Commit Graph

4900 Commits

Author SHA1 Message Date
k-stachowiak
1a9df6bcb7 Improve style in the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak
95070a8286 Make some cipher parameter validation unconditional 2018-12-19 17:34:58 +01:00
k-stachowiak
c29d94c7bf Account for optional NULL buffer arguments in the Cipher module 2018-12-19 17:34:13 +01:00
k-stachowiak
a539070f82 Make all parameter validation tests optional 2018-12-19 17:34:13 +01:00
Krzysztof Stachowiak
e0215d7869 Add Cipher module parameter validation 2018-12-19 17:34:13 +01:00
k-stachowiak
21298a20c4 Improve parameter validation in mbedtls_gcm_free() 2018-12-19 17:32:19 +01:00
k-stachowiak
8ffc92a1e8 Add parameter validation for the GCM module 2018-12-19 17:30:38 +01:00
Hanno Becker
8ce11a323e Minor improvements to bignum module 2018-12-19 16:18:52 +00:00
Gilles Peskine
ee3cfec3cc PK sign/verify: hash=NULL is ok if md_alg=0 and hash_len=0 2018-12-19 17:11:44 +01:00
Gilles Peskine
159171b72a PK parse/write: support keylen=0 correctly
A 0-length buffer for the key is a legitimate edge case. Ensure that
it works, even with buf=NULL. Document the key and keylen parameters.

There are already test cases for parsing an empty buffer. A subsequent
commit will add tests for writing to an empty buffer.
2018-12-19 17:03:28 +01:00
Hanno Becker
70ded3602c Minor improvements to Camellia module and documentation 2018-12-19 13:42:05 +00:00
Gilles Peskine
1f19fa6f62 PK: Fix free(NULL) in library and tests
free() functions are documented as no-ops on NULL. Implement and test
this correctly.
2018-12-19 14:18:39 +01:00
Hanno Becker
541aa69de4 Implement parameter validation for Blowfish module 2018-12-19 12:52:59 +00:00
Hanno Becker
b54ae0bc0d Implement parameter validation for ARIA module 2018-12-19 12:51:00 +00:00
Hanno Becker
ff62f44ad7 Remove duplicated parameter check in CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker
b4b7fb7504 Implement parameter validation for CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker
9994e0d7cf Regenerate errors.c 2018-12-19 09:55:40 +00:00
Hanno Becker
d8e4f4a764 Regenerate errors.c 2018-12-19 09:54:55 +00:00
Hanno Becker
859522a31c Regenerate errors.c 2018-12-19 09:54:14 +00:00
Hanno Becker
185e516309 Minor fixes to ECJPAKE parameter validation 2018-12-19 09:48:50 +00:00
Hanno Becker
b7a04a7851 Fix mbedtls_ecp_curve_info_from_name() for NULL input 2018-12-19 08:52:05 +00:00
Hanno Becker
80f71689ee Add parameter validation to mbedtls_ecp_restart_init() 2018-12-19 08:51:52 +00:00
Simon Butcher
54b789aa74 Merge remote-tracking branch 'public/pr/2298' into development 2018-12-19 08:08:14 +00:00
Gilles Peskine
e97dc60b42 Implement parameter validation in pk, pkparse and pkwrite
Add checks for null pointers under MBEDTLS_CHECK_PARAMS.

In functions that perform operations with a context, only check if the
context pointer is non-null under MBEDTLS_CHECK_PARAMS. In the default
configuration, unconditionally dereference the context pointer.

In functions that query a context, support NULL as a
pointer-to-context argument, and return the same value as for a
context which has been initialized but not set up.
2018-12-19 00:55:36 +01:00
Hanno Becker
c81cfece8f Minor fixes to parameter validation in ECDH module 2018-12-18 23:32:42 +00:00
Hanno Becker
a7634e8347 Fix wrong invocation of parameter validation macro in ECDH module 2018-12-18 18:45:00 +00:00
Hanno Becker
54c91dd235 Remove double semicolon from bignum.c 2018-12-18 18:12:13 +00:00
Hanno Becker
73d7d79bc1 Implement parameter validation for MPI module 2018-12-18 18:12:13 +00:00
Hanno Becker
38e15d49f3 Don't declare MBEDTLS-namespace identifiers in sha512.c 2018-12-18 17:54:00 +00:00
Hanno Becker
8d215e7130 Don't define MBEDTLS-namespace macros in sha256.c 2018-12-18 17:53:21 +00:00
Hanno Becker
039ccab243 Don't declare MBEDTLS-namespace macros in sha1.c 2018-12-18 17:52:14 +00:00
Hanno Becker
2f660d047d Forbid passing NULL input buffers to RSA encryption routines 2018-12-18 17:07:30 +00:00
Hanno Becker
adc9b178ca Minor improvements to DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker
5c14ed6f86 Implement parameter validation for DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker
ca6f4585c7 Fix parameter validation in SHA-512 module 2018-12-18 16:36:26 +00:00
Hanno Becker
596e014a06 Add validation is is224 argument in mbedtls_sha256_starts_ret() 2018-12-18 16:31:06 +00:00
Hanno Becker
230b4f4159 Fix definition of MBEDTLS_SHA256_VALIDATE[_RET] in sha256.c 2018-12-18 16:31:06 +00:00
Hanno Becker
236ea16c01 Fix wrong conditional in free() functions 2018-12-18 15:30:30 +00:00
Hanno Becker
e463c42902 Minor improvements 2018-12-18 15:30:30 +00:00
Hanno Becker
305e4e4f32 Implement parameter validation for ChaCha/Poly modules 2018-12-18 15:30:30 +00:00
Andres Amaya Garcia
863d483965 Add MBEDTLS_ERR_SHA512_BAD_INPUT_DATA to error.{h,c} 2018-12-18 15:06:39 +00:00
Andres Amaya Garcia
ba519b94a5 Add parameter validation to SHA-512 module 2018-12-18 15:06:39 +00:00
Hanno Becker
b86e684ed4 Move/remove param validation in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
- The validity of the input and output parameters is checked by
  parameter validation.
- A PRNG is required in public mode only (even though it's also
  recommended in private mode), so move the check to the
  corresponding branch.
2018-12-18 14:46:04 +00:00
Hanno Becker
319ae11ab3 Implement parameter validation in ECDSA module 2018-12-18 14:31:50 +00:00
Hanno Becker
71c8e1b8d8 Implement parameter validation in ECJPAKE module 2018-12-18 14:31:18 +00:00
Hanno Becker
91796d7471 Implement parameter validation in ECDH module 2018-12-18 14:30:39 +00:00
Hanno Becker
ddeeed7d1b Implement parameter validation for RSA module 2018-12-18 13:38:05 +00:00
Hanno Becker
4f8e8e5805 Implement parameter validation for ECP module 2018-12-18 13:00:48 +00:00
Andres Amaya Garcia
9e76c0e77f Add MBEDTLS_ERR_SHA256_BAD_INPUT_DATA to error.{h,c} 2018-12-18 11:41:20 +00:00
Andres Amaya Garcia
79e593f617 Add parameter validation to SHA-256 module 2018-12-18 11:41:20 +00:00
Hanno Becker
b3906d8829 Minor fixes to implementation of SHA1 parameter validation 2018-12-18 11:37:28 +00:00
Andres Amaya Garcia
a685d4f28d Add MBEDTLS_ERR_SHA1_BAD_INPUT_DATA to error.{h,c} 2018-12-18 11:37:28 +00:00
Andres Amaya Garcia
f7c43b3145 Add parameter validation to SHA-1 2018-12-18 11:37:28 +00:00
Manuel Pégourié-Gonnard
e55e103bfe Fix off-by-one in iv_off check and add tests 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
5b89c09273 Add check for iv_off in AES-CFB128 and AES-OFB
The check is mandatory as skipping it results in buffer overread of arbitrary
size.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
998a358529 Make a check more explicit in aes.c
The check was already done later when calling ECB, (as evidenced by the tests
passing, which have a call with data_unit set to NULL), but it's more readable
to have it here too, and more helpful when debugging.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
eb6d3968b1 Fix some whitespace issues in aes.c 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
2bc535be86 Add parameter validation for AES-CTR 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
8e41eb7187 Add parameter validation for AES-OFB 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1677cca54b Add parameter validation for AES-CFB functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
191af1313a Add param validation for mbedtls_aes_crypt_xts() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
3178d1a997 Add param validation for mbedtls_aes_crypt_cbc() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1aca260571 Add parameter validation for mbedtls_aes_crypt_ecb() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
68e3dff3f1 Add parameter validation XTS setkey functions 2018-12-18 12:22:40 +01:00
Hanno Becker
6640b0d9a3 Undo deprecation of MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH 2018-12-18 09:53:14 +00:00
Hanno Becker
a034369eca Undo deprecation of MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH 2018-12-18 09:53:11 +00:00
Hanno Becker
938f9e9bdb Undo deprecation of MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
Merging MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH and
MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH is an API break.
2018-12-18 09:50:57 +00:00
Hanno Becker
3214215b1e Update errors.c 2018-12-17 13:26:42 +00:00
Hanno Becker
d2f3a00062 Introduce single BLOWFISH error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
* MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
2018-12-17 13:26:37 +00:00
Hanno Becker
4c029d09be Introduce single CAMELLIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:33 +00:00
Hanno Becker
2f47550018 Introduce single ARIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:28 +00:00
Gilles Peskine
1a76f3971c Merge remote-tracking branch 'psa/pr/230' into feature-psa
Implement a key handle mechanism
2018-12-12 16:15:34 +01:00
Gilles Peskine
2e14bd3aaf Add missing static on file-scope variable 2018-12-12 14:05:18 +01:00
Gilles Peskine
23fd2bdb94 Update some documentation related to key slots
Some of the documentation is obsolete in its reference to key slots
when it should discuss key handles. This may require a further pass,
possibly with some reorganization of error codes.

Update the documentation of functions that modify key slots (key
material creation and psa_set_key_policy()) to discuss how they affect
storage.
2018-12-11 16:48:14 +01:00
Gilles Peskine
09829036ab Document some functions in internal headers 2018-12-11 16:48:14 +01:00
Gilles Peskine
fa4135b135 Move more slot management functions to the proper module
Move psa_load_persistent_key_into_slot,
psa_internal_make_key_persistent and psa_internal_release_key_slot to
the slot management module.

Expose psa_import_key_into_slot from the core.

After this commit, there are no longer any functions declared in
psa_crypto_slot_management.h and defined in psa_crypto.c. There are
still function calls in both directions between psa_crypto.c and
psa_crypto_slot_management.c.
2018-12-11 16:48:14 +01:00
Gilles Peskine
66fb126e87 Move the key slot array to the slot management module
Move the key slot array and its initialization and wiping to the slot
management module.

Also move the lowest-level key slot access function psa_get_key_slot
and the auxiliary function for slot allocation
psa_internal_allocate_key_slot to the slot management module.
2018-12-11 16:48:14 +01:00
Gilles Peskine
408319be3a Remove redundant check for slot->allocated
This check became redundant when support for direct access to key
slots was removed.
2018-12-11 16:48:14 +01:00
Gilles Peskine
48868129cd Document the maximum key identifier
Give it a name and explain why it was chosen.
2018-12-11 16:48:14 +01:00
Gilles Peskine
039b90cf5b Expose the PSA key slot structure to internal modules
Move psa_key_slot_t to a new header psa_crypto_core.h, to prepare for
moving the responsibility for some fields to
psa_crypto_slot_management.c.
2018-12-11 16:48:14 +01:00
Gilles Peskine
3f10812ff9 Use the library-wide zeroize function
Since Mbed TLS 2.10, there is a single copy of
mbedtls_platform_zeroize for the whole library instead of one per
module. Update the PSA crypto module accordingly.
2018-12-11 16:48:14 +01:00
Gilles Peskine
fe9756b1f5 Remove a comment that is no longer applicable 2018-12-11 16:48:14 +01:00
Gilles Peskine
2f060a8ea5 Rename key_slot_t to psa_key_slot_t in psa_crypto.c
That way it'll be ok to add it to an internal header so as to use it
in multiple source modules.
2018-12-11 16:48:14 +01:00
Gilles Peskine
4a044739a8 Fix the build without persistent storage
Add missing guards on MBEDTLS_PSA_CRYPTO_STORAGE_C.

Add test cases to test that psa_create_key and psa_open_key return
NOT_SUPPORTED.
2018-12-11 16:48:14 +01:00
Gilles Peskine
c5487a8892 Drop support for psa_key_slot_t in psa_crypto.c
This commit finishes the removal of support for direct access to key
slots in psa_crypto.c.

This marks the end of the necessary phase of the transition to key
handles. The code should subsequently be refactored to move key slot
management from psa_crypto.c to psa_crypto_slot_management.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
b77a6b25c0 Remove psa_set_key_lifetime
This function is no longer relevant. Use psa_create_key instead.
2018-12-11 16:48:13 +01:00
Gilles Peskine
f6cc435a8a Remove psa_key_slot_t from public headers
This commit marks the beginning of the removal of support for direct
access to key slots. From this commit on, programs that use
psa_key_slot_t will no longer compile.

Subsequent commits will remove the now-unused legacy support in
psa_crypto.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
a23eafce3a Fix snprintf call to assume less about integral type sizes
The code only worked if psa_key_id_t (formerly psa_key_slot_t)
promoted to int and every value fit in int. Now the code only assumes
that psa_key_id_t is less wide than unsigned long, which is the case
since psa_key_id_t is a 32-bit type in our implementation.
2018-12-11 16:48:13 +01:00
Gilles Peskine
8d4919bc6a Persistent storage implementation: psa_key_slot_t -> psa_key_id_t
Move the persistent storage implementation from psa_key_slot_t to
psa_key_id_t. For the most part, this just means changing the types of
function arguments.

Update the documentation of some functions to reflect the fact that
the slot identifier is purely a storage identifier and is not related
to how the slot is designated in memory.
2018-12-11 16:48:13 +01:00
Gilles Peskine
f77ed1f20b Factor the common idiom psa_wipe_key_slot into a function
Many places in the code called psa_remove_key_data_from_memory (which
preserves metadata for the sake of failues in psa_import_key) followed
by clearing the slot data. Use an auxiliary function for this.
2018-12-11 16:48:13 +01:00
Gilles Peskine
d7c75707b8 mbedtls_psa_crypto_free: free allocated slots as well
Access the slot directly rather than going through psa_get_key_slot.
Unlike other places where key slots are accessed through
psa_get_key_slot, here, we know where all the slots are and there are
no policy or permission considerations.

This resolves a memory leak: allocated slots were not getting freed
because psa_get_key_slot rejected the attempt of accessing them
directly rather than via a handle.
2018-12-11 16:48:13 +01:00
Gilles Peskine
961849f6d1 Implement slot allocation
Implement psa_allocate_key, psa_open_key, psa_create_key,
psa_close_key.

Add support for keys designated to handles to psa_get_key_slot, and
thereby to the whole API.

Allocated and non-allocated keys can coexist. This is a temporary
stage in order to transition from the use of direct slot numbers to
allocated handles only. Once all the tests and sample programs have
been migrated to use handles, the implementation will be simplified
and made more robust with support for handles only.
2018-12-11 16:48:13 +01:00
Gilles Peskine
69f976b1d6 Distinguish in-memory slot number from in-storage slot identifier
At the moment, the in-storage slot identifier is the in-memory slot
number. But track them separately, to prepare for API changes that
will let them be different (psa_open_key, psa_create_key).
2018-12-11 16:48:12 +01:00
Manuel Pégourié-Gonnard
e451be5d04 Update version_features.c 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
44c5d58d05 Document AES functions and fix free() functions 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
0e9cddbf1a Introduce generic validation macros
Avoid duplicating source code for each module.
2018-12-11 12:28:56 +01:00
Simon Butcher
4c37db6d87 Remove the library provided function of MBEDTLS_PARAM_FAILED
The function called through the macro MBEDTLS_PARAM_FAILED() must be supplied by
users and makes no sense as a library function, apart from debug and test.
2018-12-11 12:28:56 +01:00
Simon Butcher
5201e414aa Add optional parameter validation to the AES module
This adds additional and optional parameter validation to the AES module that
can be used by enabling the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher
b4868034dd Add initial options and support for parameter validation
This function adds the additional config.h option of MBEDTLS_CHECK_PARAMS which
allows additional validation of parameters passed to the library.
2018-12-11 12:28:56 +01:00
Jaeden Amero
01b34fb316 Merge remote-tracking branch 'upstream-public/pr/2267' into development 2018-12-07 16:17:12 +00:00
Jaeden Amero
52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Janos Follath
683c582530 Clarify alternative ECP calling conventions
Function calls to alternative implementations have to follow certain
rules in order to preserve correct functionality. To avoid accidentally
breaking these rules we state them explicitly in the ECP module for
ourselves and every contributor to see.
2018-12-07 13:13:30 +00:00
Janos Follath
af6f2694a4 Fix ECC hardware double initialization
We initialized the ECC hardware before calling
mbedtls_ecp_mul_shortcuts(). This in turn calls
mbedtls_ecp_mul_restartable(), which initializes and frees the hardware
too. This issue has been introduced by recent changes and caused some
accelerators to hang.

We move the initialization after the mbedtle_ecp_mul_shortcuts() calls
to avoid double initialization.
2018-12-07 11:03:47 +00:00
Jaeden Amero
e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero
5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero
bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero
a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero
c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero
41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Janos Follath
3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath
948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath
5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Jaeden Amero
750a049a15
Merge pull request #229 from ARMmbed/dev/Patater/fix-its-typo
storage: Correct typo of PSA_PS_ERROR_OFFSET
2018-12-05 13:19:31 +00:00
Gilles Peskine
5a3c50e890 Don't use an enum in a bit-field
This isn't standard C. GCC and Clang accept it but not every
compiler (e.g. Armcc 5).
2018-12-04 12:27:09 +01:00
Jaeden Amero
5dfca1e1bd Update library version to 2.15.1 2018-12-01 18:44:29 +00:00
Janos Follath
f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath
89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Gilles Peskine
9edc146237
Merge pull request #209 from ARMmbed/psa-init_tests
Test psa_crypto_init and make it more robust
2018-11-30 13:28:47 +01:00
Jaeden Amero
58600557bb storage: Correct typo of PSA_PS_ERROR_OFFSET
Correct typo of PSA_PS_ERROR_OFFSET to PSA_ITS_ERROR_OFFSET.
2018-11-30 12:10:29 +00:00
Simon Butcher
51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher
b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher
658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Gilles Peskine
b0b189f31f Add missing compilation guards for GCM and CCM
Add missing compilation guards that broke the build if either GCM or
CCM was not defined.

Add missing guards on test cases that require GCM or CBC.

The build and tests now pass for any subset of {MBEDTLS_CCM_C,
MBEDTLS_GCM_C}. There are still unused variables warnings if neither
is defined.
2018-11-28 17:30:58 +01:00
Ron Eldor
a16fa297f7 Refactor mpi_write_hlp to not be recursive
Refactor `mpi_write_hlp()` to not be recursive, to fix stack overflows.
Iterate over the `mbedtls_mpi` division of the radix requested,
until it is zero. Each iteration, put the residue in the next LSB
of the output buffer. Fixes #2190
2018-11-27 10:34:36 +02:00
Gilles Peskine
8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine
b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine
e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00
Gilles Peskine
d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Gilles Peskine
afa803775a HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine
d9aa84dc0d CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine
5e76952235 Add a facility to configure entropy sources
Add a function to configure entropy sources. For testing only.

Use it to test that the library initialization fails properly if there is no
entropy source.
2018-11-23 22:58:38 +01:00
Simon Butcher
60ee838a8a Merge remote-tracking branch 'public/pr/2224' into development-psa-proposed 2018-11-23 21:18:32 +00:00
Hanno Becker
9edcc3e8fb Merge branch 'iotssl-2597-psa-hashing-x509_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 16:00:34 +00:00
Hanno Becker
8295695aca Merge branch 'iotssl-2578-psa-sig-verification_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 16:00:32 +00:00
Hanno Becker
02f20216bd Merge branch 'psa_cipher_integration_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:59:26 +00:00
Hanno Becker
6b01a9fa7c Merge branch 'psa_cipher_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:53:27 +00:00
Hanno Becker
e322d3edd5 Merge branch 'opaque_psk_implementation_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:53:24 +00:00
Hanno Becker
a96cc8a9fd Merge branch 'iotssl-2596-opaque-csr-creation_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:47:22 +00:00
Hanno Becker
7fde035ddc Merge branch 'iotssl-2580-pk-opaque-psa_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:47:20 +00:00
Jaeden Amero
82df32e3fd psa: Unused key_bits is OK
When MD or CMAC are disabled, let the compiler know that it is OK that
`key_bits` is set but not used by casting `key_bits` to `(void)`.
2018-11-23 15:20:56 +00:00
Simon Butcher
ebeb6cb446 Update library version to 2.15.0 2018-11-23 14:18:15 +00:00
Hanno Becker
3441d2e4a4 Merge branch 'iotssl-2597-psa-hashing-x509' into development-psa-proposed 2018-11-23 11:42:07 +00:00
Hanno Becker
4ae8b497c0 Merge branch 'iotssl-2578-psa-sig-verification' into development-psa-proposed 2018-11-23 11:37:00 +00:00
Hanno Becker
a0a96a0c56 Merge branch 'psa_cipher_integration' into development-psa-proposed 2018-11-23 11:26:57 +00:00
Hanno Becker
f8b5f27bce Merge branch 'psa_cipher' into development-psa-proposed 2018-11-23 11:18:02 +00:00
Hanno Becker
485529952f Merge branch 'opaque_psk_implementation' into development-psa-proposed 2018-11-23 11:12:38 +00:00
Andrzej Kurek
266d907c87 pk_wrap.c: fix length mismatch check placement 2018-11-22 13:37:14 -05:00
Andrzej Kurek
96cc1b3def pk_wrap.c: tidy up signature extraction
Add a sanity check for signature length, remove superfluous bounds check.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
e30ad542a1 Cosmetic changes
Move memset to a more relevant spot, fix one whitespace error
2018-11-22 13:37:14 -05:00
Andrzej Kurek
73bf6b9e00 pk_wrap: rework and tidy up signature extraction
Improve comments, use a normal buffer instead of mbedtls_asn1_buf,
remove unneeded variables and use shared utilities where possible.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
688ea8d10d pk_wrap: reuse a static buffer for signature extraction
Use a buffer left over after importing a key to hold an extracted signature.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
3016de3eeb pk_wrap: rework signature extraction to work with small r and s values
There is a probability that r will be encoded as 31 or less bytes in DER,
so additional padding is added in such case.
Added a signature-part extraction function to tidy up the code further.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
45fc464156 pk_wrap: improve error codes returned from ecdsa_verify_wrap
Use the shared PSA utilities to translate errors.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
ca6330992e pk_wrap: switch to helper functions defined in psa_util.h
Remove duplicated helper functions.
Remove an unnecessary call to psa_crypto_init().
2018-11-22 13:37:14 -05:00
Andrzej Kurek
510ee70501 pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
Adjust tests to pass a valid algorithm
2018-11-22 13:37:14 -05:00
Andrzej Kurek
2f69b1a059 pk_wrap: destroy key slot on errors with policy or key importing 2018-11-22 13:37:14 -05:00
Andrzej Kurek
c097b0fded pk_wrap: add a check for equal signature parts 2018-11-22 13:37:14 -05:00
Andrzej Kurek
f8c94a811a pk_wrap: check if curve conversion is successful 2018-11-22 13:37:14 -05:00
Andrzej Kurek
6d49ae9223 pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig
Fix a double free error in ecdsa_verify_wrap
2018-11-22 13:37:14 -05:00
Andrzej Kurek
1e3b6865d7 pk_wrap: cosmetic changes
Adjust whitespaces and variable names
2018-11-22 13:37:14 -05:00
Andrzej Kurek
39d1f4b29f pk_wrap.c: add support for ecdsa signature verification using PSA
Use PSA internally to verify signatures.
Add a conversion to a raw signature format.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
60ea0fc185 Remove trailing whitespace 2018-11-22 13:02:29 -05:00
Andrzej Kurek
593fccdf97 x509: remove unnecessary calls to psa_hash_abort
According to the documentation, it does not need to be called after a failed
psa_hash call.
2018-11-22 12:53:32 -05:00
Andrzej Kurek
78276b1c73 x509: use the PSA API to perform hashing operations
So far limited only to certificate verification withour CRL and CSR generation.
2018-11-22 12:53:32 -05:00
Andrzej Kurek
3bd69dda1a pkwrite: add an explicit cast to size_t 2018-11-22 12:43:53 -05:00
Andrzej Kurek
16d6000577 pkwrite: add a safety check before calculating the buffer size 2018-11-22 12:43:53 -05:00
Andrzej Kurek
2f31122585 Cosmetic changes
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
6f249de706 pkwrite: add opaque key handling for public key exporting
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
b7f3ac6504 pkwrite: add an explicit cast to size_t 2018-11-22 12:05:08 -05:00
Andrzej Kurek
158c3d10d0 pkwrite: add a safety check before calculating the buffer size 2018-11-22 12:05:08 -05:00
Andrzej Kurek
4b11407258 Cosmetic changes
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
5fec0860f9 pkwrite: add opaque key handling for public key exporting
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
8b38ff57ab Remove trailing whitespace 2018-11-22 11:53:04 -05:00
Andrzej Kurek
a609337ca0 x509: remove unnecessary calls to psa_hash_abort
According to the documentation, it does not need to be called after a failed
psa_hash call.
2018-11-22 11:53:04 -05:00
Andrzej Kurek
d4a6553191 x509: use the PSA API to perform hashing operations
So far limited only to certificate verification withour CRL and CSR generation.
2018-11-22 11:53:04 -05:00
Manuel Pégourié-Gonnard
2614562212 Add test utility function: wrap_as_opaque()
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
29a1325b0d Guard against PSA generating invalid signature
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f4427678ae Use shared function for error translation 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1e48ebd306 Fix a compliance issue in signature encoding
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
615530728f Improve documentation of an internal function 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f127e6080e Get rid of large stack buffers in PSA sign wrapper 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
276cb64e6c Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
7d51255ca7 Implement pk_sign() for opaque ECDSA keys 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
07b103fe07 Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
683632b78e Add support for get_(bit)len on opaque keys 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
274f521b9a Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
3bc2029a33 Clarify return value of pk_check_pair() 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1ecf92c364 Skeleton for PK_OPAQUE_PSA 2018-11-22 16:39:39 +00:00
Hanno Becker
fc20c14e76 Use PSA-based ciphers for record protections in TLS-1.2 only
Reasons:
- For the first release, we attempt to support TLS-1.2 only,
- At least TLS-1.0 is known to not work at the moment, as
  for CBC ciphersuites the code in mbedtls_ssl_decrypt_buf()
  and mbedtls_ssl_encrypt_buf() assumes that mbedtls_cipher_crypt()
  updates the structure field for the IV in the cipher context,
  which the PSA-based implementation currently doesn't.
2018-11-22 16:38:06 +00:00
Hanno Becker
329919eadf Use PSA-based ciphers for SSL ticket protection
This commit modifies the default SSL ticket implementation
from `library/ssl_ticket.c` to use PSA-based cipher context
for ticket creation and parsing.

As in mbedtls_ssl_derive_keys() adapted in an earlier commit,
we allow fallback to the ordinary mbedtls_cipher_setup()
if the provided cipher is not known. We do this even though
we always call mbedtls_ssl_ticket_setup() with AES-GCM
in our own code since this function is public and might
be used with other ciphers by users.
2018-11-22 16:38:06 +00:00
Hanno Becker
4724645e28 Introduce macros for constants in SSL ticket implementation 2018-11-22 16:38:06 +00:00
Hanno Becker
be3ffba33d Setup PSA-based cipher context in mbedtls_ssl_derive_keys()
This commit changes the code path in mbedtls_ssl_derive_keys()
responsible for setting up record protection cipher contexts
to attempt to use the new API mbedtls_cipher_setup_psa() in
case MBEDTLS_USE_PSA_CRYPTO is set.

For that, the AEAD tag length must be provided, which is already
computed earlier in mbedtls_ssl_derive_keys() and only needs to be
stored a function scope to be available for mbedtls_cipher_setup_psa().

If mbedtls_cipher_setup_psa() fails cleanly indicating that the
requested cipher is not supported in PSA, we fall through to
the default setup using mbedtls_cipher_setup(). However, we print
a debug message in this case, to allow catching the fallthrough in
tests where we know we're using a cipher which should be supported
by PSA.
2018-11-22 16:38:06 +00:00
Hanno Becker
7b05629641 Return 'Feature unavailable' error for ciphers unsupported by PSA 2018-11-22 16:33:01 +00:00
Hanno Becker
1908655231 Use enum for slot state in PSA-based cipher context 2018-11-22 16:33:01 +00:00
Hanno Becker
4ee7e76378 Check support for cipher in mbedtls_cipher_setup_psa()
mbedtls_cipher_setup_psa() should return
MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested
cipher is not supported by PSA, so that the caller can
try the original mbedtls_cipher_setup() instead.

The previous version of mbedtls_cipher_setup_psa(), however,
only attempted to translate the cipher mode (GCM, CCM, CBC,
ChaChaPoly, Stream), but didn't consider the underlying
cipher primitive. Hence, it wouldn't fail when attempting
to setup a cipher context for, say, 3DES-CBC, where CBC
is currently supported by PSA but 3DES isn't.

This commit adds a check to mbedtls_cipher_setup_psa()
for whether the requested cipher primitive is available
in the underlying PSA Crypto implementation, and fails
cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if
it is isn't.
2018-11-22 16:33:01 +00:00
Hanno Becker
fe73adee5a Implement PSA-based AEAD enc/dec cipher operations 2018-11-22 16:33:01 +00:00
Hanno Becker
20120b373e Add AEAD tag length to new mbedtls_cipher_setup_psa()
For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.
2018-11-22 16:33:01 +00:00
Hanno Becker
a395d8f1e9 Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes
than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`.
The semantics of the PSA Crypto API, in contrast, checks key
usage against the key policy.

As a remedy, this commit modifies the PSA key slot setup to
always allow both encryption and decryption.
2018-11-22 16:33:01 +00:00
Hanno Becker
55e2e3d5cc Implement PSA-based version of mbedtls_cipher_crypt() 2018-11-22 16:33:01 +00:00
Hanno Becker
edda8b8830 Implement mbedtls_cipher_setkey() for PSA-based cipher contexts
This commit implements the internal key slot management performed
by PSA-based cipher contexts. Specifically, `mbedtls_cipher_setkey()`
wraps the provided raw key material into a key slot, and
`mbedtls_cipher_free()` destroys that key slot.
2018-11-22 16:33:01 +00:00
Hanno Becker
6118e43d15 Add PSA-specific cipher context 2018-11-22 16:33:01 +00:00
Hanno Becker
ce1ddee13a Add psa_enabled field to cipher ctx and add dummy implementations
This field determines whether a cipher context should
use an external implementation of the PSA Crypto API for
cryptographic operations, or Mbed TLS' own crypto library.

The commit also adds dummy implementations for the cipher API.
2018-11-22 16:33:01 +00:00
Hanno Becker
4ccfc40aef Add declaration and dummy-definition of mbedtls_cipher_setup_psa() 2018-11-22 16:33:01 +00:00
Hanno Becker
18597cd3c4 Fix style in cipher.c 2018-11-22 16:33:01 +00:00
Hanno Becker
0953ba1899 Fix style in NUM_CIPHERS definition in cipher_wrap.c
Use brackets around `sizeof()` arguments as well as the entire macro.
2018-11-22 16:33:01 +00:00
Hanno Becker
e9bf0f4c32 Share code for PSK identity configuration
This commit shares the code for setting the PSK identity hint between
the functions mbedtls_ssl_conf_psk() and mbedtls_ssl_conf_psk_opaque().
2018-11-22 16:30:20 +00:00
Hanno Becker
bffefae305 Safe-guard ssl_conf_remove_psk() for simultaneous raw-opaque PSKs
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
2018-11-22 16:30:20 +00:00
Hanno Becker
4d057f61a7 Don't use 48 as a magic number in ssl_derive_keys()
In multiple places, it occurrs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact the some
further occurrences of '48' are semantically different.
2018-11-22 16:30:20 +00:00
Hanno Becker
5916c99cc3 Don't use idiom if( func() ) but always add explicit value check 2018-11-22 16:30:20 +00:00
Hanno Becker
4855c2d4c2 Add server-support for opaque PSKs 2018-11-22 16:30:20 +00:00
Hanno Becker
8bb28b9470 Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into the PSK callback.
2018-11-22 16:30:20 +00:00
Hanno Becker
21e98b4114 Skip PMS generation on client if opaque PSK is used
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-22 16:30:20 +00:00
Hanno Becker
b7aaf1e641 Implement PSA-based PSK-to-MS derivation in mbedtls_ssl_derive_keys 2018-11-22 16:30:20 +00:00
Hanno Becker
1e414e5d1d Simplify master secret derivation in mbedtls_ssl_derive_keys() 2018-11-22 16:30:20 +00:00
Hanno Becker
a32400bc6b Allow opaque PSKs in pure-PSK ciphersuites only
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-22 16:30:20 +00:00
Hanno Becker
a5ce0fd77f Don't suggest the use of a PSK suite if no PSK configured on client 2018-11-22 16:30:20 +00:00
Hanno Becker
c6b8d400a0 Implement API for configuration of opaque PSKs
This commit adds implementations of the two new API functions

mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque().
2018-11-22 16:30:20 +00:00
Manuel Pégourié-Gonnard
26fd730876 Add config option for X.509/TLS to use PSA 2018-11-22 16:25:36 +00:00
Andrzej Kurek
ad5d58124a pk_wrap.c: fix length mismatch check placement 2018-11-22 11:17:37 -05:00
Andrzej Kurek
eeac03b354 pk_wrap.c: tidy up signature extraction
Add a sanity check for signature length, remove superfluous bounds check.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
6cb63aa010 Cosmetic changes
Move memset to a more relevant spot, fix one whitespace error
2018-11-22 11:17:37 -05:00
Andrzej Kurek
9241d18773 pk_wrap: rework and tidy up signature extraction
Improve comments, use a normal buffer instead of mbedtls_asn1_buf,
remove unneeded variables and use shared utilities where possible.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
b6016c52c5 pk_wrap: reuse a static buffer for signature extraction
Use a buffer left over after importing a key to hold an extracted signature.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
b7b0478f76 pk_wrap: rework signature extraction to work with small r and s values
There is a probability that r will be encoded as 31 or less bytes in DER,
so additional padding is added in such case.
Added a signature-part extraction function to tidy up the code further.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
4f0253962e pk_wrap: improve error codes returned from ecdsa_verify_wrap
Use the shared PSA utilities to translate errors.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
2122774d72 pk_wrap: switch to helper functions defined in psa_util.h
Remove duplicated helper functions.
Remove an unnecessary call to psa_crypto_init().
2018-11-22 11:17:37 -05:00
Andrzej Kurek
c05ec9f39c pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
Adjust tests to pass a valid algorithm
2018-11-22 11:17:37 -05:00
Andrzej Kurek
cef91afab6 pk_wrap: destroy key slot on errors with policy or key importing 2018-11-22 11:17:37 -05:00
Andrzej Kurek
3f864c2457 pk_wrap: add a check for equal signature parts 2018-11-22 11:17:37 -05:00
Andrzej Kurek
b3d1b12177 pk_wrap: check if curve conversion is successful 2018-11-22 11:17:37 -05:00
Andrzej Kurek
ea84233e02 pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig
Fix a double free error in ecdsa_verify_wrap
2018-11-22 11:17:37 -05:00
Andrzej Kurek
6376d638b8 pk_wrap: cosmetic changes
Adjust whitespaces and variable names
2018-11-22 11:17:37 -05:00
Andrzej Kurek
8b036a6082 pk_wrap.c: add support for ecdsa signature verification using PSA
Use PSA internally to verify signatures.
Add a conversion to a raw signature format.
2018-11-22 11:17:37 -05:00
Hanno Becker
cb1cc80cf5 Use PSA-based ciphers for record protections in TLS-1.2 only
Reasons:
- For the first release, we attempt to support TLS-1.2 only,
- At least TLS-1.0 is known to not work at the moment, as
  for CBC ciphersuites the code in mbedtls_ssl_decrypt_buf()
  and mbedtls_ssl_encrypt_buf() assumes that mbedtls_cipher_crypt()
  updates the structure field for the IV in the cipher context,
  which the PSA-based implementation currently doesn't.
2018-11-22 14:05:54 +00:00
Hanno Becker
679d8ceb13 Use PSA-based ciphers for SSL ticket protection
This commit modifies the default SSL ticket implementation
from `library/ssl_ticket.c` to use PSA-based cipher context
for ticket creation and parsing.

As in mbedtls_ssl_derive_keys() adapted in an earlier commit,
we allow fallback to the ordinary mbedtls_cipher_setup()
if the provided cipher is not known. We do this even though
we always call mbedtls_ssl_ticket_setup() with AES-GCM
in our own code since this function is public and might
be used with other ciphers by users.
2018-11-22 14:05:54 +00:00
Hanno Becker
d140d0828e Introduce macros for constants in SSL ticket implementation 2018-11-22 14:05:54 +00:00
Hanno Becker
f704befee8 Setup PSA-based cipher context in mbedtls_ssl_derive_keys()
This commit changes the code path in mbedtls_ssl_derive_keys()
responsible for setting up record protection cipher contexts
to attempt to use the new API mbedtls_cipher_setup_psa() in
case MBEDTLS_USE_PSA_CRYPTO is set.

For that, the AEAD tag length must be provided, which is already
computed earlier in mbedtls_ssl_derive_keys() and only needs to be
stored a function scope to be available for mbedtls_cipher_setup_psa().

If mbedtls_cipher_setup_psa() fails cleanly indicating that the
requested cipher is not supported in PSA, we fall through to
the default setup using mbedtls_cipher_setup(). However, we print
a debug message in this case, to allow catching the fallthrough in
tests where we know we're using a cipher which should be supported
by PSA.
2018-11-22 14:05:54 +00:00
Hanno Becker
a654c3e38a Return 'Feature unavailable' error for ciphers unsupported by PSA 2018-11-22 14:03:39 +00:00
Hanno Becker
ce61a32e6a Use enum for slot state in PSA-based cipher context 2018-11-22 14:03:39 +00:00
Hanno Becker
8d88a6e20d Check support for cipher in mbedtls_cipher_setup_psa()
mbedtls_cipher_setup_psa() should return
MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested
cipher is not supported by PSA, so that the caller can
try the original mbedtls_cipher_setup() instead.

The previous version of mbedtls_cipher_setup_psa(), however,
only attempted to translate the cipher mode (GCM, CCM, CBC,
ChaChaPoly, Stream), but didn't consider the underlying
cipher primitive. Hence, it wouldn't fail when attempting
to setup a cipher context for, say, 3DES-CBC, where CBC
is currently supported by PSA but 3DES isn't.

This commit adds a check to mbedtls_cipher_setup_psa()
for whether the requested cipher primitive is available
in the underlying PSA Crypto implementation, and fails
cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if
it is isn't.
2018-11-22 14:03:39 +00:00
Hanno Becker
56150afd1a Implement PSA-based AEAD enc/dec cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
f133640475 Add AEAD tag length to new mbedtls_cipher_setup_psa()
For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.
2018-11-22 14:03:39 +00:00
Hanno Becker
884f6af590 Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes
than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`.
The semantics of the PSA Crypto API, in contrast, checks key
usage against the key policy.

As a remedy, this commit modifies the PSA key slot setup to
always allow both encryption and decryption.
2018-11-22 14:03:39 +00:00
Hanno Becker
3c852a9c35 Implement PSA-based version of mbedtls_cipher_crypt() 2018-11-22 14:03:39 +00:00
Hanno Becker
d9ca5cfd60 Implement mbedtls_cipher_setkey() for PSA-based cipher contexts
This commit implements the internal key slot management performed
by PSA-based cipher contexts. Specifically, `mbedtls_cipher_setkey()`
wraps the provided raw key material into a key slot, and
`mbedtls_cipher_free()` destroys that key slot.
2018-11-22 14:03:39 +00:00
Hanno Becker
73f59fc3e9 Add PSA-specific cipher context 2018-11-22 14:03:39 +00:00
Hanno Becker
1cb36530be Add psa_enabled field to cipher ctx and add dummy implementations
This field determines whether a cipher context should
use an external implementation of the PSA Crypto API for
cryptographic operations, or Mbed TLS' own crypto library.

The commit also adds dummy implementations for the cipher API.
2018-11-22 14:03:39 +00:00
Hanno Becker
098c9de2af Add declaration and dummy-definition of mbedtls_cipher_setup_psa() 2018-11-22 14:03:39 +00:00
Hanno Becker
21967c5bff Fix style in cipher.c 2018-11-22 14:03:39 +00:00
Hanno Becker
c3d25b31ab Fix style in NUM_CIPHERS definition in cipher_wrap.c
Use brackets around `sizeof()` arguments as well as the entire macro.
2018-11-22 14:03:39 +00:00
Gilles Peskine
c6b6907066 Make library init and deinit more robust to errors
Allow mbedtls_psa_crypto_free to be called twice, or without a prior
call to psa_crypto_init. Keep track of the initialization state more
precisely in psa_crypto_init so that mbedtls_psa_crypto_free knows
what to do.
2018-11-22 13:46:51 +01:00
Manuel Pégourié-Gonnard
347a00e07e Add test utility function: wrap_as_opaque()
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
59eecb0e9e Guard against PSA generating invalid signature
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
9a5a77ba7c Use shared function for error translation 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
45013a1d54 Fix a compliance issue in signature encoding
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
509aff111f Improve documentation of an internal function 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d8454bc515 Get rid of large stack buffers in PSA sign wrapper 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
69baf70984 Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
3686771dfa Implement pk_sign() for opaque ECDSA keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
920c063bad Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
0184b3c69b Add support for get_(bit)len on opaque keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
7b5fe041f1 Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
eaeb7b23ff Clarify return value of pk_check_pair() 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
20678b2ae2 Skeleton for PK_OPAQUE_PSA 2018-11-22 09:59:34 +01:00
Hanno Becker
7390c71609 Share code for PSK identity configuration
This commit shares the code for setting the PSK identity hint between
the functions mbedtls_ssl_conf_psk() and mbedtls_ssl_conf_psk_opaque().
2018-11-21 21:12:58 +00:00
Hanno Becker
a63ac3f149 Safe-guard ssl_conf_remove_psk() for simultaneous raw-opaque PSKs
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
2018-11-21 21:12:58 +00:00
Hanno Becker
f9ed7d5f76 Don't use 48 as a magic number in ssl_derive_keys()
In multiple places, it occurrs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact the some
further occurrences of '48' are semantically different.
2018-11-21 21:12:58 +00:00
Hanno Becker
c1385c104f Don't use idiom if( func() ) but always add explicit value check 2018-11-21 21:12:58 +00:00
Hanno Becker
845b946d92 Add server-support for opaque PSKs 2018-11-21 21:12:58 +00:00
Hanno Becker
520224e577 Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into the PSK callback.
2018-11-21 21:12:58 +00:00
Hanno Becker
afd311ee12 Skip PMS generation on client if opaque PSK is used
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-21 21:12:58 +00:00
Hanno Becker
7d0a569d38 Implement PSA-based PSK-to-MS derivation in mbedtls_ssl_derive_keys 2018-11-21 21:12:58 +00:00
Hanno Becker
35b23c7484 Simplify master secret derivation in mbedtls_ssl_derive_keys() 2018-11-21 21:12:58 +00:00
Hanno Becker
dfab8e221a Allow opaque PSKs in pure-PSK ciphersuites only
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-21 21:12:58 +00:00
Hanno Becker
2e4f616708 Don't suggest the use of a PSK suite if no PSK configured on client 2018-11-21 21:12:58 +00:00
Hanno Becker
d20a8ca733 Implement API for configuration of opaque PSKs
This commit adds implementations of the two new API functions

mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque().
2018-11-21 21:12:58 +00:00
Manuel Pégourié-Gonnard
aeefa49edd Add config option for X.509/TLS to use PSA 2018-11-21 21:03:14 +00:00
Gilles Peskine
a678f233a7
Merge pull request #197 from netanelgonen/entropy-inject
Add entropy inject API (#197)
2018-11-21 19:21:05 +01:00
avolinski
0d2c266c06 change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID 2018-11-21 17:31:07 +02:00
avolinski
1c66205df6 Remove trailing space in psa_crypto.c 2018-11-21 16:54:09 +02:00
Gilles Peskine
83146e10bb
Merge pull request #211 from ARMmbed/bug_fix_210
Fix memory allocation check in psa_save_generated_persistent_key (#211)
2018-11-21 15:51:07 +01:00
avolinski
13beb100c2 Adjust psa entropy inject tests to take as minimum seed size
the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE
2018-11-21 16:24:53 +02:00
avolinski
7cc8229d80 Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec Add Tests for psa crypto entropy incjection
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Netanel Gonen
2bcd312cda Add entropy injection function to psa cripto APIs 2018-11-21 16:15:14 +02:00
itayzafrir
910c76b3d1 Check that memory allocation was successful in psa_save_generated_persistent_key 2018-11-21 16:10:33 +02:00
Gilles Peskine
3d5d8372a5
Merge pull request #198 from ARMmbed/psa_crypto_its
PSA Crypto Storage backend implementation over PSA ITS APIs (#198)
2018-11-21 15:04:03 +01:00
Jaeden Amero
484ee33c35 psa: Add PSA Crypto configuration
Add an option that can enable the exposure of PSA Crypto APIs from
libmbedcrypto.
2018-11-21 12:54:57 +00:00
Jaeden Amero
30b340a760 crypto: Add mbedtls-psa as a submodule
mbedtls-psa contains an implementation of libmbedcrypto, including the PSA
Crypto API.
2018-11-21 12:54:57 +00:00
Jaeden Amero
c6e4ab00a8 Use parent module includes when used as a submodule
For Makefiles, enable overriding where includes can come from in order to
enable the parent module to set the include path. This allows the parent
module to specify that its config.h should be used, even when the submodule
when built standalone would use a different config.h.

For CMake, always look in the parent's include folder and our own. List the
parent's include folder first, so that preference is given to parent
include files.
2018-11-21 12:17:31 +00:00
Jaeden Amero
5ae1fb6f69 CMake: Don't build non-crypto when a subproject
When building Mbed Crypto as a subproject, don't add targets for
libmbedx509 or libmbedtls, as the parent project should build these. The
parent project will define USE_CRYPTO_SUBMODULE variable when using Mbed
Crypto as a submodule, so we can depend on that variable to control whether
or not we build non-crypto libraries.
2018-11-21 12:16:40 +00:00
Moran Peker
a26d764bae Add new PSA Crypto Storage backend implementation using ITS APIs
The new file is conditionally compiled with the new mbedtls
configuration option that  Mbed OS would set by default -
`MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C`.

-
2018-11-21 13:28:10 +02:00
Moran Peker
a90abf13b6 add MBEDTLS_PSA_HAS_ITS_IO
update config.h,config-psa-crypto.h, version_features.c and config.pl
2018-11-21 13:28:09 +02:00
Moran Peker
4611956560 Add new MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C configuration option
- update configuration requires
- update check_config.h to include MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
- update con and config.h
2018-11-21 13:28:09 +02:00
Jaeden Amero
4cb814e3a7 cmake: Use finer grained include directory
Using finer grained control over include directories will allow differnt
targets to use different include files. This will be useful when the
`crypto` subcomponent wants to use its own include files instead of or in
addition to the top level ones.
2018-11-20 18:46:43 +00:00
Gilles Peskine
11cdb0559e mbedtls_mpi_write_binary: don't leak the exact size of the number
In mbedtls_mpi_write_binary, avoid leaking the size of the number
through timing or branches, if possible. More precisely, if the number
fits in the output buffer based on its allocated size, the new code's
trace doesn't depend on the value of the number.
2018-11-20 17:09:27 +01:00
Darryl Green
0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green
dd8fb777ce psa: Refactor psa_internal_export_key to use slot, rather than key
When generating keys that have persistent lifetime, we will need
the keys to be in the exported format to save to persistent storage.
This refactoring to separate checking the slots usage from the
exporting of the key data will be necessary for using
psa_internal_export_key in psa_generate_key.
2018-11-20 15:40:32 +00:00
Darryl Green
d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Darryl Green
40225ba709 psa: Refactor psa_destroy_key()
Create a new function psa_remove_key_from_memory() from psa_destroy_key().
This is needed as psa_destroy_key() will remove all key data, including
persistent storage. mbedtls_psa_crypto_free() will now only free in-memory
data and not persistent data.
2018-11-20 15:21:22 +00:00
Darryl Green
06fd18de37 psa: Move get_key_slot functions
Move the psa_get_key_slot and related static functions as they will need
to call psa_import_key_into_slot() for persistent keys.
2018-11-20 15:21:22 +00:00
Darryl Green
940d72c3e8 psa: Refactor psa_import_key()
Create a new function psa_import_key_into_slot() from psa_import_key().
This is common functionality that will be used both when importing a
key and loading a key from persistent storage.
2018-11-20 15:21:22 +00:00
Moran Peker
96ebf9efcf psa: Add magic header to storage backend
Add a magic header to the storage format used with files. The
header is used as an initial check that the data is what we expect,
rather than garbage data.
2018-11-20 15:21:22 +00:00
Darryl Green
db2b8db715 psa: Add storage implementation for files
Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.

An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.
2018-11-20 15:21:22 +00:00
Jaeden Amero
818eab2e76 Merge tag 'mbedtls-2.14.0' into feature-psa
Mbed TLS version 2.14.0

Resolved conflicts in include/mbedtls/config.h,
tests/scripts/check-files.py, and yotta/create-module.sh by removing yotta.

Resolved conflicts in tests/.jenkins/Jenkinsfile by continuing to run
mbedtls-psa job.
2018-11-19 19:25:56 +00:00
Simon Butcher
c1b9892177 Update library version number to 2.14.0 2018-11-19 18:31:40 +00:00
Hanno Becker
1aaedc03d4 Add implementation of TLS-1.2 PSK-to-MS key derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine
93f8500e2e Fix unused variables warning if MBEDTLS_ECDH_C is off
depends-pkalgs.pl passes.
2018-11-16 16:43:31 +01:00
Gilles Peskine
346797d7b9 Add missing cleanup on failure in psa_key_agreement
If psa_key_derivation_internal() fails, it's up to the caller to clean
up. Do this, and add a note at the top of
psa_key_derivation_internal() and its auxiliary functions.

There is no non-regression test because at the moment the only way to
trigger an error is a borderline low-memory condition and we don't
have the means to trigger this.
2018-11-16 16:09:27 +01:00
Gilles Peskine
a05219c70b Add some missing compilation guards
Add missing checks for defined(MBEDTLS_MD_C) around types and
functions that require it (HMAC, HKDF, TLS12_PRF).

Add missing checks for defined(MBEDTLS_ECDSA_DETERMINISTIC) around
code that calls mbedtls_ecdsa_sign_det().

Add missing checks for defined(MBEDTLS_ECDH_C) around ECDH-specific
functions.
2018-11-16 16:09:24 +01:00
Hanno Becker
353e45361d Don't call memcpy() with 0-length arguments
The standard prohibits calling memcpy() with NULL pointer
arguments, even if the size argument is 0.

The TLS-1.2 PRF generator setup function previously called
memcpy() with the label and salt as the source, even if
they were of length 0, as exercised by the derive_key_policy
test case in the PSA crypto test suite.

This commit adds guards around the memcpy() calls so that they
are only executed of salt or label have positive length, respectively.
2018-11-16 11:24:59 +00:00
Hanno Becker
3b339e2342 Simplify psa_generator_tls12_prf_generate_next_block() 2018-11-16 11:24:59 +00:00
Hanno Becker
580fba1431 Dynamically allocate A(i) + seed buffer for TLS-1.2 PRF 2018-11-16 11:24:59 +00:00
Hanno Becker
c8a41d71cb Add implementation of TLS-1.2 PRF 2018-11-16 11:24:55 +00:00
Gilles Peskine
b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine
88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine
211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine
b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine
01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine
cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine
e19b7d54d0 Revert "New function mbedtls_rsa_get_bitlen"
This reverts commit 1d26709dbd.
2018-11-12 19:14:34 +01:00
Gilles Peskine
86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine
aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Simon Butcher
de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Simon Butcher
cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Junhwan Park
39bdab791d x509.c: Fix potential memory leak in X.509 self test
Found and fixed by Junhwan Park in #2106.

Signed-off-by: Junhwan Park <semoking@naver.com>
2018-11-10 20:22:54 +09:00
Simon Butcher
e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor
9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor
bcca58c6cd Add common feature unavailable error
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Simon Butcher
d83448b736 Merge remote-tracking branch 'public/pr/2052' into development-restricted-proposed 2018-11-07 12:59:14 +00:00
Simon Butcher
53b45ec881 Merge remote-tracking branch 'public/pr/2079' into development-restricted-proposed 2018-11-07 12:58:44 +00:00
Simon Butcher
bbc31b4827 Merge remote-tracking branch 'public/pr/2085' into development-restricted-proposed 2018-11-07 12:57:38 +00:00
Simon Butcher
93a9b497e0 Merge remote-tracking branch 'public/pr/2077' into development-restricted-proposed 2018-11-07 12:57:24 +00:00
Simon Butcher
241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Simon Butcher
42ab4ae033 Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed 2018-11-07 12:54:45 +00:00
Hanno Becker
f6d6e30820 Fix incomplete assertion in ssl_write_handshake_msg()
ssl_write_handshake_msg() includes the assertion that
`ssl->handshake != NULL` when handling a record which is
(a) a handshake message, and NOT
(b) a HelloRequest.
However, it later calls `ssl_append_flight()` for any
record different from a HelloRequest handshake record,
that is, records satisfying !(a) || !(b), instead of
(a) && !(b) as covered by the assertion (specifically,
CCS or Alert records).

Since `ssl_append_flight()` assumes that `ssl->handshake != NULL`,
this rightfully triggers static analyzer warnings.

This commit expands the scope of the assertion to check
that `ssl->handshake != NULL` for any record which is not
a HelloRequest.
2018-11-07 11:57:51 +00:00
Simon Butcher
51b6abbbf2 Merge remote-tracking branch 'public/pr/2165' into development-proposed 2018-11-06 22:55:14 +00:00
Hanno Becker
9772da8792 Add missing bracket
Wasn't spotted earlier because it's guarded by `! HAVE_GETRANDOM`.
2018-11-06 13:12:47 +00:00
Ron Eldor
2981d8f161 Change to positive flow for all cases
Use the `rs_ctx` only when `MBEDTLS_ECP_RESTARTABLE` is defined.
2018-11-05 18:08:46 +02:00
Ron Eldor
93ace0199b Revert positive flow check
Revert changes for checking whether `MBEDTLS_ECP_RESTARTABLE`
is defined, since it broke the CI. The context is used whether the
restartable feature is defined or not.
2018-11-05 17:50:07 +02:00
Ron Eldor
b430d9f262 Change to positive checks
1. Checge to check for `MBEDTLS_ECP_RESTARTABLE` for all definitions
of `rs_ctx`.
2. Remove checks for `_ALT` when using `rs_ctx` as they cannot coexist
with the Restartable configuration.
2018-11-05 17:18:29 +02:00
Ron Eldor
19779c4739 Some style and documentation fixes
1. Change description of of hte `MBEDTLS_ECP_RESTARTABLE`
in the configuration file.
2. Change check for compilation of `rs_ctx` to positive flow.
2018-11-05 16:58:13 +02:00
Ron Eldor
5ed8c1eded Avoid using restartable and alternative ECP imp.
1. Add a check that MBEDTLS_ECP_RESTARTABLE is not defined
   along any EC* alternative implementation.
2. Add a closing comment foran `#endif`.
2018-11-05 14:04:26 +02:00
Hanno Becker
b75ffb5061 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-05 11:54:06 +00:00
Hanno Becker
1f8527f1cf Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-05 11:54:06 +00:00
Simon Butcher
06f88e9c42 Merge remote-tracking branch 'public/pr/2007' into development-proposed 2018-11-04 19:12:57 +00:00
Simon Butcher
76646a4bac Merge remote-tracking branch 'public/pr/1777' into development-proposed 2018-11-04 18:51:36 +00:00
Simon Butcher
2705beaeef Merge remote-tracking branch 'public/pr/2095' into development-proposed 2018-11-04 18:48:04 +00:00
Hanno Becker
710f203541 Merge branch 'iotssl-1770' into development_thomas_dee 2018-11-02 10:52:49 +00:00
Hanno Becker
cec1c2685f Break overly long line in library/x509_create.c 2018-11-02 10:52:38 +00:00
Hanno Becker
ee334a3a5c Remove Doxygen tags from documentation of private structure 2018-11-02 10:52:38 +00:00
Hanno Becker
beffcd8d4a Update hardcoded certificates in library/certs.c
library/certs.c provides some hardcoded certificates that
are used e.g. by the test applications ssl_server2, ssl_client2
in case no certificates are provided on the command line.

The certificates used are from the tests/data_files folder
and have been updated in the latest commits. This commit
updates their copies in certs.c. It also adds comments
indicating the files from which the data is taken, in
order to ease update in the future.
2018-11-02 10:52:38 +00:00
Hanno Becker
6e1adee42b Regenerate test files
Previous commits have added or modified build instructions for
server1*, server2*, server5*, test-ca*, cli-rsa* in the Makefile
tests/data_files/Makefile, or the apps they invoke have been changed.

This commit regenerates those files to make sure they are in match with
the build instructions.
2018-11-02 10:52:38 +00:00
Hanno Becker
cb93813e04 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-02 10:49:09 +00:00
Hanno Becker
0f6903d84c Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-02 10:49:08 +00:00
Ron Eldor
2b161c33be Fix compilation issue
Fix compilation error when both `MBEDTLS_ECP_RESTARTABLE` and the
alternative definition of ECDH function are defined.
2018-11-01 16:18:20 +02:00
Ron Eldor
936d284f4d Minor fixes
1. Fix unused symbols compilation warnings.
2. Add comments for the closing `endif`.
2018-11-01 13:05:52 +02:00
Ron Eldor
8493f80e65 conditionaly compile ECDH and ECDSA alt functions
Return the condition compilation flags surrounding
`mbedtls_ecdh_compute_shared()`, `mbedtls_ecdh_gen_public()`,
`mbedtls_ecdsa_sign()` and `mbedtls_ecdsa_verify()` that were accidentally
removed in a previous merge.
Resolves #2163
2018-11-01 11:32:15 +02:00
Krzysztof Stachowiak
c388a8c394 Fix typo in a test condition code 2018-10-31 16:49:20 +01:00
Gilles Peskine
52b9018cf7 psa_export_key: for raw-byte keys, zero the end of the output buffer
Skip all writing to the target buffer if its size is 0, since in this
case the pointer might be invalid and this would cause the calls to
memcpy and memset to have undefined behavior.
2018-10-31 14:10:06 +01:00
Gilles Peskine
188c71e382 Private EC key format: change to raw secret value (export)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine
f76aa7789b Private EC key format: change to raw secret value (doc, import)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the format
specification and the import code, but not the export code.
2018-10-31 14:10:06 +01:00
Simon Butcher
7904f94550 Merge remote-tracking branch 'public/pr/1099' into development-proposed 2018-10-28 18:10:37 +00:00
Simon Butcher
17a0fab345 Merge remote-tracking branch 'public/pr/2111' into development-proposed 2018-10-28 16:22:18 +00:00
Simon Butcher
a07d86e8af Merge remote-tracking branch 'public/pr/1902' into development 2018-10-27 18:36:55 +01:00
Simon Butcher
ef263ebcd7 Merge remote-tracking branch 'public/pr/1993' into development 2018-10-27 18:36:28 +01:00
Hanno Becker
b10c66073f Detect unsigned integer overflow in mbedtls_ecp_check_budget()
This commit modifies a bounds check in `mbedtls_ecp_check_budget()` to
be correct even if the requested number of ECC operations would overflow
the operation counter.
2018-10-26 15:09:35 +01:00
Hanno Becker
6934e9b288 Indentation fix 2018-10-25 16:07:16 +01:00
Hanno Becker
137015c1b1 Fix unsafe bounds checks in ssl_load_session()
Fixes #659 reported by Guido Vranken.
2018-10-25 16:07:08 +01:00
Simon Butcher
169712e15a Merge remote-tracking branch 'restricted/pr/390' into development 2018-10-24 18:34:30 +01:00
Hanno Becker
9543373668 Use brackets around shift operations
Use `( x >> y ) & z` instead of `x >> y & z`. Both are equivalent
by operator precedence, but the former is more readable and the
commonly used idiom in the library.
2018-10-24 13:31:49 +01:00
Jaeden Amero
a74faba27a aes: xts: Correct NIST 80-38E to 800-38E
Correct a typo in an AES XTS implementation comment where the relevant
NIST standard was incorrectly referred to as NIST 80-38E instead of NIST
800-38E.
2018-10-23 12:07:18 +01:00
Jaeden Amero
8381fcb3f9 aes: xts: Update inaccurate comments
It is inaccurate to call a data unit a "sector". A disk sector is a
common use case for the data unit, but there exist other types of data
units that are not sectors.
2018-10-23 12:07:18 +01:00
Darryl Green
6c0f94cbd0 Add better handling when deleting files on Windows
Windows complains if you try to delete a file that doesn't exist.
Makefiles now check if the files exist before trying to delete them.
2018-10-23 12:03:31 +01:00
Manuel Pégourié-Gonnard
a966fdea72 Fix some documentation typos and improve a comment 2018-10-23 10:41:11 +02:00
Brian J Murray
f343de12dc typo fix 2018-10-22 16:41:35 -07:00
Krzysztof Stachowiak
2cdb6b46be Include MinGW in the non-conforming (v)snprintf scope
It turns out that in some environments MinGW esposes a non-conforming
(v)snprintf behavior despite the tests against the MSVC runtime pass.
Therefore it has been included in the "non-conforming" scope alongide
older MSVC rungime environments.
2018-10-22 10:43:56 +02:00
Manuel Pégourié-Gonnard
ca29fdf569 Fix some typos in documentation and comments 2018-10-22 09:56:53 +02:00
Hanno Becker
27516979c1 Entropy: Fall through to /dev/random if getrandom() syscall unknown
This commit fixes issue #1212 related to platform-specific entropy
polling in an syscall-emulated environment.

Previously, the implementation of the entropy gathering function
`mbedtls_platform_entropy_poll()` for linux machines used the
following logic to determine how to obtain entropy from the kernel:

1. If the getrandom() system call identifier SYS_getrandom is present and
   the kernel version is 3.17 or higher, use syscall( SYS_getrandom, ... )
2. Otherwise, fall back to reading from /dev/random.

There are two issues with this:

1. Portability:
   When cross-compiling the code for a different
   architecture and running it through system call
   emulation in qemu, qemu reports the host kernel
   version through uname but, as of v.2.5.0,
   doesn't support emulating the getrandom() syscall.
   This leads to `mbedtls_platform_entropy_poll()`
   failing even though reading from /dev/random would
   have worked.

2. Style:
   Extracting the linux kernel version from
   the output of `uname` is slightly tedious.

This commit fixes both by implementing the suggestion in #1212:
- It removes the kernel-version detection through uname().
- Instead, it checks whether `syscall( SYS_getrandom, ... )`
  fails with errno set to ENOSYS indicating an unknown system call.
  If so, it falls through to trying to read from /dev/random.

Fixes #1212.
2018-10-18 12:12:04 +01:00
Gilles Peskine
e0e9c7c417 New macro PSA_ALG_FULL_LENGTH_MAC
Provide a documented way of constructing the full-length MAC algorithm
from a truncated version.
2018-10-17 18:30:47 +02:00
Gilles Peskine
57fbdb1939 Use a public macro for AEAD tag length variations
Avoid depending on the encoding of algorithms inside psa_crypto.c.
2018-10-17 18:30:47 +02:00
Hanno Becker
dd3ab13da3 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:43:14 +01:00
Gilles Peskine
f8a8fe60f8 Fix memory leak with AEAD with non-default tag lengths
When freeing the key context, choose the context format based on the
base algorithm value stored in the operation object.
2018-10-17 13:54:48 +02:00
Gilles Peskine
8cac2e628e Translate GCM_BAD_INPUT to INVALID_ARGUMENT, not NOT_SUPPORTED 2018-10-17 13:54:48 +02:00
Gilles Peskine
99b7d6b700 Wipe sensitive data in psa_mac_verify_finish
Wipe the whole MAC intermediate buffer, not just the requested MAC
size. With truncated MAC algorithms, the requested MAC size may be
smaller than what is written to the intermediate buffer.
2018-10-17 13:54:47 +02:00
Gilles Peskine
87b0ac49f8 Fix possible buffer overread in psa_mac_finish_internal (CMAC) 2018-10-17 13:54:47 +02:00
Gilles Peskine
6d72ff9e79 Document that the minimum truncated MAC length is implementation-defined 2018-10-17 13:54:47 +02:00
Hanno Becker
44da18a294 Duplicate mbedtls_asn1_find_named_data in asn1write.c to avoid dep.
This commit duplicates the public function mbedtls_asn1_find_named_data()
defined in library/asn1parse.c within library/asn1write.c in order to
avoid a dependency of the ASN.1 writing module on the ASN.1 parsing module.

The duplication is unproblematic from a semantic and an efficiency
perspective becasue it is just a short list traversal that doesn't
actually do any ASN.1 parsing.
2018-10-16 13:44:06 +01:00
Hanno Becker
1ea604d3ee Guard mbedtls_pkcs5_pbes2() by MBEDTLS_ASN1_PARSE_C
Previously, mbedtls_pkcs5_pbes2() was unconditionally declared
in `pkcs5.h` but defined as a stub returning
`MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE` in case
MBEDTLS_ASN1_PARSE_C was not defined.

In line with the previous commits, this commit removes declaration
and definition from both `pkcs5.h` and `pkcs5.c` in case
MBEDTLS_ASN1_PARSE_C is not defined.
2018-10-16 13:39:40 +01:00
Hanno Becker
8a89f9fcd2 Make PBE-related parts of PKCS12 depend on MBEDTLS_ASN1_PARSE_C 2018-10-16 13:39:40 +01:00
Manuel Pégourié-Gonnard
b25cb603bb Add a comment to clarify code flow 2018-10-16 11:48:09 +02:00
Manuel Pégourié-Gonnard
a5a3e40c4e Fix missing dereference.
Went unnoticed because it was only on a defensive code path, in an internal
function, so not exercised.
2018-10-16 11:27:23 +02:00
Manuel Pégourié-Gonnard
90f31b71a8 Improve readability by moving counter decrement
Avoid the slightly awkward rs_ctx-> i = i + 1
2018-10-16 10:45:24 +02:00
Manuel Pégourié-Gonnard
a58e011ac0 Fix alignment in a macro definition 2018-10-16 10:42:47 +02:00
Manuel Pégourié-Gonnard
b843b15a02 Fix function name to fit conventions 2018-10-16 10:41:31 +02:00
Manuel Pégourié-Gonnard
c0edc96704 Add comment on internal function API 2018-10-16 10:38:19 +02:00
Manuel Pégourié-Gonnard
d8b73f2312 Remove unnecessary calls to init() from free()
Our API makes no guarantee that you can use a context after free()ing it
without re-init()ing it first, so better not give the wrong impression that we
do, while it's not policy and the rest of the code might not allow it.
2018-10-16 10:34:13 +02:00
Manuel Pégourié-Gonnard
c37423fa76 Fix misleading sub-state name and comments
The enum constant had 'ske' in its name while this was a sub-state of the
"write client key exchange" state; corresponding issue in the comment.
2018-10-16 10:28:17 +02:00
Ron Eldor
5267b62248 Change error description
1. Change error description to a clearer one.
2. Change value in the error codes ranges description.
2018-10-15 18:44:42 +03:00
Ron Eldor
a27190b774 Rename platform error code and value
Rename the PLATFORM HW error, to avoid ABI breakage with Mbed OS.
The value changed as well, as previous value was not in the range of
Mbed TLS low level error codes.
2018-10-15 16:33:43 +03:00
Manuel Pégourié-Gonnard
ee68cff813 Fix or improve some comments (and whitespace) 2018-10-15 15:27:49 +02:00
Manuel Pégourié-Gonnard
f0bbd7e3fd Misc documentation fixes/improvements. 2018-10-15 13:22:41 +02:00
Manuel Pégourié-Gonnard
6346a75dfb Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
2018-10-15 11:26:17 +02:00
Gilles Peskine
4899247bf2 Fix undefined behavior in unsigned-to-signed conversion
The code assumed that `int x = - (unsigned) u` with 0 <= u < INT_MAX
sets `x` to the negative of u, but actually this calculates
(UINT_MAX - u) and then converts this value to int, which overflows.
Cast to int before applying the unary minus operator to guarantee the
desired behavior.
2018-10-12 20:32:55 +02:00
Gilles Peskine
9b430704d1 Fix likely-harmless undefined behavior surrounding volatile
The code was making two unsequenced reads from volatile locations.
This is undefined behavior. It was probably harmless because we didn't
care in what order the reads happened and the reads were from ordinary
memory, but UB is UB and IAR8 complained.
2018-10-12 20:32:52 +02:00
Hanno Becker
805f2e11bd Add missing zeroization of buffered handshake messages
This commit ensures that buffers holding fragmented or
future handshake messages get zeroized before they are
freed when the respective handshake message is no longer
needed. Previously, the handshake message content would
leak on the heap.
2018-10-12 16:50:37 +01:00
Andrzej Kurek
748face36f ssl_tls: fix maximum output length
set maximum output length to MBEDTLS_SSL_OUT_CONTENT_LEN instead of
MBEDTLS_SSL_MAX_CONTENT_LEN.
2018-10-11 07:20:19 -04:00
Hanno Becker
780f0a4cc1 Reinitialize PK ctx in mbedtls_pk_parse_key before reuse are free
Context: This commit makes a change to mbedtls_pk_parse_key() which
is responsible for parsing of private keys. The function doesn't know
the key format in advance (PEM vs. DER, encrypted vs. unencrypted) and
tries them one by one, resetting the PK context in between.

Issue: The previous code resets the PK context through a call to
mbedtls_pk_free() along, lacking the accompanying mbedtls_pk_init()
call. Practically, this is not an issue because functionally
mbedtls_pk_free() + mbedtls_pk_init() is equivalent to mbedtls_pk_free()
with the current implementation of these functions, but strictly
speaking it's nonetheless a violation of the API semantics according
to which xxx_free() functions leave a context in uninitialized state.
(yet not entirely random, because xxx_free() functions must be idempotent,
so they cannot just fill the context they operate on with garbage).

Change: The commit adds calls to mbedtls_pk_init() after those calls
to mbedtls_pk_free() within mbedtls_pk_parse_key() after which the
PK context might still be used.
2018-10-11 11:31:15 +01:00
Hanno Becker
cfa2e33fd2 Omit runtime configuration of calloc/free if macro config enabled
This commit removes the definition of the API function

`mbedtls_platform_set_calloc_free()`

from `library/platform.c` in case the macros

`MBEDTLS_PLATFORM_CALLOC_MACRO`
`MBEDTLS_PLATFORM_FREE_MACRO`

for compile time configuration of calloc/free are set.

This is in line with the corresponding header `mbedtls/platform.h`
which declares `mbedtls_platform_set_calloc_free()` only if
`MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO` are not defined.

Fixes #1642.
2018-10-11 11:04:20 +01:00
Hanno Becker
8df10232cf Add explicit unsigned-to-signed integer conversion
The previous code triggered a compiler warning because of a comparison
of a signed and an unsigned integer.

The conversion is safe because `len` is representable by 16-bits,
hence smaller than the maximum integer.
2018-10-10 15:48:39 +01:00
Darryl Green
e3f95ed25b Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-09 16:36:53 +01:00
Janos Follath
a0b67c2f3e Bignum: Deprecate mbedtls_mpi_is_prime()
When using a primality testing function the tolerable error rate depends
on the scheme in question, the required security strength and wether it
is used for key generation or parameter validation. To support all use
cases we need more flexibility than what the old API provides.
2018-10-09 16:36:53 +01:00
Janos Follath
da31fa137a Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-09 16:36:53 +01:00
Janos Follath
b728c29114 Bignum: Remove dead code
Both variables affected by the code are overwritten before their next
read.
2018-10-09 16:33:27 +01:00
Janos Follath
b8fc1b02ee RSA: Use MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR 2018-10-09 16:33:27 +01:00
Janos Follath
f301d23ceb Bignum: Improve primality test for FIPS primes
The FIPS 186-4 RSA key generation prescribes lower failure probability
in primality testing and this makes key generation slower. We enable the
caller to decide between compliance/security and performance.

This python script calculates the base two logarithm of the formulas in
HAC Fact 4.48 and was used to determine the breakpoints and number of
rounds:

def mrpkt_log_2(k, t):
    if t <= k/9.0:
        return 3*math.log(k,2)/2+t-math.log(t,2)/2+4-2*math.sqrt(t*k)
    elif t <= k/4.0:
        c1 = math.log(7.0*k/20,2)-5*t
        c2 = math.log(1/7.0,2)+15*math.log(k,2)/4.0-k/2.0-2*t
        c3 = math.log(12*k,2)-k/4.0-3*t
        return max(c1, c2, c3)
    else:
        return math.log(1/7.0)+15*math.log(k,2)/4.0-k/2.0-2*t
2018-10-09 16:33:27 +01:00
Andrzej Kurek
ef43ce6e25 Dtls: change the way unlimited mtu is set for client hello messages 2018-10-09 08:24:12 -04:00
Hanno Becker
1624e2e8bb Avoid overly long lines X.509 DN attr array def in x509_create.c 2018-10-08 14:52:20 +01:00
Hanno Becker
35b6854e54 Replace reference to RFC 3280 by reference to newer RFC 5280 2018-10-08 14:47:38 +01:00
Hanno Becker
cfc47bab69 Correct some indentation and line lengths in x509_create.c 2018-10-08 14:45:42 +01:00
Hanno Becker
d355e69aed Rename tag to default_tag in x509_attr_descriptor_t 2018-10-08 14:44:32 +01:00
Hanno Becker
d2c9009e5a Improve documentation of x509_attr_descriptor_t 2018-10-08 14:42:34 +01:00
Gilles Peskine
23cc2ff9a8 Add support for non-default-tag-size AEAD (CCM and GCM) 2018-10-08 14:42:11 +02:00
Gilles Peskine
edf9a6576d Refactor AEAD setup into a common function
There was a lot of repetition between psa_aead_encrypt and
psa_aead_decrypt. Refactor the code into a new function psa_aead_setup.
The new code should behave identically except that in some cases where
multiple error conditions apply, the code may now return a different
error code.

Internally, I rearranged some of the code:

* I removed a check that the key type was in CATEGORY_SYMMETRIC because
  it's redundant with mbedtls_cipher_info_from_psa which enumerates
  supported key types explicitly.
* The order of some validations is different to allow the split between
  setup and data processing. The code now calls a more robust function
  psa_aead_abort in case of any error after the early stage of the setup.
2018-10-08 14:42:11 +02:00
Gilles Peskine
d911eb7915 Add support for truncated MAC algorithms 2018-10-08 14:42:11 +02:00
Hanno Becker
0c161d1956 Fix bounds check in ssl_parse_server_psk_hint()
In the previous bounds check `(*p) > end - len`, the computation
of `end - len` might underflow if `end` is within the first 64KB
of the address space (note that the length `len` is controlled by
the peer). In this case, the bounds check will be bypassed, leading
to `*p` exceed the message bounds by up to 64KB when leaving
`ssl_parse_server_psk_hint()`. In a pure PSK-based handshake,
this doesn't seem to have any consequences, as `*p*` is not accessed
afterwards. In a PSK-(EC)DHE handshake, however, `*p` is read from
in `ssl_parse_server_ecdh_params()` and `ssl_parse_server_dh_params()`
which might lead to an application crash of information leakage.
2018-10-08 13:40:50 +01:00
Simon Butcher
e1660af2e2 Fix CSR parsing header call
Change the secondary X509 CSR parsing call for the alternative MS header to only
occur if the first call fails due to the header being unfound, instead of any
call.
2018-10-07 17:48:37 +01:00
Simon Butcher
0488ce653a Add support for alternative CSR headers
Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's
that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of
'BEGIN CERTIFICATE REQUEST'.
2018-10-06 17:17:54 +01:00
Gilles Peskine
ec2a5fdee1 PKCS#1 v1.5 decoding: fix empty payload case 2018-10-05 20:48:20 +02:00
Gilles Peskine
40b57f4acd Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption 2018-10-05 15:35:03 +02:00
Gilles Peskine
85a7442753 mbedtls_rsa_rsaes_pkcs1_v15_decrypt: remove the variable p
Get rid of the variable p. This makes it more apparent where the code
accesses the buffer at an offset whose value is sensitive.

No intended behavior change in this commit.
2018-10-05 14:50:21 +02:00
Andrzej Kurek
6290dae909 Disable dtls fragmentation for ClientHello messages
Set the handshake mtu to unlimited when encountering a ClienHello message and
reset it to its previous value after writing the record.
2018-10-05 08:06:01 -04:00
Hanno Becker
a08651f484 Remove lines above 80 characters in library/ctr_drbg.c 2018-10-05 09:38:59 +01:00
Gilles Peskine
eeedabe25e Minor optimization in the PKCS#1v1.5 unpadding step
Rather than doing the quadratic-time constant-memory-trace on the
whole working buffer, do it on the section of the buffer where the
data to copy has to lie, which can be significantly smaller if the
output buffer is significantly smaller than the working buffer, e.g.
for TLS RSA ciphersuites (48 bytes vs MBEDTLS_MPI_MAX_SIZE).
2018-10-04 22:45:13 +02:00
Gilles Peskine
8c9440a2cb Use branch-free size comparison for the padding size
In mbedtls_rsa_rsaes_pkcs1_v15_decrypt, use size_greater_than (which
is based on bitwise operations) instead of the < operator to compare
sizes when the values being compared must not leak. Some compilers
compile < to a branch at least under some circumstances (observed with
gcc 5.4 for arm-gnueabi -O9 on a toy program).
2018-10-04 21:44:40 +02:00
Gilles Peskine
a1af5c8ea2 Bleichenbacher fix: don't leak the plaintext length (step 2)
Replace memmove(to, to + offset, length) by a functionally equivalent
function that strives to make the same memory access patterns
regardless of the value of length. This fixes an information leak
through timing (especially timing of memory accesses via cache probes)
that leads to a Bleichenbacher-style attack on PKCS#1 v1.5 decryption
using the plaintext length as the observable.
2018-10-04 21:44:29 +02:00
Gilles Peskine
9265ff4ee6 Bleichenbacher fix: don't leak the plaintext length (step 1)
mbedtls_rsa_rsaes_pkcs1_v15_decrypt takes care not to reveal whether
the padding is valid or not, even through timing or memory access
patterns. This is a defense against an attack published by
Bleichenbacher. The attacker can also obtain the same information by
observing the length of the plaintext. The current implementation
leaks the length of the plaintext through timing and memory access
patterns.

This commit is a first step towards fixing this leak. It reduces the
leak to a single memmove call inside the working buffer.
2018-10-04 21:38:22 +02:00
Gilles Peskine
331d80e162 Evolve choose_int_from_mask to if_int
Make the function more robust by taking an arbitrary zero/nonzero
argument instead of insisting on zero/all-bits-one. Update and fix its
documentation.
2018-10-04 21:36:34 +02:00
Simon Butcher
d2642584cb Make inclusion of stdio.h conditional in x509_crt.c
stdio.h was being included both conditionally if MBEDTLS_FS_IO was
defined, and also unconditionally, which made at least one of them
redundant.

This change removes the unconditional inclusion of stdio.h and makes it
conditional on MBEDTLS_PLATFORM_C.
2018-10-03 15:11:19 +01:00
Gilles Peskine
e2a10de275 Fix a timing-based Bleichenbacher attack on PKCS#1v1.5 decryption
mbedtls_rsa_rsaes_pkcs1_v15_decrypt took care of calculating the
padding length without leaking the amount of padding or the validity
of the padding. However it then skipped the copying of the data if the
padding was invalid, which could allow an adversary to find out
whether the padding was valid through precise timing measurements,
especially if for a local attacker who could observe memory access via
cache timings.

Avoid this leak by always copying from the decryption buffer to the
output buffer, even when the padding is invalid. With invalid padding,
copy the same amount of data as what is expected on valid padding: the
minimum valid padding size if this fits in the output buffer,
otherwise the output buffer size. To avoid leaking payload data from
an unsuccessful decryption, zero the decryption buffer before copying
if the padding was invalid.
2018-10-03 01:03:05 +02:00
Gilles Peskine
5908dd4455 Minor readability improvement
Polish the beginning of mbedtls_rsa_rsaes_pkcs1_v15_decrypt a little,
to prepare for some behavior changes.
2018-10-02 22:43:06 +02:00
Jaeden Amero
3725bb2d6d rsa: pss: Enable use of big hashes with small keys
It should be valid to RSASSA-PSS sign a SHA-512 hash with a 1024-bit or
1032-bit RSA key, but with the salt size being always equal to the hash
size, this isn't possible: the key is too small.

To enable use of hashes that are relatively large compared to the key
size, allow reducing the salt size to no less than the hash size minus 2
bytes. We don't allow salt sizes smaller than the hash size minus 2
bytes because that too significantly changes the security guarantees the
library provides compared to the previous implementation which always
used a salt size equal to the hash size. The new calculated salt size
remains compliant with FIPS 186-4.

We also need to update the "hash too large" test, since we now reduce
the salt size when certain key sizes are used. We used to not support
1024-bit keys with SHA-512, but now we support this by reducing the salt
size to 62. Update the "hash too large" test to use a 1016-bit RSA key
with SHA-512, which still has too large of a hash because we will not
reduce the salt size further than 2 bytes shorter than the hash size.

The RSA private key used for the test was generated using "openssl
genrsa 1016" using OpenSSL 1.1.1-pre8.

    $ openssl genrsa 1016
    Generating RSA private key, 1016 bit long modulus (2 primes)
    ..............++++++
    ....++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICVwIBAAKBgACu54dKTbLxUQBEQF2ynxTfDze7z2H8vMmUo9McqvhYp0zI8qQK
    yanOeqmgaA9iz52NS4JxFFM/2/hvFvyd/ly/hX2GE1UZpGEf/FnLdHOGFhmnjj7D
    FHFegEz/gtbzLp9X3fOQVjYpiDvTT0Do20EyCbFRzul9gXpdZcfaVHNLAgMBAAEC
    gYAAiWht2ksmnP01B2nF8tGV1RQghhUL90Hd4D/AWFJdX1C4O1qc07jRBd1KLDH0
    fH19WocLCImeSZooGCZn+jveTuaEH14w6I0EfnpKDcpWVAoIP6I8eSdAttrnTyTn
    Y7VgPrcobyq4WkCVCD/jLUbn97CneF7EHNspXGMTvorMeQJADjy2hF5SginhnPsk
    YR5oWawc6n01mStuLnloI8Uq/6A0AOQoMPkGl/CESZw+NYfe/BnnSeckM917cMKL
    DIKAtwJADEj55Frjj9tKUUO+N9eaEM1PH5eC7yakhIpESccs/XEsaDUIGHNjhctK
    mrbbWu+OlsVRA5z8yJFYIa7gae1mDQJABjtQ8JOQreTDGkFbZR84MbgCWClCIq89
    5R3DFZUiAw4OdS1o4ja+Shc+8DFxkWDNm6+C63g/Amy5sVuWHX2p9QI/a69Cxmns
    TxHoXm1w9Azublk7N7DgB26yqxlTfWJo+ysOFmLEk47g0ekoCwLPxkwXlYIEoad2
    JqPh418DwYExAkACcqrd9+rfxtrbCbTXHEizW7aHR+fVOr9lpXXDEZTlDJ57sRkS
    SpjXbAmylqQuKLqH8h/72RbiP36kEm5ptmw2
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Simon Butcher
c86993e33c Merge remote-tracking branch 'public/pr/1970' into development 2018-09-27 09:48:54 +01:00
Krzysztof Stachowiak
edb868dcf9 Move MinGW specific define out of a header file 2018-09-24 12:41:18 +02:00
Gilles Peskine
159ebf3b8e
Merge pull request #142 from ARMmbed/psa-metadata_validation
Algorithm and key type encoding validation
2018-09-24 10:38:39 +02:00
Janos Follath
7c025a9f50 Generalize dh_flag in mbedtls_mpi_gen_prime
Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
2018-09-21 16:30:07 +01:00
Jaeden Amero
3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero
40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00