Commit Graph

15700 Commits

Author SHA1 Message Date
Nick Child
b6d5693be2 pk.c: Ensure hash_len equals hash in pk_hashlen_helper
The function `pk_hashlen_helper` exists to ensure a valid hash_len is
used in pk_verify and pk_sign functions. This function has been
used to adjust to the corrsponding hash_len if the user passes in 0
for the hash_len argument based on the md algorithm given. If the user
does not pass in 0 as the hash_len, then it is not adjusted. This is
problematic if the user gives a hash_len and hash buffer that is less than the
associated length of the md algorithm. This error would go unchecked
and eventually lead to buffer overread when given to specific pk_sign/verify
functions, since they both ignore the hash_len argument if md_alg is not MBEDTLS_MD_NONE.

This commit, adds a conditional to `pk_hashlen_helper` so that an
error is thrown if the user specifies a hash_length (not 0) and it is
not equal to the expected for the associated message digest algorithm.
This aligns better with the api documentation where it states "If
hash_len is 0, then the length associated with md_alg is used instead,
or an error returned if it is invalid"

Signed-off-by: Nick Child <nick.child@ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
2021-06-29 09:31:06 -04:00
Dave Rodgman
78c601b529
Merge pull request #4717 from daverodgman/psa_cipher_and_mac_abort_on_error_2.x
Backport 2.x: Psa cipher and mac abort on error
2021-06-25 15:39:43 +01:00
Dave Rodgman
478ab5443b Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:30 +01:00
Ronald Cron
132e8c3cab
Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x
Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
2021-06-25 09:00:58 +02:00
Gilles Peskine
ee334d1b75 Update Visual Studio project
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-24 20:05:20 +02:00
Dave Rodgman
54f7351d12 Improve psa_hash_update negative test
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 18:14:52 +01:00
Dave Rodgman
d73e1b0ccd Tidy up logic in psa_mac_sign_finish
Simplify the logic in psa_mac_sign_finish.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:57 +01:00
Dave Rodgman
db861797c1 Correct coding style issues
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:53 +01:00
Dave Rodgman
cccb05def4 Call abort on error in psa_mac/cipher setup
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:47 +01:00
Dave Rodgman
4e0a82e274 Update multipart hash operations to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:23 +01:00
Dave Rodgman
ff8d52b398 Add negative tests for psa_abort in hash functions
Various functions for PSA hash operations call abort
on failure; test that this is done. The PSA spec does not require
this behaviour, but it makes our implementation more robust in
case the user does not abort the operation as required by the
PSA spec.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:40:08 +01:00
Dave Rodgman
c88b0a57da Update cipher and mac functions to abort on error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 19:05:35 +01:00
Dave Rodgman
34b147d1e6 Add negative tests for psa_abort in cipher and mac functions
Various functions for PSA cipher and mac operations call abort
on failure; test that this is done. The PSA spec does not require
this behaviour, but it makes our implementation more robust in
case the user does not abort the operation as required by the
PSA spec.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 19:05:32 +01:00
Dave Rodgman
33b58eeb36 Fix error in psa_crypto test suite
The cipher_bad_order test happened to pass, but was not testing the
failure case it intended to test.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-23 14:59:44 +01:00
Ronald Cron
eaacabf98d
Merge pull request #4392 from gilles-peskine-arm/psa-storage-format-test-lifetimes
Backport 2.x: PSA storage format: test lifetimes
2021-06-23 15:22:24 +02:00
Gilles Peskine
76dec15d54 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Gilles Peskine
99a3462785 In the SPM test build, fail if a symbol wasn't renamed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Gilles Peskine
984c19f553 Do a test build with MBEDTLS_PSA_CRYPTO_SPM
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Gilles Peskine
d28f293bb0 Import crypto_spe.h from TF-M
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/plain/secure_fw/partitions/crypto/crypto_spe.h?h=refs/heads/master

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Janos Follath
53d1cf8e2b
Merge pull request #4644 from gilles-peskine-arm/mpi_montmul-null-2.x
Backport 2.x: Fix several bugs with the value 0 in bignum
2021-06-23 13:40:05 +01:00
Gilles Peskine
478ac0bcc1
Merge pull request #4704 from mpg/issue-3990-fix_psa_verify_with_alt-2.x
[Backport 2.x] Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:42 +02:00
Manuel Pégourié-Gonnard
727e1f17dd Mention that mbedtls_rsa_init can set hash_id too
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 10:35:55 +02:00
Gilles Peskine
df51a13c54
Merge pull request #4394 from gilles-peskine-arm/travis-windows-no-generate-2.x
2.2x only: No longer generate psa_constant_names_generated.c on Windows on Travis
2021-06-22 18:53:58 +02:00
Gilles Peskine
11bd2ac3da
Merge pull request #4705 from ronald-cron-arm/3258_implement_one-shot_MAC_2.x
Backport 2.x: Implement one-shot mac in PSA
2021-06-22 18:53:34 +02:00
Ronald Cron
f38646151e Add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
54488c4abc psa: mac: Add driver dispatch tests for psa_mac_verify
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
4ed836883e psa: mac: Add driver delegation support for psa_mac_verify()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
ef0d8f17f8 psa: mac: Introduce psa_mac_compute_internal
Introduce psa_mac_compute_internal with an
additional `is_sign` parameter compared to
the psa_mac_compute API. The intent is to
call psa_mac_compute_internal() from
psa_mac_verify() as well to compute the
message MAC.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
93dcd5963f psa: mac: Add driver dispatch tests for psa_mac_compute
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
882eb780fb psa: mac: Improve MAC finalization code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
dbb8646c2c psa: mac: Add driver delegation support for psa_mac_compute()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
bfdfaa676c psa: mac: Add MAC compute builtin implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
def68e722a psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
1c650a1a37 psa: mac: Split psa_mac_setup()
Split out of psa_mac_setup() the final checks on
the requested algorithm and the key attributes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
48f875e809 psa: mac: Re-organize psa_mac_setup() internal function
Re-organize psa_mac_setup() to prepare the move
to a dedicated function of the additional checks
on the algorithm and the key attributes done by
this function. We want to move those checks in
a dedicated function to be able to do them
without duplicating them in psa_mac_compute().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm
a93e423739 Add test for one-shot MAC functions
Tests for psa_mac_compute and psa_mac_verify functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm
a00616fc6b Implement one-shot MAC functions
Implement one-shot MAC APIs, psa_mac_compute and psa_mac_verify, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-22 13:43:13 +02:00
Janos Follath
03daae6894 Improve psa_rsa_decode_md_type()
Remove a case that cannot be triggered as PSA_ALG_SIGN_GET_HASH always
returns 0 for raw algorithms.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath
0e89dafbab Add ChangeLog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath
02becd90a6 Fix exercise key test
Hash and sign algorithms require the alignment of the input length with
the hash length at verification as well not just when signing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:04 +02:00
Janos Follath
3af7e8fe3a Fix verify_hash tests for PSA RSA PSS
The psa_verify_hash() is the pre-hashed version of the API and supposed
to work on hashes generated by the user. There were tests passing that
were getting "hashes" of sizes different from the expected.

Transform these into properly failing tests.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:04 +02:00
Janos Follath
b23b5745b5 PSA RSA PSS: pass pre-hash algorithm to Mbed TLS
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well
as Mbed TLS does not use this parameter for anything beyond determining
the input lengths.

Some alternative implementations however check the consistency of the
algorithm used for pre-hash and for other uses in verification (verify
operation and mask generation) and fail if they don't match. This makes
all such verifications fail.

Furthermore, the PSA Crypto API mandates that the pre-hash and internal
uses are aligned as well.

Fixes #3990.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:00 +02:00
Janos Follath
456d7e055f mbedtls_rsa_rsassa_pss_*: improve documentation
Hashes used in RSA-PSS encoding (EMSA-PSS-ENCODE, see §9.1.1 in RFC
8017):

- H1: Hashing the message (step 2)
- H2: Hashing in the salt (step 6)
- H3: Mask generation function (step 9)

According to the standard:

- H1 and H2 MUST be done by the same hash function
- H3 is RECOMMENDED to be the same as the hash used for H1 and H2.

According to the implementation:

- H1 happens outside of the function call. It might or might not happen
and the implementation might or might not be aware of the hash used.
- H2 happens inside the function call, consistency with H1 is not
enforced and might not even be possible to detect.
- H3 is done with the same hash as H2 (with the exception of
mbedtls_rsassa_pss_verify_ext(), which takes a dedicated parameter for
the hash used in the MGF).

Issues with the documentation:

- The comments weren't always clear about the three hashes involved and
often only mentioned two of them (which two varied from function to
function).
- The documentation was giving the impression that the standard
recommends aligning H2 and H1 (which is not a recommendation but a
must).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:50:26 +02:00
Gilles Peskine
37d690c45b Correct some statements about the ordering of A and B
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
b798b35374 Clarification in a comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
38a384d2cc Simplify is-zero check
The loop exits early iff there is a nonzero limb, so i==0 means that
all limbs are 0, whether the number of limbs is 0 or not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
8802b127b5 Fix copypasta in test data
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
ea9aa14b3a Write a proof of correctness for mbedtls_mpi_gcd
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
6537bdb5e0 Explain how the code relates to the description in HAC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00
Gilles Peskine
ae7f75c908 Fix copypasta in test cases
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 12:39:17 +02:00