Commit Graph

10332 Commits

Author SHA1 Message Date
Jaeden Amero
892cd6df70 psa: Use new generic error codes
Mbed TLS has deprecated a few module specific error codes in favor of
more general-purpose or cross-module error codes. Use these new error
codes instead of the deprecated error codes.
2019-02-14 16:01:14 +00:00
Jaeden Amero
1fe81d4985 psa_utils: Make fallthrough clear for compilers
Silence a compiler warning about implicit fallthrough by using a comment
format the compiler understand to mean that the fallthrough is
intentional.

  In file included from library/cipher.c:63:0:
  include/mbedtls/psa_util.h: In function ‘mbedtls_psa_translate_cipher_mode’:
  include/mbedtls/psa_util.h:91:15: error: this statement may fall through [-Werror=implicit-fallthrough=]
               if( taglen == 0 )
                 ^
  include/mbedtls/psa_util.h:94:9: note: here
           default:
           ^~~~~~~
  cc1: all warnings being treated as errors

  $ gcc --version
  gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0
  Copyright (C) 2017 Free Software Foundation, Inc.
  This is free software; see the source for copying conditions.  There is NO
  warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2019-02-14 16:01:14 +00:00
Jaeden Amero
06b161a39c psa: Add latest PSA Crypto config.h
Copy our include/mbedtls/config.h file, which is our default
configuration, to configs/config-psa-crypto.h, updating what was
previously there to the latest defaults.
2019-02-14 16:01:14 +00:00
Jaeden Amero
e8206622ad Update config-default.h to the latest from Mbed TLS
config-default.h should always be a verbatim copy of the default
configuration (include/mbedtls/config.h) from Mbed TLS.
2019-02-14 16:01:14 +00:00
Jaeden Amero
67ea2c5e6d Merge branch 'development-psa-proposed' into development
Resolve conflicts by performing the following.

- Take the upstream Mbed TLS ChangeLog verbatim.
- Reject changes to Makefiles and CMake that are related to using Mbed
  Crypto as a submodule. It doesn't make sense to use Mbed Crypto as a
  submodule of itself.
- Reject README changes, as Mbed Crypto has its own, different README.
- Reject PSA-related changes to config.h. We don't want to disable the
  availability of the PSA Crypto API by default in the Mbed Crypto
  config.h.
- Don't inadvertently revert dead code removal in
  mbedtls_cipher_write_tag() which was added in f2a7529403 ("Fix
  double return statement in cipher.c")
- Where Mbed Crypto already had some MBEDTLS_USE_PSA_CRYPTO code (from
  past companion PRs) take the latest version from Mbed TLS which
  includes integration with MBEDTLS_CHECK_PARAMS.
- Update the version of the shared library files to match what's
  currently present in Mbed TLS.
- Reject removal of testing with PSA from config full tests.
- Resolve conflicts in test tests/suites/helpers.function, where both
  Mbed Crypto and Mbed TLS both added documentation for TEST_ASSERT.
  Combine text from both documentation efforts.
- Reject adding a submodule of ourselves.
- Reject addition of submodule tests in all.sh.
- Reject addition of submodule to library path in
  tests/scripts/run-test-suites.pl.
- Avoid using USE_CRYPTO_SUBMODULE=1 in
  component_test_use_psa_crypto_full_cmake_asan() in all.sh.
2019-02-14 15:58:43 +00:00
Andrzej Kurek
eb5087126f all.sh: add a seedfile generation step
When using PSA with MBEDTLS_ENTROPY_NV_SEED, some test suites
require the seed file for PSA initialization, which was normally generated
later, when entropy tests were run. This change creates an initial seedfile
in all.sh.
2019-02-14 07:18:59 -05:00
Jaeden Amero
247842c0d6
Merge pull request #56 from gilles-peskine-arm/psa_constant_names-status_is_signed
psa_constant_names: status is signed
2019-02-14 11:20:13 +00:00
Andrzej Kurek
c058773798 Update submodule pointer to dea02cc8b 2019-02-14 05:28:21 -05:00
Gilles Peskine
c4cd2adae8 test_psa_constant_names: fix uses of C integer types
Some of the types may in principle be wider than `unsigned`, so use
`unsigned long` in printf.

Add support for signed types: a status is a signed value, and
preferentially printed in decimal.
2019-02-13 18:46:51 +01:00
Gilles Peskine
3f775264d3 psa_constant_names: adding support for signed types
psa_constant_names now works correctly with signed values, such as
psa_status_t may have.
2019-02-13 18:46:51 +01:00
Gilles Peskine
1b879843d1 psa_constant_names: factor unsigned support into its own function
This is in preparation for adding support for signed types (namely,
psa_status_t).
2019-02-13 18:46:51 +01:00
Gilles Peskine
f02fbf4bbe Don't mention "crypto service" when discussing a library integration 2019-02-13 15:43:35 +01:00
Jaeden Amero
3ea2687053 psa: Initialize crypto in tests that need to
Don't unconditionally enable PSA Crypto for all tests. Only enable it in
tests that require it. This allows crypto tests to check that
psa_crypto_init() fails when it is supposed to fail, since we want to
perform some action in a test, and then call psa_crypto_init() and check
the result without it having been called previously.
2019-02-13 07:34:54 -05:00
Jaeden Amero
2d7e5fe31d
Merge pull request #46 from Patater/fix-windows-initializers
psa: Test fresh contexts have default behavior
2019-02-12 16:34:10 +00:00
Gilles Peskine
b5a132f26c Minor clarifications 2019-02-12 16:47:20 +01:00
Jaeden Amero
1fb011f2a6
Merge pull request #152 from ARMmbed/psa-test-psa_constant_names
Test psa_constant_names
2019-02-12 13:39:25 +00:00
Jaeden Amero
a3abf540d0
Merge pull request #52 from Patater/verbosify-cmake-tests
all.sh: Enable verbose failure messages for CMake
2019-02-12 13:31:20 +00:00
Ron Eldor
3467dcf452 Use certificates from data_files and refer them
Use the server certificate from `data_files` folder, for formality,
and refer to the source, for easier reproduction.
2019-02-12 15:30:26 +02:00
Gilles Peskine
0b02002fec Specification of how Mbed Crypto uses storage
Describe the storage format for keys and random seed in Mbed Crypto
0.1.0 released with Mbed OS 5.11, over C stdio and over ITS with
32-bit file identifiers.

Describe the proposed storage format for keys and random seed in the
future release of Mbed Crypto for Mbed OS 5.12, over C stdio and over
ITS with 64-bit file identifiers.
2019-02-12 14:25:57 +01:00
Gilles Peskine
4945176ebe Add framework for architecture documents in Markdown 2019-02-12 14:25:40 +01:00
Jaeden Amero
d48e9c713e all.sh: Enable verbose failure messages for CMake
Set the CMake-observed variable `CTEST_OUTPUT_ON_FAILURE`, so that when
a "make test" run by CMake fails, verbose test output about the detail
of failure is available.
2019-02-12 11:38:14 +00:00
Andres Amaya Garcia
54efcb7ff0 Update query config with VSNPRINTF macro 2019-02-11 21:55:09 +00:00
Andres Amaya Garcia
4343384966 Fix typo in x509write test data 2019-02-11 21:33:10 +00:00
Jaeden Amero
8a23dc6642
Merge pull request #48 from dgreen-arm/fix-zero-key-copy
Allow NULL buffers in psa_copy_key_material when the key size is zero
2019-02-11 17:27:19 +00:00
Darryl Green
8096cafa94 Only zeroize buffer if the buffer length is non-zero 2019-02-11 14:03:03 +00:00
Andrzej Kurek
08b807a161 Update crypto submodule version to commit f54597144874
Use mbed-crypto repository in gitmodules file
2019-02-11 08:45:41 -05:00
Darryl Green
8593bca7f8 Allow NULL buffers in psa_copy_key_material when the key size is zero 2019-02-11 13:26:36 +00:00
Andrzej Kurek
f389629556 Move a restartable ecp context to a conditional compilation block
This was an unused variable when compiling with parameter validation
but without ecp_restartable
2019-02-11 05:15:54 -05:00
Jaeden Amero
6f7703df3a rsa: Enable use of zero-length null output
Enable handling of zero-length null output in PKCS1 v1.5 decryption.
Prevent undefined behavior by avoiding a memcpy() to zero-length null
output buffers.
2019-02-11 03:39:51 -05:00
Gilles Peskine
004f87b98d RSA encryption: accept input=NULL if ilen=0
In mbedtls_rsa_rsaes_oaep_encrypt and
mbedtls_rsa_rsaes_pkcs1_v15_encrypt, if the input length is 0 (which
is unusual and mostly useless, but permitted) then it is fine for the
input pointer to be NULL. Don't return an error in this case.

When `input` is NULL, `memcpy( p, input, ilen )` has undefined behavior
even if `ilen` is zero. So skip the `memcpy` call in this case.
Likewise, in `mbedtls_rsa_rsaes_oaep_decrypt`, skip the `memcpy` call if
`*olen` is zero.
2019-02-11 03:39:21 -05:00
Peter Kolbus
5da93f8903 Update ChangeLog 2019-02-09 10:21:57 -06:00
Hanno Becker
46f34d0ac0 Fix style issue and wording 2019-02-08 14:26:41 +00:00
Hanno Becker
c1e18bdf06 Fix memory leak 2019-02-08 14:26:41 +00:00
Hanno Becker
e2734e2be4 Improve formatting of ssl_parse_certificate_chain() 2019-02-08 14:26:41 +00:00
Hanno Becker
84879e32ef Add compile-time guards around helper routine 2019-02-08 14:26:41 +00:00
Hanno Becker
bd9d51d969 Adapt ChangeLog 2019-02-08 14:26:41 +00:00
Hanno Becker
def9bdc152 Don't store the peer CRT chain twice during renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).
During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit removes the simultaneous presence of two peer CRT chains
in memory during renegotiation, in the following way:
- Unlike in the case of SessionTickets handled in the previous commit,
  we cannot simply free the peer's CRT chain from the previous handshake
  before parsing the new one, as we need to verify that the peer's end-CRT
  hasn't changed to mitigate the 'Triple Handshake Attack'.
- Instead, we perform a binary comparison of the original peer end-CRT
  with the one presented during renegotiation, and if it succeeds, we
  avoid re-parsing CRT by moving the corresponding CRT pointer from the
  old to the new session structure.
- The remaining CRTs in the peer's chain are not affected by the triple
  handshake attack protection, and for them we may employ the canonical
  approach of freeing them before parsing the remainder of the new chain.

Note that this commit intends to not change any observable behavior
of the stack. In particular:
- The peer's CRT chain is still verified during renegotiation.
- The tail of the peer's CRT chain may change during renegotiation.
2019-02-08 14:26:41 +00:00
Hanno Becker
b2964cbe14 SSL/TLS client: Remove old session ticket on renegotiation
Context: During a handshake, the SSL/TLS handshake logic constructs
an instance of ::mbedtls_ssl_session representing the SSL session
being established. This structure contains information such as the
session's master secret, the peer certificate, or the session ticket
issues by the server (if applicable).

During a renegotiation, the new session is constructed aside the existing
one and destroys and replaces the latter only when the renegotiation is
complete. While conceptually clear, this means that during the renegotiation,
large pieces of information such as the peer's CRT or the session ticket
exist twice in memory, even though the original versions are removed
eventually.

This commit starts removing this memory inefficiency by freeing the old
session's SessionTicket before the one for the new session is allocated.
2019-02-08 14:26:41 +00:00
Hanno Becker
ac4172c5bb Adapt ChangeLog 2019-02-08 14:24:58 +00:00
Hanno Becker
2d8a2c0852 Modify existing X.509 test for also test new copyless API
The existing test `x509parse_crt()` for X.509 CRT parsing
so far used the generic parsing API `mbedtls_x509_crt_parse()`
capable of parsing both PEM encoded and DER encoded certficates,
but was actually only used with DER encoded input data. Moreover,
as the purpose of the test is the testing of the core DER X.509 parsing
functionality, not the PEM vs. DER dispatch (which is now already tested
in the various `x509_crt_info()` tests), the call can be replaced with a
direct call to `mbedtls_x509_parse_crt_der()`.

This commit does that, and further adds to the test an analogous
call to the new API `mbedtls_x509_parse_crt_der_nocopy()` to test
copyless parsing of X.509 certificates.
2019-02-08 14:24:58 +00:00
Hanno Becker
462c3e5210 Add test for mbedtls_x509_parse_file() with DER encoded CRT 2019-02-08 14:24:58 +00:00
Hanno Becker
1a65dcd44f Add a new X.509 API call for copy-less parsing of CRTs
Context:
The existing API `mbedtls_x509_parse_crt_der()` for parsing DER
encoded X.509 CRTs unconditionally makes creates a copy of the
input buffer in RAM. While this comes at the benefit of easy use,
-- specifically: allowing the user to free or re-use the input
buffer right after the call -- it creates a significant memory
overhead, as the CRT is duplicated in memory (at least temporarily).
This might not be tolerable a resource constrained device.

As a remedy, this commit adds a new X.509 API call

   `mbedtls_x509_parse_crt_der_nocopy()`

which has the same signature as `mbedtls_x509_parse_crt_der()`
and almost the same semantics, with one difference: The input
buffer must persist and be unmodified for the lifetime of the
established instance of `mbedtls_x509_crt`, that is, until
`mbedtls_x509_crt_free()` is called.
2019-02-08 14:24:58 +00:00
Jaeden Amero
fb236739da Revert "Forbid passing NULL input buffers to RSA encryption routines"
Resolve incompatibilties in the RSA module where changes made for
parameter validation prevent Mbed Crypto from working. Mbed Crypto
depends on being able to pass zero-length buffers that are NULL to RSA
encryption functions.

This reverts commit 2f660d047d.
2019-02-08 08:43:31 -05:00
Andrzej Kurek
02f39ace58 Adjust documentation of mbedtls_cipher_update_ad 2019-02-08 06:50:55 -05:00
Andrzej Kurek
57f04e56c1 Adjust documentation of mbedtls_cipher_update_ad
Fix indentation and capitalization
2019-02-08 06:44:43 -05:00
Gilles Peskine
47e79fb5ab Fix minor errors in key derivation and key agreement documentation 2019-02-08 11:36:59 +01:00
Gilles Peskine
12b58abad6 Remove duplicate definition of PSA_ALG_IS_WILDCARD
This was due to a bad merge.
2019-02-08 11:36:59 +01:00
Gilles Peskine
6bce7f7ebb Fix copypasta in multipart AEAD macro 2019-02-08 11:36:59 +01:00
Gilles Peskine
4c6fdbbe8d Fix typos in doxygen formatting commands 2019-02-08 11:36:59 +01:00
Jaeden Amero
2a0f48ae1f
Merge pull request #43 from Patater/update-2.16-dev
Update to a development version of Mbed TLS 2.16.0
2019-02-08 08:13:41 +00:00