Commit Graph

5203 Commits

Author SHA1 Message Date
Gilles Peskine
20b3ef3cad Add mbedtls_ecdh_can_do
All curves can currently do ECDH, but to make the API symmetric and
future-proof, add mbedtls_ecdh_can_do() to go with mbedtls_ecdsa_can_do().
2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
6ea2dea1c5 3rdparty: Add additional build facilities for 3rd-party code 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
ea24394c03 ECDH: Fix whitespace and permission problems 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
0082f9df6f ECDSA: Add mbedtls_ecdsa_can_do 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
62dddd08fd Add new 3rdparty build scripts 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
2e724a18a1 ECDH: Fix Everest ECDH side type 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
24fbceff50 ECDH: Everest: Remove unnecessary file 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
34811a8db2 ECDH: Use LOCAL_CFLAGS instead of CFLAGS 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
c3cbddecb5 ECDH: Fix whitespace, permissions 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
4936beb513 ECDH: Clean up the interface to Everest code 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
86e36c4c2b ECDH: Replace hex literal with decimal in ecp.c 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
fba94e9726 ECDH: Fix error code in mbedtls_ecdsa_sign 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
78c9c461cf ECDH: Fix typo in ecdh.c 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
c9f737b4ba ECDH: Enable Everest Curve25519 in ECDH/ECDSA/ECP 2019-08-19 13:36:44 +01:00
Christoph M. Wintersteiger
d5fd766c49 ECDH: Include Everest Curve25519 in build scripts 2019-08-19 13:36:44 +01:00
Jaeden Amero
89e7655691 Merge remote-tracking branch 'crypto/pr/212' into development
* crypto/pr/212: (337 commits)
  Make TODO comments consistent
  Fix PSA tests
  Fix psa_generate_random for >1024 bytes
  Add tests to generate more random than MBEDTLS_CTR_DRBG_MAX_REQUEST
  Fix double free in psa_generate_key when psa_generate_random fails
  Fix copypasta in test data
  Avoid a lowercase letter in a macro name
  Correct some comments
  Fix PSA init/deinit in mbedtls_xxx tests when using PSA
  Make psa_calculate_key_bits return psa_key_bits_t
  Adjust secure element code to the new ITS interface
  More refactoring: consolidate attribute validation
  Fix policy validity check on key creation.
  Add test function for import with a bad policy
  Test key creation with an invalid type (0 and nonzero)
  Remove "allocated" flag from key slots
  Take advantage of psa_core_key_attributes_t internally #2
  Store the key size in the slot in memory
  Take advantage of psa_core_key_attributes_t internally: key loading
  Switch storage functions over to psa_core_key_attributes_t
  ...
2019-08-16 11:02:31 +01:00
Jaeden Amero
9d20e1f2c4 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following actions:
- Reject changes to ChangeLog, as Mbed Crypto doesn't have one
- Reject changes to tests/compat.sh, as Mbed Crypto doesn't have it
- Reject changes to programs/fuzz/onefile.c, as Mbed Crypto doesn't have
  it
- Resolve minor whitespace differences in library/ecdsa.c by taking the
  version from Mbed TLS upstream.

* origin/development:
  Honor MBEDTLS_CONFIG_FILE in fuzz tests
  Test that a shared library build produces a dynamically linked executable
  Test that the shared library build with CMake works
  Add a test of MBEDTLS_CONFIG_FILE
  Exclude DTLS 1.2 only with older OpenSSL
  Document the rationale for the armel build
  Switch armel build to -Os
  Add a build on ARMv5TE in ARM mode
  Add changelog entry for ARM assembly fix
  bn_mul.h: require at least ARMv6 to enable the ARM DSP code
  Adapt ChangeLog
  ECP restart: Don't calculate address of sub ctx if ctx is NULL
2019-08-15 15:49:46 +01:00
Gilles Peskine
1435767d2a Merge remote-tracking branch 'upstream-public/pr/2753' into development 2019-08-14 16:00:11 +02:00
Gilles Peskine
0ed1df6206
Merge pull request #184 from hanno-arm/ecp_restartable_offset
Fix fragile method for passing from ECDSA to ECP restart contexts
2019-08-14 15:40:08 +02:00
Janos Follath
1d57a20cbe Make TODO comments consistent 2019-08-13 12:15:34 +01:00
Gilles Peskine
059d9d3fc5
Merge pull request #182 from gilles-peskine-arm/ecp-factorize-reduction
Replace some macros by functions in ecp
2019-08-08 19:16:27 +02:00
Janos Follath
8aa7e9bc56 Merge branch 'psa-api-1.0-beta' into merge-psa-api-branch-into-development 2019-08-08 14:40:23 +01:00
Gilles Peskine
0c77b0e2f9
Merge pull request #198 from gilles-peskine-arm/psa-api-1.0-beta-merge_development_20190801
Merge mbed-crypto/development into psa-api-1.0-beta
2019-08-08 10:24:53 +02:00
Gilles Peskine
f181eca350 Fix psa_generate_random for >1024 bytes
mbedtls_ctr_drbg_random can only return up to
MBEDTLS_CTR_DRBG_MAX_REQUEST (normally 1024) bytes at a time. So if
more than that is requested, call mbedtls_ctr_drbg_random in a loop.
2019-08-07 13:49:00 +02:00
Gilles Peskine
a6b2f60b4c Fix double free in psa_generate_key when psa_generate_random fails
When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but a the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7221
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix #207
2019-08-07 13:43:09 +02:00
Gilles Peskine
1b9505c451 Correct some comments 2019-08-07 10:59:45 +02:00
Gilles Peskine
01655daeee
Merge pull request #2417 from RonEld/2734
Update soon to be expired crl
2019-08-03 13:38:14 +02:00
Vikas Katariya
21599b6622 Return right error code.
Issue : 126
https://github.com/ARMmbed/mbed-crypto/issues/126

PSA_ERROR_BUFFER_TOO_SMALL error returned when we check for output_size.
2019-08-02 13:01:58 +01:00
Gilles Peskine
8908c5e81c Make psa_calculate_key_bits return psa_key_bits_t
This is cleaner and solves a complaint from MSVC about truncation from
size_t to psa_key_bits_t.
2019-07-31 18:55:00 +02:00
Gilles Peskine
8b66389d0d Adjust secure element code to the new ITS interface 2019-07-31 17:57:57 +02:00
Gilles Peskine
72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00
Gilles Peskine
1b8594a218 More refactoring: consolidate attribute validation
Consolidate attribute validation at the beginning of key creation into
a single function. Improve comments.
2019-07-31 17:21:46 +02:00
Gilles Peskine
3825e14e65 Fix policy validity check on key creation.
Add a non-regression test.
2019-07-31 16:54:38 +02:00
Gilles Peskine
41e50d26ea Remove "allocated" flag from key slots
The flag to mark key slots as allocated was introduced to mark slots
that are claimed and in use, but do not have key material yet, at a
time when creating a key used several API functions: allocate a slot,
then progressively set its metadata, and finally create the key
material. Now that all of these steps are combined into a single
API function call, the notion of allocated-but-not-filled slot is no
longer relevant. So remove the corresponding flag.

A slot is occupied iff there is a key in it. (For a key in a secure
element, the key material is not present, but the slot contains the
key metadata.) This key must have a type which is nonzero, so use this
as an indicator that a slot is in use.
2019-07-31 16:54:38 +02:00
Gilles Peskine
76aa09c9a9 Take advantage of psa_core_key_attributes_t internally #2
Key creation and psa_get_key_attributes
2019-07-31 16:54:37 +02:00
Gilles Peskine
b46bef2f76 Store the key size in the slot in memory
There is now a field for the key size in the key slot in memory. Use
it.

This makes psa_get_key_attributes() marginally faster at the expense
of memory that is available anyway in the current memory layout (16
bits for the size, 16 bits for flags). That's not the goal, though:
the goal is to simplify the code, in particular to make it more
uniform between transparent keys (whose size can be recomputed) and
keys in secure elements (whose size cannot be recomputed).

For keys in a secure element, the bit size is now saved by serializing
the type psa_key_bits_t (which is an alias for uint16_t) rather than
size_t.
2019-07-31 14:16:50 +02:00
Gilles Peskine
2431859dc7 Take advantage of psa_core_key_attributes_t internally: key loading 2019-07-31 14:16:19 +02:00
Gilles Peskine
4ed0e6f11a Switch storage functions over to psa_core_key_attributes_t 2019-07-31 14:15:27 +02:00
Gilles Peskine
8e3387029d Use psa_core_key_attributes_t in key slots in memory
Change the type of key slots in memory to use
psa_core_key_attributes_t rather than separate fields. The goal is to
simplify some parts of the code. This commit only does the mechanical
replacement, not the substitution.

The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED`
in the `flags` field.

Write accessor functions for flags.

Key slots now contain a bit size field which is currently unused.
Subsequent commits will make use of it.
2019-07-31 14:15:27 +02:00
Jaeden Amero
fe93bc4ed4
Merge pull request #187 from Patater/tls-development-20190722
Bring in changes from Mbed TLS as of 2019-07-22
2019-07-31 11:50:15 +01:00
Jaeden Amero
8dd1690993 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
- Reject changes related to building a crypto submodule, since Mbed
  Crypto is the crypto submodule.
- Reject X.509, NET, and SSL changes.
- Reject changes to README, as Mbed Crypto is a different project from
  Mbed TLS, with a different README.
- Avoid adding mention of ssl-opt.sh in a comment near some modified
  code in include/CMakeLists.txt (around where ENABLE_TESTING as added).
- Align config.pl in Mbed TLS with config.pl in Mbed Crypto where PSA
  options are concerned, to make future merging easier. There is no
  reason for the two to be different in this regard, now that Mbed TLS
  always depends on Mbed Crypto. Remaining differences are only the
  PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option and the absence of X.509,
  NET, and SSL related options in Mbed Crypto's config.pl.
- Align config.h in Mbed Crypto with Mbed TLS's copy, with a few notable
  exceptions:
  - Leave CMAC on by default.
  - Leave storage on by default (including ITS emulation).
  - Avoid documenting the PSA Crypto API as is in beta stage in
    documentation for MBEDTLS_PSA_CRYPTO_C.
  The only remaining differences are a lack of X.509, NET, and SSL
  options in Mbed Crypto's config.h, as well as an additional
  Mbed-Crypto-specific PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option.
  Documentation for the check params feature and related macros is also
  updated to match Mbed TLS's description.
- Reject tests/data_files/Makefile changes to generate DER versions of
  CRTs and keys, as none of those are used by Mbed Crypto tests.
- Add the "no PEM and no filesystem" test to all.sh, without ssl-opt.sh
  run, as Mbed Crypto doesn't have ssl-opt.sh. Also remove use of PSA
  Crypto storage and ITS emulation, since those depend on filesystem
  support.
- Reject addition of test when no ciphersuites have MAC to all.sh, as
  the option being tested, MBEDTLS_SSL_SOME_MODES_USE_MAC, is not
  present in Mbed Crypto.
- Use baremetal config in all.sh, as Mbed Crypto's baremetal
  configuration does exclude the net module (as it doesn't exist in Mbed
  Crypto)
- Reject cmake_subproject_build changes, continuing to link only
  libmbedcrypto.
- Reject changes to visualc and associated templates. Mbed Crypto
  doesn't need additional logic to handle submodule-sourced headers.
- Avoid adding fuzzers from Mbed TLS. The only relevant fuzzers are the
  privkey and pubkey fuzzers, but non-trivial work would be required to
  integrate those into Mbed Crypto (more than is comfortable in a merge
  commit).
- Reject addition of Docker wrappers for compat.sh and ssl-opt.sh, as
  those are not present in Mbed Crypto.
- Remove calls to SSL-related scripts from basic-in-docker.sh

Fix test errors by performing the following:
- Avoid using a link that Doxygen can't seem to resolve in Mbed Crypto,
  but can resolve in Mbed TLS. In documentation for
  MBEDTLS_CHECK_PARAMS, don't attempt to link to MBEDTLS_PARAM_FAILED.

* origin/development: (339 commits)
  Do not build fuzz on windows
  No booleans and import config
  Removing space before opening parenthesis
  Style corrections
  Syntax fix
  Fixes warnings from MSVC
  Add a linker flag to enable gcov in basic-build-test.sh
  Update crypto submodule to a revision with the HAVEGE header changes
  Test with MBEDTLS_ECP_RESTARTABLE
  Allow TODO in code
  Use the docstring in the command line help
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  tests: Limit each log to 10 GiB
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Fix parsing issue when int parameter is in base 16
  ...
2019-07-31 10:37:53 +01:00
Gilles Peskine
68cc433b5b Store key sizes in 16 bits in attributes
This is larger than the maximum key size introduced in the previous
commit, by design.

Make some room for flags (not used yet).
2019-07-30 21:08:38 +02:00
Gilles Peskine
c744d99386 Limit keys to 65528 bits
65528 bits is more than any reasonable key until we start supporting
post-quantum cryptography.

This limit is chosen to allow bit-sizes to be stored in 16 bits, with
65535 left to indicate an invalid value. It's a whole number of bytes,
which facilitates some calculations, in particular allowing a key of
exactly PSA_CRYPTO_MAX_STORAGE_SIZE to be created but not one bit
more.

As a resource usage limit, this is arguably too large, but that's out
of scope of the current commit.

Test that key import, generation and derivation reject overly large
sizes.
2019-07-30 20:58:33 +02:00
Gilles Peskine
7e0cff90b9 Move attribute fields to a substructure
Move the "core attributes" to a substructure of psa_key_attribute_t.
The motivation is to be able to use the new structure
psa_core_key_attributes_t internally.
2019-07-30 20:58:27 +02:00
Gilles Peskine
e60d1d08a4 SE keys: save the bit size in storage
For a key in a secure element, save the bit size alongside the slot
number.

This is a quick-and-dirty implementation where the storage format
depends on sizeof(size_t), which is fragile. This should be replaced
by a more robust implementation before going into production.
2019-07-29 18:11:09 +02:00
Gilles Peskine
1801740a7c SE driver: report the bit size on key import
Add a parameter to the key import method of a secure element driver to
make it report the key size in bits. This is necessary (otherwise the
core has no idea what the bit-size is), and making import report it is
easier than adding a separate method (for other key creation methods,
this information is an input, not an output).
2019-07-29 18:07:09 +02:00
Gilles Peskine
dc5bfe9784 SE keys: implement and test psa_get_key_attributes 2019-07-29 18:07:03 +02:00
Gilles Peskine
424f89453b SE keys: store the bit size internally (partial implementation)
This commit blindingly copies the size from the attributes. This is
not correct for copy and import.
2019-07-29 17:06:06 +02:00
Gilles Peskine
adb1c52149
Merge pull request #157 from gilles-peskine-arm/psa-se_driver-create_key
Secure element key creation foundation
2019-07-26 14:39:55 +02:00
Gilles Peskine
66be51c35d If starting a transaction fails, wipe the transaction data
Nothing has been saved to disk yet, but there is stale data in
psa_crypto_transaction. This stale data should not be reused, but do
wipe it to reduce the risk of it mattering somehow in the future.
2019-07-26 13:23:51 +02:00