Commit Graph

15628 Commits

Author SHA1 Message Date
Gilles Peskine
d28f293bb0 Import crypto_spe.h from TF-M
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/plain/secure_fw/partitions/crypto/crypto_spe.h?h=refs/heads/master

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 14:45:17 +02:00
Gilles Peskine
478ac0bcc1
Merge pull request #4704 from mpg/issue-3990-fix_psa_verify_with_alt-2.x
[Backport 2.x] Fix PSA RSA PSS verify with ALT implementations
2021-06-23 11:47:42 +02:00
Manuel Pégourié-Gonnard
727e1f17dd Mention that mbedtls_rsa_init can set hash_id too
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-23 10:35:55 +02:00
Gilles Peskine
df51a13c54
Merge pull request #4394 from gilles-peskine-arm/travis-windows-no-generate-2.x
2.2x only: No longer generate psa_constant_names_generated.c on Windows on Travis
2021-06-22 18:53:58 +02:00
Gilles Peskine
11bd2ac3da
Merge pull request #4705 from ronald-cron-arm/3258_implement_one-shot_MAC_2.x
Backport 2.x: Implement one-shot mac in PSA
2021-06-22 18:53:34 +02:00
Ronald Cron
f38646151e Add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
54488c4abc psa: mac: Add driver dispatch tests for psa_mac_verify
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
4ed836883e psa: mac: Add driver delegation support for psa_mac_verify()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
ef0d8f17f8 psa: mac: Introduce psa_mac_compute_internal
Introduce psa_mac_compute_internal with an
additional `is_sign` parameter compared to
the psa_mac_compute API. The intent is to
call psa_mac_compute_internal() from
psa_mac_verify() as well to compute the
message MAC.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
93dcd5963f psa: mac: Add driver dispatch tests for psa_mac_compute
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
882eb780fb psa: mac: Improve MAC finalization code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
dbb8646c2c psa: mac: Add driver delegation support for psa_mac_compute()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
bfdfaa676c psa: mac: Add MAC compute builtin implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
def68e722a psa: mac: Improve implementation of psa_mac_finalize_alg_and_key_validation()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
1c650a1a37 psa: mac: Split psa_mac_setup()
Split out of psa_mac_setup() the final checks on
the requested algorithm and the key attributes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
Ronald Cron
48f875e809 psa: mac: Re-organize psa_mac_setup() internal function
Re-organize psa_mac_setup() to prepare the move
to a dedicated function of the additional checks
on the algorithm and the key attributes done by
this function. We want to move those checks in
a dedicated function to be able to do them
without duplicating them in psa_mac_compute().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm
a93e423739 Add test for one-shot MAC functions
Tests for psa_mac_compute and psa_mac_verify functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-22 13:43:13 +02:00
gabor-mezei-arm
a00616fc6b Implement one-shot MAC functions
Implement one-shot MAC APIs, psa_mac_compute and psa_mac_verify, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-22 13:43:13 +02:00
Janos Follath
03daae6894 Improve psa_rsa_decode_md_type()
Remove a case that cannot be triggered as PSA_ALG_SIGN_GET_HASH always
returns 0 for raw algorithms.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath
0e89dafbab Add ChangeLog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:05 +02:00
Janos Follath
02becd90a6 Fix exercise key test
Hash and sign algorithms require the alignment of the input length with
the hash length at verification as well not just when signing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:04 +02:00
Janos Follath
3af7e8fe3a Fix verify_hash tests for PSA RSA PSS
The psa_verify_hash() is the pre-hashed version of the API and supposed
to work on hashes generated by the user. There were tests passing that
were getting "hashes" of sizes different from the expected.

Transform these into properly failing tests.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:04 +02:00
Janos Follath
b23b5745b5 PSA RSA PSS: pass pre-hash algorithm to Mbed TLS
PSA Crypto always passed MBEDTLS_MD_NONE to Mbed TLS, which worked well
as Mbed TLS does not use this parameter for anything beyond determining
the input lengths.

Some alternative implementations however check the consistency of the
algorithm used for pre-hash and for other uses in verification (verify
operation and mask generation) and fail if they don't match. This makes
all such verifications fail.

Furthermore, the PSA Crypto API mandates that the pre-hash and internal
uses are aligned as well.

Fixes #3990.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:57:00 +02:00
Janos Follath
456d7e055f mbedtls_rsa_rsassa_pss_*: improve documentation
Hashes used in RSA-PSS encoding (EMSA-PSS-ENCODE, see §9.1.1 in RFC
8017):

- H1: Hashing the message (step 2)
- H2: Hashing in the salt (step 6)
- H3: Mask generation function (step 9)

According to the standard:

- H1 and H2 MUST be done by the same hash function
- H3 is RECOMMENDED to be the same as the hash used for H1 and H2.

According to the implementation:

- H1 happens outside of the function call. It might or might not happen
and the implementation might or might not be aware of the hash used.
- H2 happens inside the function call, consistency with H1 is not
enforced and might not even be possible to detect.
- H3 is done with the same hash as H2 (with the exception of
mbedtls_rsassa_pss_verify_ext(), which takes a dedicated parameter for
the hash used in the MGF).

Issues with the documentation:

- The comments weren't always clear about the three hashes involved and
often only mentioned two of them (which two varied from function to
function).
- The documentation was giving the impression that the standard
recommends aligning H2 and H1 (which is not a recommendation but a
must).

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-22 12:50:26 +02:00
Manuel Pégourié-Gonnard
6a55de9057
Merge pull request #4623 from gilles-peskine-arm/debug-print-mpi-null-2.x
Backport 2.x: Fix mbedtls_debug_print_mpi crash on 0
2021-06-22 12:08:57 +02:00
Manuel Pégourié-Gonnard
9a11ac9cc1
Merge pull request #4621 from gilles-peskine-arm/default-hashes-curves-2.x
Backport 2.x: Curve and hash selection for X.509 and TLS
2021-06-22 12:08:43 +02:00
Gilles Peskine
5ea63a31c4 Mention the Montgomery curve exception
Montgomery curves are not in the expected place in the curve list.
This is a bug (https://github.com/ARMmbed/mbedtls/issues/4698), but
until this bug is fixed, document the current behavior and indicate
that it's likely to change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 10:50:04 +02:00
Dave Rodgman
c158213b2e
Merge pull request #4678 from JoeSubbiani/FixedMissingContextFree-test_suite_aes
Backport 2.x: Add missing free context at the end of aes_crypt_xts_size()
2021-06-22 09:24:14 +01:00
Manuel Pégourié-Gonnard
3f0538d7b7
Merge pull request #4688 from gilles-peskine-arm/winsock-fd-range-2.x
Backport 2.x: Fix net_sockets regression on Windows
2021-06-22 09:29:33 +02:00
Joe Subbiani
7d5fa2be81 Reword changelog - Test Resource Leak
- “Fix an issue where X happens” → ”Fix X“
  the extra words are just a distraction.
- “resource” → “a resource”
- “where resource is never freed” has a name: it's a resource leak
- “when running one particular test suite” → “in a test suite”

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-06-21 16:57:28 +01:00
Gilles Peskine
138d9f52cf SHA-1 is allowed for handshake signatures by default
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-21 09:53:25 +02:00
Gilles Peskine
51859aaff2 Fix fd range for select on Windows
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows: they were testing that the file
descriptor is in range for fd_set, but on Windows socket descriptors are not
limited to a small range. Fixes #4465.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Gilles Peskine
0f6351f8a9 Refactor file descriptor checks into a common function
This will make it easier to change the behavior uniformly.

No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-20 23:17:39 +02:00
Joe Subbiani
02945bcab4 Update changelog formatting - Missing Free Context
Missing trailing full stop added to the end of the fixed issue number

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-06-18 18:55:57 +01:00
Joe Subbiani
707186d179 Update changelog formatting Missing Free Context
Trailing white space causing check_files.py to fail

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-06-18 17:45:34 +01:00
Joe Subbiani
5e1fac8b28 Update changelog formatting - Missing Free Context
The original formatting was in dos and the changelog
assembler would fail. The length of the description was
too long horizontally. This has been updated.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-06-18 15:42:42 +01:00
Joe Subbiani
2af8d04085 Changelog entry for Free Context in test_suite_aes fix
Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-06-18 12:06:31 +01:00
JoeSubbiani
67889a5e64 Free context in at the end of aes_crypt_xts_size()
in file tests/suite/test_suite_aes.function, aes_crypt_xts_size()
did not free the context upon the function exit.
The function now frees the context on exit.

Fixes #4176

Signed-off-by: JoeSubbiani <Joe.Subbiani@arm.com>
2021-06-17 16:15:31 +01:00
Gilles Peskine
f97a963037
Merge pull request #4656 from gilles-peskine-arm/psa_key_derivation-bad_workflow-20210527-2.x
Backport 2.x: PSA key derivation bad-workflow tests
2021-06-17 09:55:37 +02:00
Gilles Peskine
8d54b69c96 Fix copypasta in test data
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Gilles Peskine
a172cf53f7 Use UNUSED wherever applicable in derive_input tests
Exhaustivity check:
```
<tests/suites/test_suite_psa_crypto.data awk -F: '$1=="derive_input" { for (step=1; step<=3; step++) { if ($(4*step-1) == "0") { if ($(4*step) != "UNUSED" || $(4*step+1) != "\"\"" || $(4*step+2) != "UNUSED") print NR, step, $(4*step), $(4*step+1), $(4*step+2) } } }'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Gilles Peskine
f216f0d5d4 Fix missing state check for tls12_prf output
Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Gilles Peskine
d40a21cff1 Key derivation: add test cases where the secret is missing
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Gilles Peskine
f627931cde Add bad-workflow key derivation tests
Add HKDF tests where the sequence of inputs differs from the nominal
case: missing step, duplicate step, step out of order, or invalid step.

There were already similar tests for TLS 1.2 PRF. Add one with a key
agreement which has slightly different code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Gilles Peskine
0faba4e8c5 More explicit names for some bad-workflow key derivation tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-14 18:08:26 +02:00
Ronald Cron
766edb8476
Merge pull request #4635 from Patater/mbed-can-do-timing-2.x
Backport 2.x: config: Allow Mbed to implement TIMING_C

Trivial backport, only one reviewer is ok.
2021-06-11 09:14:00 +02:00
Dave Rodgman
78719eaa7b
Merge pull request #4646 from daverodgman/travis-disable-osx-development_2.x
Backport 2.x: Disable OS X builds on Travis
2021-06-10 17:48:27 +01:00
Dave Rodgman
fcf958afc7 Disable OS X builds on Travis
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-10 15:48:20 +01:00
Jaeden Amero
128c94dd87 config: Allow Mbed to implement TIMING_C
Mbed OS now provides POSIX-like time functions, although not alarm() nor
signal(). It is possible to implement MBEDTLS_TIMING_ALT on Mbed OS, so
we should not artificially prevent this in check-config. Remove the the
check that prevents implementing MBEDTLS_TIMING_ALT on Mbed OS.

Note that this limitation originally was added in the following commit,
although there isn't much context around why the restriction was
imposed: 63e7ebaaa1 ("Add material for generating yotta module"). In
2015, Mbed OS was quite a different thing: no RTOS, no threads, just an
asynchronous event loop model. I'd suppose the asynchronous event loop
model made it difficult before to implement MBEDTLS_TIMING_C on Mbed OS,
but that is no longer the case.

Fixes #4633

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-06-09 14:09:11 +01:00
Gilles Peskine
4de5a6096b Add missing parentheses
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-07 21:42:15 +02:00