Commit Graph

16566 Commits

Author SHA1 Message Date
Gilles Peskine
3f5c2232f0
Merge pull request #5235 from paul-elliott-arm/fix_test_suite_ssl_2.x
Backport 2.x: Fix test_suite_ssl compilation errors with GCC11
2021-11-25 22:02:46 +01:00
Gilles Peskine
9501bd7d6e Make PSA headers more self-contained
Several files among include/psa/crypto_*.h are not meant to be included
directly, and are not guaranteed to be valid if included directly. This
makes it harder to perform some static analyses. So make these files more
self-contained so that at least, if included on their own, there is no
missing macro or type definition (excluding the deliberate use of forward
declarations of structs and unions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 20:34:05 +01:00
Paul Elliott
14148c4fbe Fix Changelog
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-25 18:08:30 +00:00
Paul Elliott
954578644f Fix compilation errors.
Under gcc11(+) both message and received would cause errors for
potentially being used uninitialised. We fixed many of these issues in
another PR, but this one is only seen under certain configs.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-25 18:08:23 +00:00
Gilles Peskine
6fa5c1d20c Use the normal idiom to support MBEDTLS_CONFIG_FILE
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:12:44 +01:00
Gilles Peskine
8e8e96500a Fix dynamic library extension on macOS
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:02:17 +01:00
Gilles Peskine
eea9c74d81 More explicit output for the test program
Without that, the logs were a bit hard to understand if you didn't know what
to expect.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:02:17 +01:00
Gilles Peskine
3dbb3e7e07 Avoid undefined variable warning without MBEDTLS_MD_C
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:02:17 +01:00
Gilles Peskine
99d8486f8e Use CMake's knowledge of what system library has dlopen()
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:02:17 +01:00
Gilles Peskine
507c787b44 Don't build dlopen when building for Windows
Windows doesn't have dlopen, not even Linux emulation environments such as
MinGW.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:02:17 +01:00
Gilles Peskine
71fcb3c994 Only link with libdl on Linux
Requiring an extra library for dlopen is a Linux non-POSIX-compliance.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:00:53 +01:00
Gilles Peskine
27482f17f1 Run the dlopen test in shared library builds
Non-regression for the fix in https://github.com/ARMmbed/mbedtls/pull/5126:
libmbedtls and libmbedx509 did not declare their dependencies on libmbedx509
and libmbedcrypto when built with make.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:00:53 +01:00
Gilles Peskine
e94335399f New test app for dynamic loading of libmbed* with dlopen
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 18:00:53 +01:00
Ronald Cron
f8f425d95d psa: Remove psa_key_slot_is_external()
Remove psa_key_slot_is_external() that is not used anymore.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-25 17:40:58 +01:00
Ronald Cron
41e8006fa2 psa: Remove buggy report of RSA public exponent for opaque keys
The report of RSA public exponent for opaque keys is not
supported. Do not attempt to compute the RSA public
exponent of an RSA opaque key associated to a driver
implementing the new driver interface when
MBEDTLS_PSA_CRYPTO_SE_C is disabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-25 17:40:58 +01:00
Ronald Cron
0518f61e1a psa: Fix slot number key attribute
Slot number key attribute is specific of dynamically
registered drivers and should thus not be computed/
returned in case of keys associated to drivers
implementing the new unified driver interface.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-25 17:40:58 +01:00
Ronald Cron
8a0466a052 Clarify psa_get_and_lock_transparent_key_slot_with_policy() purpose
Clarify the purpose of
psa_get_and_lock_transparent_key_slot_with_policy() and
define it even when MBEDTLS_PSA_CRYPTO_SE_C is disabled
for the purpose of static drivers.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-25 17:40:58 +01:00
Gilles Peskine
c668de6f7f
Merge pull request #5200 from AndrzejKurek/fix-getting-started-2_x
Backport 2.x: Fix duplicate variable name in getting_started.md
2021-11-24 20:51:03 +01:00
Gilles Peskine
3107b337e1
Merge pull request #5154 from gabor-mezei-arm/3649_bp2x_move_constant_time_functions_into_separate_module
[Backport 2.x] Move constant-time functions into a separate module
2021-11-24 19:33:03 +01:00
Gilles Peskine
989a4e9388
Merge pull request #5132 from openluopworld/origin/development_2.x
Backport 2.x: Fix GCM calculation with very long IV
2021-11-22 22:22:47 +01:00
Gilles Peskine
b80aa7c609
Merge pull request #5214 from tom-cosgrove-arm/pr5105_2.x
Backport 2.x: doc improvements in aes and sha256 includes
2021-11-22 22:21:56 +01:00
Tom Cosgrove
8100bf5d67 further improvements to sha256 docs
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2021-11-22 15:35:58 +00:00
Tom Cosgrove
bcd2f67624 doc improvements in aes and sha256 includes
- Add return value description to the docs of mbedtls_sha256
- Remove description of non-existing "mode" parameter from the docs of mbedtls_aes_crypt_ctr

Backport of #5105

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2021-11-22 15:02:29 +00:00
Andrzej Kurek
f236bbb735 Fix duplicate variable name in getting_started.md
Rename the key id variables to not clash with the raw key data.
This was introduced in cf56a0a3.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-11-19 13:50:35 +01:00
Manuel Pégourié-Gonnard
1d7f7a7c6e
Merge pull request #5194 from bensze01/invalid_nonce_error_2.x
Backport 2.x: PSA: Indicate in the error returned when we know that an AEAD nonce length is invalid, not just unsupported
2021-11-18 09:41:15 +01:00
Gilles Peskine
23b4096ecf Fix several bugs with multiline comments
Empty the current line if it's entirely inside a comment.

Don't incorrectly end a block comment at the second line if it doesn't
contain `*/`.

Recognize `/*` to start a multiline comment even if it isn't at the start of
the line.

When stripping off comments, consistently strip off `/*` and `*/`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:45:39 +01:00
Gilles Peskine
44801627d2 Improve comment and string stripping
Make that part of the code more readable.

Add support for // line comments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:45:06 +01:00
Gilles Peskine
4f04d619b5 Fix terminology in comment
In computing, brackets are []. () are called parentheses.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:39:56 +01:00
Gilles Peskine
df30665a16 Move comment and string literal processing to a new function
No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:32:31 +01:00
Gilles Peskine
c8fc67f341 Simplify some regex definitions
Use '|'.join([comma-separated list]) rather than r'...|' r'...|'. This way
there's less risk of forgetting a '|'. Pylint will yell if we forget a comma
between list elements.

Use match rather than search + mandatory start anchor for EXCLUSION_LINES.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:23:18 +01:00
Gilles Peskine
e833998b58 Update comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-17 20:00:13 +01:00
Gilles Peskine
90321622e6
Merge pull request #5196 from bensze01/test_psa_compliance_2.x
Backport 2.x: Remove superfluous expected failure from test_psa_compliance
2021-11-17 17:14:22 +01:00
Bence Szépkúti
2be65d5134 Remove expected failure from test_psa_compliance
Issue #5143 was fixed in PR #5192.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-17 14:47:56 +01:00
Manuel Pégourié-Gonnard
394c65e0f0
Merge pull request #5169 from bensze01/test_psa_compliance_2.x
Backport 2.x: Run the PSA Compliance test suite in all.sh
2021-11-17 14:10:05 +01:00
Bence Szépkúti
358e0ea464 Indicate nonce sizes invalid for ChaCha20-Poly1305
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-17 14:03:08 +01:00
Manuel Pégourié-Gonnard
1a3201a7b9
Merge pull request #5192 from daverodgman/development_2.x
Backport 2.x: PSA error code fix
2021-11-17 13:09:43 +01:00
paul-elliott-arm
0372792415
Merge pull request #5165 from mprse/aps_mem_leak_2x
(Backport 2x) ssl_client2, ssl_server2: add check for psa memory leaks
2021-11-17 11:54:39 +00:00
Dave Rodgman
dc4e4b72c0 Fix derive_input test ignoring parameter
Fix derive_input test hardcoding key type instead of using test argument.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:52 +00:00
Dave Rodgman
bc92abed8c Update test to handle changed error code
Update test to handle changed error code from psa_key_derivation_output_key

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:51 +00:00
Dave Rodgman
021e724936 Improve PSA error return code
psa_key_derivation_output_key: prioritize BAD_STATE over NOT_PERMITTED

If psa_key_derivation_output_key() is called on an operation which hasn't been
set up or which has been aborted, return PSA_ERROR_BAD_STATE. Only return
PSA_ERROR_NOT_PERMITTED if the operation state is ok for
psa_key_derivation_input_bytes() or psa_key_derivation_output_bytes() but not
ok to output a key.

Ideally psa_key_derivation_output_key() would return PSA_ERROR_NOT_PERMITTED
only when psa_key_derivation_output_bytes() is possible, but this is clumsier
to implement.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-11-17 10:02:48 +00:00
Gilles Peskine
b3f4dd5c81 Lift some code out of parse_identifiers
Make parse_identifiers less complex. Pylint was complaining that it had too
many local variables, and it had a point.

* Lift the constants identifier_regex and exclusion_lines to class
  constants (renamed to uppercase because they're constants).
* Lift the per-file loop into a new function parse_identifiers_in_file.

No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 21:26:08 +01:00
Gilles Peskine
7493c4017a Fix comment parsing
Fix cases like
```
/*short comment*/ /*long
 comment */
int mbedtls_foo;
```
where the previous code thought that the second line started outside of a
comment and ended inside of a comment.

I believe that the new code strips comments correctly. It also strips string
literals, just in case.

Fixes #5191.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 21:25:14 +01:00
Gilles Peskine
c0656b43f1 Note the reordered fields in SSL structures
This is technically an API break according to the unwritten rules of API
compatibility for Mbed TLS 2.x. However, it is very unlikely to affect any
realistic application, with the possible exception of applications that
define a global constant of type mbedtls_ssl_config.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 19:00:04 +01:00
Gilles Peskine
7f03d9ecc6 mbedtls_ssl_config: Replace bit-fields by separate bytes
This slightly increases the RAM consumption per context, but saves code
size on architectures with an instruction for direct byte access (which is
most of them).

Although this is technically an API break, in practice, a realistic
application won't break: it would have had to bypass API functions and rely
on the field size (e.g. relying on -1 == 1 in a 1-bit field).

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 19952 -> 19900 (diff: 52)
library/ssl_msg.o: 25810 -> 25798 (diff: 12)
library/ssl_srv.o: 22371 -> 22299 (diff: 72)
library/ssl_tls.o: 23274 -> 23038 (diff: 236)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2868 -> 2848 (diff: 20)
library/ssl_msg.o: 2916 -> 2924 (diff: -8)
library/ssl_srv.o: 3204 -> 3184 (diff: 20)
library/ssl_tls.o: 5860 -> 5756 (diff: 104)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 18:56:49 +01:00
Lukasz Gniadzik
9a0e0affef mbedtls_ssl_config, mbedtls_ssl_session: reorder fields
Move small fields first so that more fields can be within the Arm Thumb
128-element direct access window.

The ordering in this commit is not based on field access frequency.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 20104 -> 19952 (diff: 152)
library/ssl_msg.o: 25942 -> 25810 (diff: 132)
library/ssl_srv.o: 22467 -> 22371 (diff: 96)
library/ssl_tls.o: 23390 -> 23274 (diff: 116)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 2928 -> 2868 (diff: 60)
library/ssl_msg.o: 2924 -> 2916 (diff: 8)
library/ssl_srv.o: 3232 -> 3204 (diff: 28)
library/ssl_tls.o: 5904 -> 5860 (diff: 44)

Signed-off-by: Lukasz Gniadzik <lukasz.gniadzik@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 18:05:27 +01:00
Gilles Peskine
baccfef741 mbedtls_ssl_handshake_params: reorder fields to save code size
Reorder fields mbedtls_ssl_handshake_params in order to save code on Arm
Thumb builds. The general idea is to put often-used fields in the direct
access window of 128 elements from the beginning of the structure.

The reordering is a human selection based on a report of field offset and
use counts, and informed by measuring the code size with various
arrangements. Some notes:
* I moved most byte-sized fields at the beginning where they're sure to be
  in the direct access window.
* I moved buffering earlier because it can be around the threshold depending
  on the configuration, and it's accessed in a lot of places.
* I moved several fields, including update_checksum and friends, early so
  that they're guaranteed to be in the early access window.
* I tried moving randbytes or premaster to the early access window, but
  I couldn't find a placement which would save code size, presumably because
  they're bumping too many other fields, and they're mostly accessed through
  memcpy and friends which translates to instructions that don't have an
  offset for free anyway.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_cli.o: 20200 -> 20104 (diff: 96)
library/ssl_msg.o: 25978 -> 25942 (diff: 36)
library/ssl_srv.o: 22691 -> 22467 (diff: 224)
library/ssl_tls.o: 23570 -> 23390 (diff: 180)

Results (same architecture, config-suite-b.h + MBEDTLS_ECDH_LEGACY_CONTEXT +
MBEDTLS_ECP_RESTARTABLE):
library/ssl_cli.o: 3012 -> 2928 (diff: 84)
library/ssl_msg.o: 2932 -> 2924 (diff: 8)
library/ssl_srv.o: 3288 -> 3232 (diff: 56)
library/ssl_tls.o: 6032 -> 5904 (diff: 128)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 17:44:31 +01:00
Gilles Peskine
51070849fa mbedtls_ssl_handshake_params: use bytes for some small values
Replace bitfields mbedtls_ssl_handshake_params by bytes. This saves some
code size, and since the bitfields weren't group, this doesn't increase the
RAM usage.

Replace several ints that only store values in the range 0..255 by uint8_t.
This can increase or decrease the code size depending on the architecture
and on how the field is used. I chose changes that save code size on Arm
Thumb builds and may potentially save more after field reordering.

Leave the bitfields in struct mbedtls_ssl_hs_buffer alone: replacing them by
uint8_t slightly increases the code size.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/ssl_srv.o: 22735 -> 22691 (diff: 44)
library/ssl_tls.o: 23566 -> 23570 (diff: -4)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 16:44:00 +01:00
Gilles Peskine
4a13ebff39 Tweak whitespace for readability
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:21:44 +01:00
Gilles Peskine
b8006a66f2 PSA global data: move fields around to save code size
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_crypto.c's global_data, put the state fields first (-20).

In psa_crypto_slot_management.c's global_data, keep the key slots first
(otherwise it's +24).

In mbedtls_psa_random_context_t, swapping entropy and drbg makes no
difference (at least when the DRBG is mbedtls_ctr_drbg_context).

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16166 -> 16146 (diff: 20)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:00:45 +01:00
Gilles Peskine
f5d7eef11f PSA operation structures: move less-used fields to the end
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_hkdf_key_derivation_t, move the large fields (output_block, prk,
hmac) after the state bit-fields. Experimentally, it's slightly better
to put hmac last.

In aead_operation_t, tag_length was outside the window. The details depend
on the sizes of contexts included in ctx. Make the large ctx be the last
field.

In mbedtls_psa_hmac_operation_t, the opad field is outside the window when
SHA-512 is enabled. Moving opad before hash_ctx only saves 4 bytes and made
the structure clumsy, so I left it alone.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16246 -> 16166 (diff: 80)
library/psa_crypto_aead.o: 952 -> 928 (diff: 24)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 15:00:17 +01:00