MBEDTLS_ECP_WINDOW_SIZE is a compromise between memory usage (growing based
on the value) and performance (faster with larger values). There are
disminishing returns as the value grows larger. Based on Manuel's benchmarks
recorded in https://github.com/ARMmbed/mbedtls/issues/4127, 4 is a good
compromise point, with larger values bringing little advantage. So reduce
the default from 6 to 4.
Document the default value as in optimized for performance mostly, but don't
document the specific value, so we may change it later or make it
platform-dependent.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Calling mbedtls_mpi_cmp_int reveals the number of leading zero limbs
to an adversary who is capable of very fine-grained timing
measurements. This is very little information, but could be practical
with secp521r1 (1/512 chance of the leading limb being 0) if the
adversary can measure the precise timing of a large number of
signature operations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used
as intended, for keys that cannot be modified through normal use of the API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.
Fix#4499.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The sequence of calls starts-update-starts-update-finish is not a
guaranteed valid way to abort an operation and start a new one. Our
software implementation just happens to support it, but alt
implementations may very well not support it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Fix a pointer mismatch when int32_t is not int, for example on Cortex-M where
in32_t is long int. Fix#4530
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The sample program aescrypt2 shows bad practice: hand-rolled CBC
implementation, CBC+HMAC for AEAD, hand-rolled iterated SHA-2 for key
stretching, no algorithm agility. The new sample program pbcrypt does
the same thing, but better. So remove aescrypt2.
Fix#1906
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add implementation for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
Merging as it has been ready for four days now and I prefer not having to go through other rebases especially given the coming change of scope of development (3.0 rather than 2.2x).
This reverts commit 0961e3db49.
This was merged by mistake in development instead of development_3.0.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
An incorrect error code addition was spotted by the new invasive testing
infrastructure whereby pk_get_pk_alg will always return a high level
error or zero and pk_parse_key_pkcs8_unencrypted_der will try to add
another high level error, resulting in a garbage error code.
Apply the same fix from ae3741e8a to fix the bug.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Memsan build was reporting a false positive use of uninitialised memory
in x509_crt.c on a struct filled by an _stat function call. According to
the man pages, the element reported has to be filled in by the call, so
to be safe, and keep memsan happy, zero the struct first.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Fix function mbedtls_ecp_mul_shortcuts() to skip multiplication when m
is 0 and simply assignt 0 to R. Additionally fix ecjpake_zkp_read() to
return MBEDTLS_ERR_ECP_INVALID_KEY when the above condintion is met.
Fix#1792
Signed-off-by: TRodziewicz <rodziewicz@gmail.com>
Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is beyond
FD_SETSIZE. The bug was due to not checking that the file descriptor
is within the range of an fd_set object.
Fix#4169
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random).
Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This brings them in line with PSA Crypto API 1.0.0
PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH -> PSA_ALG_AEAD_WITH_SHORTENED_TAG
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
In psa_generate_derived_key_internal() an error case was returning
directly rather than jumping to the exit label, which meant that an
allocated buffer would not be free'd.
Found via coverity.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
