS_ECP_C is defined. This
is ok because the function is only used with MBEDTLS_ECP_C defined.
2020-01-31 10:15:32 +01:00
Gilles Peskine
fc2459db13 Remove mbedtls_psa_translate_ecc_group
Internally, use the corresponding function from psa_crypto.c instead.
Externally, this function is not used in Mbed TLS and is documented as
"may change at any time".
2020-01-31 10:15:32 +01:00
Gilles Peskine
5055b239bf Expose mbedtls/psa curve identifier conversions from psa_crypto.c 2020-01-31 10:15:32 +01:00
Gilles Peskine
4295e8b9c5 Rework PSA curve to mbedlts group id conversion
Don't rely on the bit size encoded in the PSA curve identifier, in
preparation for removing that.

For some inputs, the error code on EC key creation changes from
PSA_ERROR_INVALID_ARGUMENT to PSA_ERROR_NOT_SUPPORTED or vice versa.
There will be further such changes in subsequent commits.
2020-01-31 10:15:32 +01:00
Gilles Peskine
c7ef5b3f45 Rework mbedlts group id to PSA curve conversion
Don't rely on the PSA curve identifier determining the key size, in
preparation for removing that.
2020-01-31 10:15:32 +01:00
Gilles Peskine
2eea95cb5d Extract the block size from the key type encoding 2020-01-31 10:15:32 +01:00
Gilles Peskine
7bfcfac164 Change key type encodings to avoid bit 16
Key types are now encoded through a category in the upper 4 bits (bits
28-31) and a type-within-category in the next 11 bits (bits 17-27),
with bit 16 unused and bits 0-15 only used for the EC curve or DH
group.

For symmetric keys, bits 20-22 encode the block size (0x0=stream,
0x3=8B, 0x4=16B).
2020-01-31 10:15:32 +01:00
Gilles Peskine
8fe6e0de3a Symmetric key types only use the upper 16 bits of psa_key_type_t
Change the numerical encoding of values for symmetric key types to
have 0000 as the lower 16 bits. Now the lower 16 bits are only used
for key types that have a subtype (EC curve or DH group).
2020-01-31 10:15:32 +01:00
Manuel Pégourié-Gonnard
350d4c3630
Merge pull request #327 from gilles-peskine-arm/psa-hash_compute
Implement psa_hash_compute and psa_hash_compare
2020-01-31 09:31:41 +01:00
Gilles Peskine
13faa2d920 Don't declare a parameter as const
An earlier commit fixed this for psa_hash_compare. psa_mac_verify had
the same flaw.
2020-01-30 16:32:21 +01:00
Gilles Peskine
88e08464f5 Add dedicated test cases for psa_hash_compare
psa_hash_compare is tested for good cases and invalid-signature cases
in hash_compute_compare. Also test invalid-argument cases. Also run a
few autonomous test cases with valid arguments.
2020-01-30 12:27:14 +01:00
Gilles Peskine
29eb80d26c Remove some spurious dependencies on MBEDTLS_SHA256_C 2020-01-30 12:27:14 +01:00
Gilles Peskine
fa710f5c6a Don't declare a parameter as const
Whether a parameter should be const is an implementation detail of the
function, so don't declare a parameter of psa_hash_compare as
const. (This only applies to parameters themselves, not to objects
that pointer parameters points to.)
2020-01-30 12:27:14 +01:00
Gilles Peskine
1fb7aea9b3 Add command line option to hide warnings 2020-01-30 12:27:14 +01:00
Gilles Peskine
84b8fc8213 Use psa_hash_compute in psa_hmac_setup_internal 2020-01-30 12:27:14 +01:00
Gilles Peskine
7b8efaffaa Add missing dependencies on MBEDTLS_MD_C
The PSA implementations of deterministic ECDSA, of all RSA signatures
and of RSA OAEP use the MD module.
2020-01-30 12:27:14 +01:00
Gilles Peskine
aead02cce9 Remove obsolete dependencies on MBEDTLS_MD_C
The PSA implementation of hash algorithms, HMAC algorithms and KDF
algorithms using HMAC no longer use the MD module.
2020-01-30 12:27:14 +01:00
Gilles Peskine
0a749c8fa3 Implement and test psa_hash_compute, psa_hash_compare 2020-01-30 12:27:12 +01:00
Manuel Pégourié-Gonnard
f712e163b0
Merge pull request #179 from mpg/sha512-no-sha384
Add option to build SHA-512 without SHA-384
2020-01-30 10:32:20 +01:00
Janos Follath
8b38978b85
Merge pull request #349 from gilles-peskine-arm/coverity-20200115-crypto
Fix minor defects found by Coverity
2020-01-29 15:05:11 +00:00
Manuel Pégourié-Gonnard
74ca84a7a9 Fix some whitespace issues 2020-01-29 09:46:49 +01:00
Manuel Pégourié-Gonnard
358462df85
Merge pull request #354 from mpg/fix-ecdsa-pointer-inc
Fix incrementing pointer instead of value
2020-01-28 09:26:28 +01:00
Janos Follath
1146b4e060
Merge pull request #348 from yanesca/bump-version-to-mbed-tls-2.20.0
Bump version to Mbed TLS 2.20.0 and crypto SO version to 4
2020-01-27 15:56:45 +00:00
Manuel Pégourié-Gonnard
ee4ba54d8d Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:11:56 +01:00
Manuel Pégourié-Gonnard
2b9b780ac0 Rename internal macro for consistency
Other modules have similar internal macros using _LENGTH in the name.
2020-01-24 11:01:02 +01:00
Manuel Pégourié-Gonnard
b7f7092f57 Remove preprocessor directive for consistency
Other cases in this switch statement aren't guarded either.
2020-01-24 10:59:08 +01:00
Manuel Pégourié-Gonnard
3a3b5c7827 Improve doxygen formatting 2020-01-24 10:57:25 +01:00
Gilles Peskine
84984ae220 Add missing return code check on calls to mbedtls_md() 2020-01-21 16:52:08 +01:00
Gilles Peskine
9018b11302 Check that mbedtls_mpi_grow succeeds 2020-01-21 16:30:53 +01:00
Gilles Peskine
292672eb12 If ASSERT_ALLOC_WEAK fails, mark the test as skipped, not passed
This was the intended behavior of ASSERT_ALLOC_WEAK all along, but
skipping was not implemented yet when ASSERT_ALLOC_WEAK was
introduced.
2020-01-21 16:20:04 +01:00
Gilles Peskine
42a1acfd0e get_len_step: Fix end-of-buffer calculation when buffer_size==0
Fix get_len_step when buffer_size==0. The intent of this test is to
ensure (via static or runtime buffer overflow analysis) that
mbedtls_asn1_get_len does not attempt to access beyond the end of the
buffer. When buffer_size is 0 (reached from get_len when parsing a
1-byte buffer), the buffer is buf[1..1] because allocating a 0-byte
buffer might yield a null pointer rather than a valid pointer. In this
case the end of the buffer is p==buf+1, not buf+buffer_size which is
buf+0.

The test passed because calling mbedtls_asn1_get_len(&p,end,...) with
end < p happens to work, but this is not guaranteed.
2020-01-21 16:12:07 +01:00
Janos Follath
2e9f108fbd Bump version to Mbed TLS 2.20.0 2020-01-21 14:08:26 +00:00
Gilles Peskine
a2bdcb9e3a Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-21 15:02:14 +01:00
Janos Follath
d27a88438f Merge branch 'development' into development-restricted 2020-01-15 15:55:11 +00:00
Jaeden Amero
a337167543
Merge pull request #342 from Patater/reseed-counter-value-comment
ctr_drbg: Clarify reseed_counter values before seeding
2020-01-10 13:49:33 +00:00
Jaeden Amero
a15c71374b ctr_drbg: Clarify reseed_counter values before seeding
Before the initial seeding, reseed_counter used to always be 0. Now, the
value depends on whether or not the user has explicitly set the amount
of data to get from the nonce (via e.g.
mbedtls_ctr_drbg_set_nonce_len()). Add comments to clarify the possible
values reseed_counter can have before the initial seeding.
2020-01-09 13:48:52 +00:00
Manuel Pégourié-Gonnard
1e6fb01448 Make SHA512_NO_SHA384 depend on SHA512_C 2020-01-07 11:00:34 +01:00
Manuel Pégourié-Gonnard
86a39bdbc5 Improve readability of test dependencies
- Always put MBEDTLS_SHA512_NO_SHA384 immediately after MBEDTLS_SHA512_C
- Remove duplicate occurrences of MBEDTLS_SHA512_NO_SHA384 on the same line
2020-01-07 10:24:17 +01:00
Manuel Pégourié-Gonnard
2d88549c6b Improve readability of macro in selftest 2020-01-07 10:17:35 +01:00
Manuel Pégourié-Gonnard
0b9db441c8 Make optional parameter validation more precise 2020-01-07 10:14:54 +01:00
Manuel Pégourié-Gonnard
792b16d83b Make more code paths conditional in psa_crypto.c 2020-01-07 10:13:18 +01:00
Manuel Pégourié-Gonnard
663ee2019a Clarify documentation on is384. 2020-01-07 10:11:22 +01:00
Manuel Pégourié-Gonnard
20f236de37 Adjust depends-hashes.pl to test NO_SHA384 as well 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
d602084cde Implement NO_SHA384 in MD layer and PSA 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
6ba5a3fc57 Declare test dependencies on !SHA512_NO_SHA384 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
39ea19a35c Adapt sha512 selftest to NO_SHA384 option 2020-01-06 11:40:23 +01:00