yuzu-mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-mirror/mbedtls.git synced 2025-12-06 07:12:32 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
23791 commits 89 branches 205 tags 114 MiB
Commit graph

10531 commits

Author SHA1 Message Date
Jerry Yu c4bf5d658e fix various issues 
- Signature of
  - mbedtls_tls13_set_hs_sent_ext_mask
  - check_received_extension and issues
- Also fix comment issue.
- improve readablity.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 03112ae022 change input extension_type 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 0c354a211b introduce sent/recv extensions field 
And remove `extensions_present`

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu ffa1582793 move get_extension mask 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 9872eb2d69 change return type for unexpected extension 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 43ff252688 Remove unnecessary checks. 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu d15992d3ce fix wrong setting of unrecognized ext 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 6ba9f1c959 Add extension check for NewSessionTicket 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 2c5363e58b Add extension check for ServerHello and HRR 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 2eaa76044b Add extension check for Certificate 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu c55a6af9eb Add extensions check for CertificateRequest 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu cbd082f396 Add extension check for EncryptedExtensions 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu e18dc7eb9a Add forbidden extensions check for ClientHello 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu 471dee5a12 Add debug helpers to track extensions 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-31 16:41:42 +08:00
Jerry Yu def7ae4404 Add auth mode check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-30 17:57:06 +08:00
Nick Child 5f39767495 pkcs7: Fix imports 
Respond to feedback about duplicate imports[1] and new import style [2].

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r991355485
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#pullrequestreview-1138745361
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-10-28 12:38:41 -05:00
Nick Child bb82ab764f pkcs7: Respond to feeback on parsing logic 
After recieving review on the pkcs7 parsing functions, attempt
to use better API's, increase consisitency and use better
documentation. The changes are in response to the following
comments:
 - use mbedtls_x509_crt_parse_der instead of mbedtls_x509_crt_parse [1]
 - make lack of support for authenticatedAttributes more clear [2]
 - increment pointer in pkcs7_get_content_info_type rather than after [3]
 - rename `start` to `p` for consistency in mbedtls_pkcs7_parse_der [4]

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992509630
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992562450
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992741877
[4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992754103

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-10-28 12:28:54 -05:00
Glenn Strauss 7db3124c00 Skip asn1 zeroize if freeing shallow pointers 
This skips zeroizing additional pointers to data.
(Note: actual sensitive data should still be zeroized when freed.)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-10-28 12:51:35 -04:00
Glenn Strauss a4b4041219 Shared code to free x509 structs 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-10-28 12:51:35 -04:00
Nick Child 73621ef0f0 pkcs7: Improve verify logic and rebuild test data 
Various responses to feedback regarding the
pkcs7_verify_signed_data/hash functions. Mainly, merge these two
functions into one to reduce redudant logic [1]. As a result, an
identified bug about skipping over a signer is patched [2].

Additionally, add a conditional in the verify logic that checks if
the given x509 validity period is expired [3]. During testing of this
conditional, it turned out that all of the testing data was expired.
So, rebuild all of the pkcs7 testing data to refresh timestamps.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-10-28 11:24:25 -05:00
Ronald Cron 04e2133f45
Merge pull request #6482 from ronald-cron-arm/tls13-misc 
TLS 1.3: Update documentation for the coming release and misc
 2022-10-28 11:09:03 +02:00
Gilles Peskine 75c4eaf1f8
Merge pull request #5841 from aurel32/ecp_mul_mxz-timing-leak 
Fix a timing leak in ecp_mul_mxz()
 2022-10-27 19:46:48 +02:00
Minos Galanakis 4d4c98b1b9 bignum_mod: mbedtls_mpi_mod_modulus_setup() refactoring. 
This patch addresses more review comments, and fixes
a circular depedency in the `mbedtls_mpi_mod_modulus_setup()`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-27 17:47:26 +01:00
Minos Galanakis 771c47055f bignum_mod: Style changes 
This patch addresses review comments with regards to style of
`mbedtls_mpi_mod_modulus_setup/free()`.

It also removes a test check which was triggering a use-after-free.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-27 12:36:24 +01:00
Minos Galanakis 8b33363315 bignum_mod: Updated modulus lifecycle with mm and rr. 
This patch updates the `mbedtls_mpi_mod_modulus_setup/free()`
methods to precalculate mm and rr(Montgomery const squared) during
setup and zeroize it during free.

A static `set_mont_const_square()` is added to manage the memory allocation
and parameter checking before invoking the
`mbedtls_mpi_core_get_mont_r2_unsafe()`

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-27 11:43:54 +01:00
Minos Galanakis 760f5d6b6b bignum_mod: Updated mbedtls_mpi_mod_modulus_setup/free with new fields 
At the current state, those fields are initialised to 0, NULL.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-27 11:43:54 +01:00
Hanno Becker cd860dfe02 bignum_mod: Added Montgomery constants 
This patch adds the Montgomery constants to the `mbedtls_mpi_mont_struct`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-27 11:43:54 +01:00
Gilles Peskine 9603daddaa
Merge pull request #6230 from tom-cosgrove-arm/issue-6223-core-add 
Bignum: extract core_add from the prototype
 2022-10-27 11:25:27 +02:00
Ronald Cron 77e15e8a2c
Merge pull request #6460 from xkqian/tls13_add_early_data_preparatory 
Internal and Open CI merge job ran successfully. Good to go.
 2022-10-27 10:40:56 +02:00
Gilles Peskine 88f5fd9099
Merge pull request #6479 from AndrzejKurek/depends-py-no-psa 
Enable running depends.py in a configuration without MBEDTLS_USE_PSA_CRYPTO and remove perl dependency scripts
 2022-10-26 20:02:57 +02:00
Gilles Peskine d4d080b41b
Merge pull request #6407 from minosgalanakis/minos/6017_add_montgomery_constant_squared 
Bignum: Added pre-calculation of Montgomery constants
 2022-10-26 14:28:16 +02:00
Ronald Cron 4f7feca0dc
Merge pull request #6391 from davidhorstmann-arm/fix-x509-get-name-cleanup 
The Open CI ran successfully thus I think we can ignore the internal CI.
 2022-10-26 14:27:54 +02:00
Xiaokang Qian 72dbfef6e4 Improve coding styles 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-26 06:33:57 +00:00
Ronald Cron eac00ad2a6 tls13: server: Note down client not being authenticated in SSL context 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-25 20:02:03 +02:00
Gilles Peskine 744fd37d23
Merge pull request #6467 from davidhorstmann-arm/fix-unusual-macros-0 
Fix unusual macros
 2022-10-25 19:55:29 +02:00
Ronald Cron a709a0f2c6 tls13: Declare PSK ephemeral key exchange mode first 
In the PSK exchange modes extension declare first
PSK ephemeral if we support both PSK ephemeral
and PSK. This is aligned with our implementation
giving precedence to PSK ephemeral over pure PSK
and improve compatibility with GnuTLS.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-25 19:05:26 +02:00
Tom Cosgrove 6469fdfb0a Fix whitespace issue spotted in review 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-10-25 16:29:58 +01:00
Tom Cosgrove 82f131063a Update documentation following review comment 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-10-25 16:29:58 +01:00
Tom Cosgrove af7d44b4d2 Tidy up, remove MPI_CORE(), apply the naming convention, and use the new mbedtls_mpi_core_add() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-10-25 16:29:58 +01:00
Hanno Becker c98871339d Extract MPI_CORE(add) from the prototype 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-10-25 16:29:58 +01:00
Minos Galanakis a081c51cd3 Renamed mpi_core_get_mont_R2_unsafe_neg -> mpi_core_get_mont_r2_unsafe_neg 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:12:38 +01:00
Minos Galanakis 51d638baf6 bignum_core: Style update 
'mbedtls_mpi_core_get_mont_R2_unsafe' aligns const
keyword to match the style of the rest of the module.

Documentation is also updated to remove
`MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:12:38 +01:00
Minos Galanakis ae4fb671b4 mbedtls_mpi_core_get_mont_R2_unsafe: Removed NULL input checking 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:12:38 +01:00
Minos Galanakis b85506e250 bignum_core.h: Comment update for mbedtls_mpi_core_get_mont_R2_unsafe 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:12:23 +01:00
Minos Galanakis 4f43f61c6a Renamed mbedtls_mpi_get_montgomery_constant_unsafe to mpi_core_get_mont_R2_unsafe 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:12:23 +01:00
Hanno Becker ec440f2397 bignum_mod_raw: Ported mbedtls_mpi_get_montgomery_constant_unsafe from prototype 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-10-25 15:08:08 +01:00
David Horstmann 3a334c2edc Minor improvements to ssl_tls12_server.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-25 10:53:44 +01:00
David Horstmann 7aee0ec0ba Minor improvements in ssl_client.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-25 10:38:25 +01:00
David Horstmann 6e11687ba5 Minor improvements to ecp.c changes 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-25 10:32:08 +01:00
David Horstmann 9b0eb90131 Rename ARIA_SELF_TEST_IF_FAIL 
Change to ARIA_SELF_TEST_ASSERT

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-25 10:23:34 +01:00
David Horstmann 059848ff23 Minor changes to asn1write.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-25 10:16:45 +01:00
Gilles Peskine e5a715e8c0
Merge pull request #6449 from gilles-peskine-arm/bignum-core-shift_r 
Bignum core: shift_r
 2022-10-25 10:40:39 +02:00
Xiaokang Qian 72de95dcf5 Move function mbedtls_ssl_tls13_conf_early_data to ssl_tls.c 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-25 05:34:25 +00:00
Xiaokang Qian 600804b0e7 Remove useless early data related macros for the time being 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-25 03:00:18 +00:00
Xiaokang Qian 54413b10c2 Add early data support preparatory work 
Add MBEDTLS_SSL_EARLY_DATA configuration option
Define early_data_enabled field in mbedtls_ssl_config
Add function mbedtls_ssl_conf_early_data

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-25 03:00:18 +00:00
Andrzej Kurek 409248a73a mbedtls_ssl_get_handshake_transcript is unusable without hashes 
Mark unused variables when compiling without
SHA256 and SHA384. In future a proper dependency
will be added to TLS 1.2 to enforce either of these hashes
to be on.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-24 15:56:10 -04:00
Andrzej Kurek 57d1063db9 Fix tls_prf generic dependencies 
One version was already surrounded by the USE_PSA define,
so the VIA_XX_OR_XX macros were removed;
Second version is when USE_PSA is undefined, so MBEDTLS_
macros can be used. 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-24 15:56:10 -04:00
Andrzej Kurek 468c50656e Fix key exchange dependencies for ssl_parse_server_ecdh_params 
Resulting from particular configs in which this code is used.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-24 15:55:18 -04:00
Ronald Cron 083da8eb53 tls13: client: Improve coding style 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron a2900bcd1e tls13: keys: Simplify code guard 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron 766c0cdb1f tls13: Add missing kex guards 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron 82be0d4b4d tls13: Do not use MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron de08cf3543 tls13: Do not use MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron 73fe8df922 Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED 
Introduce and use
MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED to
guard TLS code (both 1.2 and 1.3) specific
to handshakes involving PSKs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron e68ab4f55e Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED 
Introduce and use
MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED to
guard TLS code (both TLS 1.2 and 1.3) specific
to handshakes involving certificates.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron 41a443a68d tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED 
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard
code specific to one of the TLS 1.3 key exchange mode with
PSK.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Ronald Cron 928cbd34e7 tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED to guard
code specific to the TLS 1.3 ephemeral key exchange mode.

Use it also for the dependencies of TLS 1.3 only tests
relying on ephemeral key exchange mode, but for
tests in tls13-kex-modes.sh where the change is done
later using all
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_.*ENABLED macros.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-22 14:42:04 +02:00
Gilles Peskine abc6fbb8d7 Fix brief description 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-21 18:36:31 +02:00
Ronald Cron d29e13eb1b tls: Use the same function in TLS 1.2 and 1.3 to check PSK conf 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron 2a87e9bf83 tls: Align set and usage check for PSK 
Check that the identity length is not
zero in ssl_conf_set_psk_identity()
as it is done in
mbedtls_ssl_conf_has_static_psk().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron fa1e04a7c4 tls13: keys: Fix PSK build only case 
When deriving the handshake stage master
secret, in the case of a PSK only build,
the only possible key exchange mode is PSK
and there is no ephemeral key exchange
shared secret in that case. Thus do not
error out in that case in the first
phae of the derivation dedicated to the
shared secret.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron 9a6a49c7cb tls13: keys: Fail if the group type is not ECDHE or DHE 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron b15d4d8966 tls13: keys: Fix error code 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron 3b056202d3 tls13: keys: Do not use handshake->premaster 
`handshake->premaster` was used to store the
(EC)DHE shared secret but in TLS 1.3 there is
no need to store it in a context.

Futhermore, `handshake->premaster` and more
specifically its sizing is TLS 1.2 specific
thus better to not use it in TLS 1.3.

Allocate a buffer to store the shared secret
instead. Allocation instead of a stack buffer
as the maintenance of the size of such buffer
is harder (new elliptic curve for ECDHE,
support for FFDHE ... ).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron 4c7edb2b9b tls13: keys: Fix indentation 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Ronald Cron 831fee68c3 tls13: keys: Avoid input buffer copy 
In mbedtls_ssl_tls13_evolve_secret() avoid
to copy the input buffer into a local buffer
as the copy is avoidable.

This also fixes a potential overflow as the
size of the local buffer was not checked when
copying into it.

With the current calls to mbedtls_ssl_tls13_evolve_secret()
no buffer overflow was expected to happen though.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-10-21 14:34:20 +02:00
Manuel Pégourié-Gonnard 45c6792faf
Merge pull request #6385 from AndrzejKurek/depends-py-reloaded 
Unified tests/scripts/depends.py - reloaded
 2022-10-21 10:17:58 +02:00
Gilles Peskine c279b2fa4a Move mbedtls_mpi_core_shift_r to the proper source file 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-20 11:40:15 +02:00
Gilles Peskine 6641420951 Bignum core: Break shift_r function out of the classic shift_r 
This commit contains the function prototype for mbedtls_mpi_core_shift_r,
and the implementation minimally modified from mbedtls_mpi_shift_r.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-20 11:40:15 +02:00
Gilles Peskine 4281ae0bd2
Merge pull request #6373 from gilles-peskine-arm/bignum-core-conventions 
Spell out bignum core conventions
 2022-10-19 15:53:33 +02:00
Gilles Peskine db2996357c
Merge pull request #6289 from gabor-mezei-arm/6237_Add_conditional_assign_and_swap_for_bignum 
Bignum: Add safe conditional assign and swap for the new MPI types
 2022-10-19 15:51:19 +02:00
Andrzej Kurek 9387b7b34e Add a temporary solution to create a seedfile 
This caused problems if a config with SHA512 was
compiled after a config without it and the seedfile
did not contain enough data.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:09 -04:00
Andrzej Kurek c610e7402e Formatting & unnecessary (void) fixes 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:09 -04:00
Andrzej Kurek ecb630925f Fix constant name in ssl_tls13_keys 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:09 -04:00
Andrzej Kurek e5a5cc1944 Remove the dependency of tls1_3 key evolution tests on curve25519 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:09 -04:00
Andrzej Kurek eabeb30c65 Fix SHA512 vs SHA384 dependencies 
When building SHA512 without SHA384,
there are some code paths that resulted
in unused variables or usage of undefined code.
This commit fixes that.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:09 -04:00
Andrzej Kurek c19fb08dd3 Add missing ECDH dependency in tls 1.3 client 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 68327748d3 Add missing dependencies 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 46a987367c Formatting fix 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 084334c8f2 Compile constant time masking and hmac if there are suites using MAC 
This is used in TLS 1.2 authentication with NULL cipher,
when there are no TLS_CBC suites.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 2d59dbc032 Use TLS prf only if TLS 1.2 is compiled in 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 894edde991 Add tls prf handling when there's no SHA256 or SHA384 
Return a null prf function pointer and check for it when populating transform.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
Andrzej Kurek 252283f2aa Fix missing cipher mode dependencies 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-10-19 08:35:08 -04:00
David Horstmann 078250eb56 Fix incorrect return style 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-18 18:11:13 +01:00
David Horstmann 178ec96c89 Remove unnecessary NULL assignments 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-18 18:09:30 +01:00
David Horstmann 11307a1933 Clarify wording on allocation 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-17 18:10:23 +01:00
Aditya Deshpande cfb441d5ee Fix spacing and formatting 
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
 2022-10-17 15:17:30 +01:00
Gilles Peskine 8874cd570e
Merge pull request #4826 from RcColes/development 
Add LMS implementation
 2022-10-14 18:33:01 +02:00
Aditya Deshpande 40c05cc8e4 Newlines at end of file + trim trailing whitespace 
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
 2022-10-14 16:46:51 +01:00
Aditya Deshpande 17845b8f71 Add driver wrapper function for raw key agreement, along with test call for transparent drivers. 
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
 2022-10-14 16:46:00 +01:00
Gilles Peskine dcd1717f5f Forbid aliasing outputs 
Aliasing between two outputs is hardly ever useful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-14 17:15:21 +02:00
Gabor Mezei 4086de667d
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-10-14 16:29:42 +02:00
Manuel Pégourié-Gonnard b3c30907d6
Merge pull request #6383 from mprse/aead_driver_test 
Enable testing of AEAD drivers with libtestdriver1
 2022-10-14 11:11:01 +02:00
Raef Coles 1951259a10
Update how lms.c imports platform.h 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 16:47:13 +01:00
Ronald Cron 49e4184812
Merge pull request #6299 from xkqian/tls13_add_servername_check 
Add server name check when proposing pre-share key
 2022-10-13 16:00:59 +02:00
Raef Coles cbd02adc6e
Simplify LMS context freeing 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:30:32 +01:00
Raef Coles 45c4ff93c9
Fix windows requiring explicit cast in LMS calloc 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:30:14 +01:00
Raef Coles 142e577c34
Add extra zeroization to LMS and LMOTS 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:30:03 +01:00
Raef Coles 9fc303a99a
Add extra LMOTS import negative tests 
And fix failures that are related to the new tests

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:30:01 +01:00
Raef Coles 4829459c90
Validate LMOTS sig length before parsing type 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:47 +01:00
Raef Coles 285d44b180
Capitalize "Merkle" in LMS and LMOTS code 
As it is a proper noun

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:43 +01:00
Raef Coles faf59babe8
Make LMS verification return VERIFY_FAILED more 
To align with PSA error code rules on when VERIFY_FAILED is returned vs
INVALID_ARGUMENT

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:42 +01:00
Raef Coles fbd60ec775
Change LMS and LMOTS init functions to use memset 
Instead of zeroize

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:40 +01:00
Raef Coles 9b0daf60fb
Improve LMS private function warning 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:38 +01:00
Raef Coles f6cb5a4826
Fix LMS return statements having incorrect style 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:35 +01:00
Raef Coles 75b4c7790e
Fix LMS internal function documentation 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:34 +01:00
Raef Coles d48f7e90bb
Allocate LMS C_RANDOM_VALUE as hash size 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:32 +01:00
Raef Coles 1fb2f32ef5
Check LMS offsets are sane at runtime 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:31 +01:00
Raef Coles e34e3c0e59
Remove unneeded cast in LMS calloc 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:30 +01:00
Raef Coles 370cc43630
Make LMS public key export part of public key api 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:28 +01:00
Raef Coles e89488debf
Fix bug in LMS public key loading 
To avoid using the type before it is parsed from the signature

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:27 +01:00
Raef Coles 3f6cdd7aab
Fix LMS not checking RNG function return value 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:24 +01:00
Raef Coles 02cf8234b4
Fix ots sig length check in LMS validate function 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:22 +01:00
Raef Coles f36874a535
Fix error type of lms_import_public_key 
Was returning an incorrect error when bad public key sizes were input

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:21 +01:00
Raef Coles dc8fb79e09
Simplify LMS private key generation error handling 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:20 +01:00
Raef Coles be3bdd8240
Rename LMS and LMOTS init/free functions 
To match convention

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:18 +01:00
Raef Coles 29117d2e4e
Update LMS PSA error conversion 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:17 +01:00
Raef Coles be0c2f9183
Update LMS local variable allocation 
To use a default failure value, and to avoid a call to
psa_hash_operation_init()

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:15 +01:00
Raef Coles 2ac352a322
Make LMS functions args const where required 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:14 +01:00
Raef Coles 5127e859d7
Update LMS and LMOTS dependency macros 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:11 +01:00
Raef Coles 56fe20a473
Move MBEDTLS_PRIVATE required defines into lms.h 
From lmots.h, as it is a private header

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:10 +01:00
Raef Coles ab300f15e8
Move public header content from lmots.h to lms.h 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:08 +01:00
Raef Coles 0b7da1b787
Fix overflow in LMS context init 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:03 +01:00
Raef Coles 57d5328ad5
Remove MBEDTLS_LM(OT)S prefix from internal macros 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:29:00 +01:00
Raef Coles ad05425ab7
Update naming of internal LMS functions 
To comply with the mbedtls_ requirement

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:59 +01:00
Raef Coles 40158e11fc
Add LMOTS test hook to header 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:58 +01:00
Raef Coles 3982040232
Fix LMS zeroization using wrong sizeof type 
Causing a buffer write out of bounds

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:55 +01:00
Raef Coles 98d6e22050
Remove doxygen markup from internal LMS functions 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:54 +01:00
Raef Coles 40f184c83e
Cast LMS allocation sizes to size_t 
To prevent implict casting errors on 64-bit platforms

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:52 +01:00
Raef Coles 1310ecb389
Update LMOTS function documentation 
To avoid CI failure

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:51 +01:00
Raef Coles 9c9027b1a4
Add extra LMS and LMOTS tests 
NULL-message and LMOTS signature leak tests

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:50 +01:00
Raef Coles fa24f9d6ea
Minor fixes to LMS and LMOTS macros 
Update some names, use the correct macro in certain places.

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:48 +01:00
Raef Coles 0a967ccf9a
Document LMS and LMOTS internal functions 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:47 +01:00
Raef Coles 8738a49d0c
Fix iterator types in LMOTS 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:45 +01:00
Raef Coles e0a17610d1
Fix LMS/LMOTS if-statement style 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:41 +01:00
Raef Coles 9b88ee5d5d
Fix LMS and LMOTS coding style violations 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:40 +01:00
Raef Coles 366d67d9af
Shorted LMS and LMOTS line-lengths 
To attempt to comply with the 80-char suggestion

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:38 +01:00
Raef Coles e9479a0264
Update LMS API to support multiple parameter sets 
Parameterise macros to allow variation of sizes

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:36 +01:00
Raef Coles ab4f87413a
Add MBEDTLS_LMS_PRIVATE define 
To enable private key operations

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:35 +01:00
Raef Coles ebd35b5b80
Rename LMS internal tree-manipulation functions 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:31 +01:00
Raef Coles 891c613f31
Update LMOTS signature use of temporary variables 
Document them properly, and move random value to a temporary variable

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:29 +01:00
Raef Coles 0c88d4e447
Remove superfluous casts in LMS and LMOTS 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:28 +01:00
Raef Coles f5632d3efc
Remove MBEDTLS_PRIVATE usage from LMS and LMOTS 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:27 +01:00
Raef Coles 01c71a17b3
Update LMS and LMOTS api 
Fix function names and parameters. Move macros to be more private.
Update implementation.

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:25 +01:00
Raef Coles c8f9604d7b
Use PSA hashing for LMS and LMOTS 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:23 +01:00
Raef Coles 7dce69a27a
Make LMOTS a private api 
Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:22 +01:00
Raef Coles 8ff6df538c
Add LMS implementation 
Also an LM-OTS implementation as one is required for LMS.

Signed-off-by: Raef Coles <raef.coles@arm.com>
 2022-10-13 14:28:15 +01:00
Manuel Pégourié-Gonnard 02f82bbfa9 Fix MSVC warning 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-10-13 13:32:02 +02:00
Manuel Pégourié-Gonnard f155ab9a91 Abort on errors when we should 
We're not strictly required to abort, but at least to leave the context
is an invalid state. For "late" functions like input() and output(),
calling abort() is the easiest way to do that. Do it systematically for
input() and output() by using a wrapper. psa_pake_get_implicit_key() was
already doing it. For "early" function, we can just leave the operation
in its current state which is already invalid.

Restore previous tests about that. Not adding systematic tests, though,
just test the two functions that are the most important, and more likely
to return errors.

Since we now abort in more cases, we need to make sure we don't
invalidate the operation that's going to be re-used later in the test.
For that reason, use a copy of the operation for calls to input() and
output() that are expected to return errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-10-13 13:20:31 +02:00
Gilles Peskine 0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2 
Include platform.h unconditionally
 2022-10-13 10:19:22 +02:00
Xiaokang Qian 28af501cae Fix the ticket_lifetime equal to 0 issue 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-13 08:18:19 +00:00
Xiaokang Qian 126bf8e4d7 Address some comments 
Delete reference immediately after shallow copy
Fix format issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-13 02:57:15 +00:00
Xiaokang Qian 997669aeeb Fix heap use-after-free corruption issue 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 14:30:27 +00:00
Xiaokang Qian 307a7303fd Rebase and replace session_negotiate 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:14:32 +00:00
Xiaokang Qian baa4764d77 Fix typo issues 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian 8730644da1 Move ticket and hostname set code just after shallow-copy 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian ed3afcd6c3 Fix various typo and macro guards issues 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian ed0620cb13 Refine code base on comments 
Move code to proper macro guards protection
Fix typo issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian 03409290d2 Add MBEDTLS_SSL_SESSION_TICKETS guard to server name check 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian d7adc374d3 Refine the server name compare logic 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian a3b451f950 Adress kinds of comments base on review 
Rename function name to mbedtls_ssl_session_set_hostname
Add two extra check cases for server name
Fix some coding styles

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:51 +00:00
Xiaokang Qian 2f9efd3038 Address comments base on review 
Change function name to ssl_session_set_hostname()
Remove hostname_len
Change hostname to c_string
Update test cases to multi session tickets

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:49 +00:00
Xiaokang Qian bc663a0461 Refine code based on commnets 
Change code layout
Change hostname_len type to size_t
Fix various issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:06:01 +00:00
Xiaokang Qian adf84a4a8c Remove public api mbedtls_ssl_reset_hostname() 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:05:11 +00:00
Xiaokang Qian be98f96de2 Remove useless hostname check in server side 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:03:44 +00:00
Xiaokang Qian 6af2a6da74 Fix session save-load overflow issue 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:03:44 +00:00
Xiaokang Qian ecd7528c7f Address some comments 
Hostname_len has at least one byte
Change structure serialized_session_tls13
Fix various issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:03:44 +00:00
Xiaokang Qian 281fd1bdd8 Add server name check when proposeing pre-share key 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-10-12 11:03:41 +00:00
Gilles Peskine 8fd3254cfc
Merge pull request #6374 from mprse/enc_types 
Test TLS 1.2 builds with each encryption type
 2022-10-12 12:45:50 +02:00
Jerry Yu c79742303d Remove unnecessary empty line and fix format issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-11 21:22:33 +08:00
Jerry Yu 22c18c1432 Add NULL check in prepare hello 
`session_negotiate` is used directly in `ssl_prepare_client_hello`
without NULL check. Add the check in the beggining to avoid segment
fault.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-11 18:07:19 +08:00
Jerry Yu c2bfaf00d9 fix wrong typo 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-11 18:07:19 +08:00
Jerry Yu 4f77ecf409 disable session resumption when ticket expired 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-10 22:10:08 +08:00
Jerry Yu 03aa174d7c Improve test message and title 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-10 21:48:37 +08:00
Jerry Yu 6916e70521 fix various issues 
- adjust guards. Remove duplicate guards and adjust format.
- Return success at function end. Not `ret`
- change input len

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-10 21:33:51 +08:00
Jerry Yu 21092062f3 Restrict cipher suite validation to TLS1.3 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-10 21:21:31 +08:00
Gabor Mezei d7edb1d225
Initialize variable 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-10-10 14:32:09 +02:00
Gabor Mezei e9c013c222
Handle if parameters are alised 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-10-10 14:26:57 +02:00
Przemek Stekiel 88ade84735 psa_aead_setup: remove redundant tag length check 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-10-08 17:56:18 +02:00
Przemek Stekiel 6ab50762e0 psa_aead_setup: validate tag length before calling driver setup 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-10-08 17:54:30 +02:00
Jerry Yu a99cbfa2d3 fix various issues 
- rename function and variable
- change signature of `ssl_tls13_has_configured_psk`
- remove unnecessary statements
- remove unnecessary local variables
- wrong variable initial value
- improve output message

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-08 14:35:47 +08:00
Jerry Yu 40afab61a8 Add ciphersuite check in set_session 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-08 14:35:43 +08:00
Jerry Yu 21f9095fa8 Revert "move ciphersuite validation to set_session" 
This reverts commit 19ae6f62c7.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-08 14:35:34 +08:00
Jerry Yu 379b91a393 add ticket age check 
Remove ticket if it is expired.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-08 10:21:15 +08:00
David Horstmann 91e20a0580 Refactor macro-spanning ifs in ecdh.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann fc735dffd6 Refactor macro-spanning ifs in ecp.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 8a7629fd0f Refactor macro-spanning if in asn1write.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 2788f6b668 Refactor macro-spanning if in sha512.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 687262ca7d Refactor macro-spanning if in sha256.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 21b89761f8 Refactor macro-spanning if in ssl_tls13_server.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 10be134d8e Refactor macro-spanning if in ssl_msg.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann 4a28563e84 Refactor macro-spanning ifs in ssl_client.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:42 +01:00
David Horstmann e0af39a2ef Refactor macro-spanning ifs in ssl_tls12_server.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-07 14:08:36 +01:00
Przemek Stekiel 86679c7bd8 psa_validate_tag_length(): use PSA_WANT_ALG_xxx instead MBEDTLS_PSA_BUILTIN_ALG_xxx guards 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-10-07 08:24:19 +02:00
Jerry Yu 4a698341c9 Re-org selected_identity parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 6183cc7470 Re-org binders writer 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu f75364bee1 Re-organize identities writer 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 8b41e893a2 fix various issues 
- Re-order code and comments
  - move comment above `write_identities`
  - move `write_binder` above `write_identities`.
- Add has_{psk,identity} into {ticket,psk}_get_{psk,identity}
- rename `*_session_tickets_*` to `_ticket_`

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 19ae6f62c7 move ciphersuite validation to set_session 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 25ab654781 Add dummy ticket support 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu b300e3c5be add selected_identity parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 1a0a0f4416 Add binders writer 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu f7c125917c Add identites writer 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 0c6105bc9e empty pre_shared_key functions 
To easy review

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
Jerry Yu 8897c07075 Add server only guards for psk callback 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-10-07 10:11:05 +08:00
David Horstmann b21bbef061 Refactor macro-spanning if in ssl_tls12_client.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-06 18:00:51 +01:00
David Horstmann 3b2276a439 Refactor macro-spanning ifs in ssl_tls.c 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-06 17:59:57 +01:00
Przemek Stekiel 8a05a646f4 Remove psa_driver_get_tag_len() and use PSA_ALG_AEAD_GET_TAG_LENGTH macro instead 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-10-06 17:01:58 +02:00
Przemek Stekiel ff1efc9a84 psa_aead_check_nonce_length: Fix unused variable warining 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-10-06 16:53:47 +02:00
David Horstmann 0763ccf04f Refactor ARIA_SELF_TEST_IF_FAIL macro 
Change the ARIA_SELF_TEST_IF_FAIL macro to be more code-style friendly.
Currently it expands to the body of an if statement, which causes
problems for automatic brace-addition for if statements.

Convert the macro to a function-like macro that takes the condition as
an argument and expands to a full if statement inside a do {} while (0)
idiom.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-06 14:32:30 +01:00
Manuel Pégourié-Gonnard 0771d41584 Fix missing length check 
There was a check against the remaining size of the buffer, which used
to be correct, but was broken two commits ago when we started not just
copying the input but also adding to it.

Replace it with a check that the input length is not greater that what's
expected for this step. This guarantees we won't overflow the internal
buffer.

While at it, add an explicit cast to uint8_t when writing the length to
the buffer, so silence an MSVC warning. This cast is safe because we
checked that the length is no larger than 65 or 32 (depending on the
step), so in any case is fits in one byte.

This was found because some lengths had not been adjusted in the test
suite, and instead of failing cleanly, library code performed buffer
overflows. I'll fix the tests in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-10-06 09:30:34 +02:00
Manuel Pégourié-Gonnard 79617d99ae Fix namespacing issue 
This macro is specific to the Mbed TLS implementation and not part of
the public API, so it shouldn't used the PSA_ namespace.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-10-05 12:55:50 +02:00
Manuel Pégourié-Gonnard ec7012dbc7 Fix I/O format of PSA EC J-PAKE for compliance 
The format used by the mbedtls_ecjpake_xxx() APIs and that defined by
the PSA Crypto PAKE extension are quite different; the former is
tailored to the needs of TLS while the later is quite generic and plain.
Previously we only addressed some part of this impedance mismatch: the
different number of I/O rounds, but failed to address the part where the
legacy API adds some extras (length bytes, ECParameters) that shouldn't
be present in the PSA Crypto version. See comments in the code.

Add some length testing as well; would have caught the issue.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-10-05 12:52:48 +02:00
David Horstmann ed79483aca Free structs in mbedtls_x509_get_name() on error 
mbedtls_x509_get_name() allocates a linked list of mbedtls_x509_name
structs but does not free these when there is an error, leaving the
caller to free them itself. Change this to cleanup these objects within
the function in case of an error.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2022-10-05 11:51:16 +01:00
Gilles Peskine 01af3ddc82 Fixed confusion between number size and limb size; define limb 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-04 16:23:29 +02:00
Gilles Peskine 2926484de1 Describe generic conventions for the bignum core module 
This commit codifies some conventions that result from the original design
goals and others that have emerged after starting the implementation.

* Value ranges
* Bignum parameter naming and ordering
* Sizes
* Aliasing and overlap
* Error handling

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-04 14:51:21 +02:00
Gilles Peskine 7aab2fbe41 Add a short description of what each module does 
There was already a short introduction to _who_ should use each module, but
not to _what_ each module does.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-04 14:50:17 +02:00
Gilles Peskine 7f887bdc05 Move license out of Doxygen comment 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-10-04 14:50:17 +02:00
Gabor Mezei dba2677597
Update documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-10-03 17:01:02 +02:00
Glenn Strauss 2ff77119df mbedtls_ecp_point_read_binary from compressed fmt 
mbedtls_ecp_point_read_binary from MBEDTLS_ECP_PF_COMPRESSED format

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-10-03 05:43:27 -04:00
Denis V. Lunev 2df73ae742 mbedtls: fix possible false success in ...check_tags() helpers 
We should report a error when the security check of the security
tag was not made. In the other case false success is possible and
is not observable by the software.

Technically this could lead to a security flaw.

Signed-off-by: Denis V. Lunev <dlunev@gmail.com>
 2022-09-30 17:15:49 +01:00
Gabor Mezei 86dfe384c2
Fix documentation tags to be lower case 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 14:03:04 +02:00
Gabor Mezei e5b8585f1e
Follow parameter naming convention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:54:02 +02:00
Gabor Mezei 1c628d5700
Follow parameter naming comvention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:40 +02:00
Gabor Mezei 3eff425b1a
Use only one limb parameter for assign 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:40 +02:00
Gabor Mezei 81e57021c6
Change the input parameters to be const 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:40 +02:00
Gabor Mezei 2b5bf4cec7
Fix doumentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:40 +02:00
Gabor Mezei f4dd3b6a6d
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:40 +02:00
Gabor Mezei cfc0eb8d22
Remove unused parameter 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:39 +02:00
Gabor Mezei 87638a9ead
Add missing include 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:39 +02:00
Gabor Mezei 63c3282ec4
Remove retrun code from mod_raw_cond_assign/swap 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:39 +02:00
Gabor Mezei 24d183aa00
Use the new swap and assign function in the old interface 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:39 +02:00
Gabor Mezei 9f6615f146
Remove argument checking from constant time functions 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:36:39 +02:00
Gabor Mezei 12071d4403
Add conditional assign and swap function for MPI modulus 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:33:35 +02:00
Gabor Mezei e1d31c4aad
Add conditional swap and assign function for MPI core 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-09-30 13:33:30 +02:00
Gilles Peskine 845de0898e
Merge pull request #6083 from tom-cosgrove-arm/issue-6015-montgomery-multiplication 
Montgomery multiplication from bignum prototype
 2022-09-30 10:35:21 +02:00
Tom Cosgrove 6da3a3b15f Fix doc regarding aliasing of modulus input to mbedtls_mpi_core_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-29 17:20:18 +01:00
Victor Barpp Gomes 47c7a732d2 Print RFC 4108 hwSerialNum in hex format 
Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com>
 2022-09-29 11:34:23 -03:00
Tom Cosgrove 4386ead662 Correct the aliasing requirements in doc for mbedtls_mpi_core_montmul(), and test them 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-29 14:40:21 +01:00
Przemek Stekiel ce5b68c7a3 Revert "Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions" 
This reverts commit a82290b727.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-29 15:29:18 +02:00
Ronald Cron 77c691f099
Merge pull request #6194 from xkqian/tls13_add_psk_client_cases 
TLS 1.3: Add PSK client cases
 2022-09-28 17:08:06 +02:00
Manuel Pégourié-Gonnard e3358e14b2
Merge pull request #6051 from mprse/permissions_2b_v2 
Permissions 2b: TLS 1.3 sigalg selection
 2022-09-28 09:50:04 +02:00
Manuel Pégourié-Gonnard f3f9e450b6
Merge pull request #6115 from AndrzejKurek/ecjpake-kdf-tls-1-2 
Ad-hoc KDF for EC J-PAKE in TLS 1.2
 2022-09-28 09:47:32 +02:00
Xiaokang Qian ca343ae280 Improve message logs and test cases description in psk 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-28 02:07:54 +00:00
Przemek Stekiel 4c49927bad Fix unused variables warnings in default + stream cipher only build 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-27 15:04:14 +02:00
Przemek Stekiel a82290b727 Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions 
Both functions are calling mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions. These functions are guarded with MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C flags - make it consistent.
As a result ssl_server2 won't build now with MBEDTLS_SSL_SESSION_TICKETS enabled (mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions not available).
Mark MBEDTLS_SSL_SESSION_TICKETS as dependent on MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C and disable MBEDTLS_SSL_SESSION_TICKETS in stream cipher only build.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-27 15:04:14 +02:00
Przemek Stekiel 89ad62352d Fix guards for mbedtls_ct_size_mask() and mbedtls_ct_memcpy_if_eq() 
Both functions are used when MBEDTLS_SSL_SOME_SUITES_USE_MAC is defined not MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-27 15:04:14 +02:00
Ronald Cron c27a9074c4 tls13: server: Add comment when trying another sig alg 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-09-27 10:07:55 +02:00
Xiaokang Qian cb6e96305f Change kex mode string name 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-27 08:02:41 +00:00
Ronald Cron b72dac4ed7 Fix PSA identifier of RSA_PKCS1V15 signing algorithms 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-09-27 09:25:47 +02:00
Andrzej Kurek b510cd2c50 Fix a copy-paste error - wrong macro used 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-26 10:50:22 -04:00
Andrzej Kurek 5603efd525 Improve readability and formatting 
Also use a sizeof instead of a constant for zeroization, as
requested in review.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-26 10:49:16 -04:00
Nick Child 5f9456f3e3 pkcs7: Fix trailing whitespace 
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-26 09:18:12 -05:00
Xiaokang Qian 5beec4b339 Refine ssl_get_kex_mode_str() for easy automatic generation 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-26 08:23:45 +00:00
Xiaokang Qian ac8195f4f7 Fix wrongly kex mode fallback issue in psk cases 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-26 06:31:58 +00:00
Gilles Peskine 5596c74a98
Merge pull request #6140 from Zaya-dyno/validation_remove_change_auth_enc 
Validation remove change auth enc
 2022-09-23 17:04:31 +02:00
Gilles Peskine 12a1e85caa
Merge pull request #6138 from Zaya-dyno/validation_remove_change_key_agree 
Validation remove change key agree
 2022-09-23 17:04:20 +02:00
Gilles Peskine 87953f228f
Merge pull request #6091 from Zaya-dyno/validation_remove_change_pk 
Validation remove change pk
 2022-09-23 17:03:30 +02:00
Paul Elliott 2c282c9bd0
Merge pull request #6180 from yuhaoth/pr/add-tls13-multiple-session-tickets 
TLS 1.3: NewSessionTicket: Add support for sending multiple tickets per session.
 2022-09-23 15:48:33 +01:00
Xiaokang Qian 8939930b82 Rebase and fix some test failures 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-23 01:49:33 +00:00
Xiaokang Qian 5001bfc619 Add key exchange mode log in client side 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-09-23 01:49:33 +00:00
XiaokangQian 335cfaadf9 Finalize client side code for psk 
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-09-23 01:48:26 +00:00
Jerry Yu 359e65f784 limit session ticket number when resumption 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-22 23:47:43 +08:00
Jerry Yu f3bdf9dd51 fix various issues 
- improve document about configuration item.
- format issue
- variable type issue.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-22 23:47:14 +08:00
Tom Cosgrove 87d9c6c4d8 Ensure client mbedtls_ssl_handshake_step() returns success for HELLO_REQUEST 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-22 09:27:56 +01:00
Gilles Peskine 07ba2be20b
Merge pull request #6304 from yuhaoth/pr/exclude-pre_shared_key-from-hrr-msg 
TLS 1.3: PSK: Exclude pre_shared_key for HRR
 2022-09-22 10:21:06 +02:00
Manuel Pégourié-Gonnard 1475ac49a4
Merge pull request #6107 from Zaya-dyno/validation_remove_change_hash 
Validation remove change hash
 2022-09-22 09:24:44 +02:00
Manuel Pégourié-Gonnard d5c82fb821
Merge pull request #6085 from Zaya-dyno/validation_remove_change_cipher 
Validation remove and change in files related to cipher in library
 2022-09-22 09:10:13 +02:00
Jerry Yu b7e3fa7fbd move count decrement after success sent 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-22 13:21:29 +08:00
Jerry Yu d0766eca58 fix various issues 
- Improve comments
- Align count variable name to `new_session_tickets_count`
- move tickets_count init to handshake init

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-22 13:21:29 +08:00
Tom Cosgrove 2fdc7b3599 Return an error from mbedtls_ssl_handshake_step() if neither client nor server 
This prevents an infinite loop in mbedtls_ssl_handshake(). Fixes #6305.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-21 12:33:17 +01:00
Tom Cosgrove c573882674 Merge remote-tracking branch 'upstream/development' into issue-6015-montgomery-multiplication 2022-09-21 12:08:43 +01:00
Manuel Pégourié-Gonnard d433cd7d07
Merge pull request #6283 from mpg/driver-only-hashes-wrap-up 
Driver only hashes wrap-up
 2022-09-21 08:29:46 +02:00
Tom Cosgrove 4782823ec3 Ensure we explicitly document the modulus for fixed-width arithmetic 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-20 13:51:50 +01:00
Tom Cosgrove b0b77e1b13 Document and test aliasing of the bignums given to mbedtls_mpi_core_mla() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-20 13:33:40 +01:00
Ronald Cron 067a1e735e tls13: Try reasonable sig alg for CertificateVerify signature 
Instead of fully validating beforehand
signature algorithms with regards to the
private key, do minimum validation and then
just try to compute the signature. If it
fails try another reasonable algorithm if any.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-09-20 14:30:13 +02:00
Ronald Cron 38391bf9b6 tls13: Do not impose minimum hash size for RSA PSS signatures 
When providing proof of possession of
an RSA private key, allow the usage for RSA
PSS signatures of a hash with a security
level lower that the security level of the
RSA private key.

We did not allow this in the first place to
align with the ECDSA case. But as it is not
mandated by the TLS 1.3 specification (in
contrary to ECDSA), let's allow it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-09-20 14:29:41 +02:00
Ronald Cron 67ea2543ed tls13: server: Add sig alg checks when selecting best certificate 
When selecting the server certificate based on
the signature algorithms supported by the client,
check the signature algorithms as close as possible
to the way they are checked to compute the
signature for the server to prove it possesses
the private key associated to the certificate.

That way we minimize the odds of selecting a
certificate for which the server will not be
able to compute the signature to prove it
possesses the private key associated to the
certificate.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-09-20 14:26:32 +02:00
Tom Cosgrove ea45c1d2d4 Document and test aliasing of output for mbedtls_mpi_core_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-20 13:17:51 +01:00
Jerry Yu d4e7500a07 Enable multi session tickets on Server 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-19 14:24:03 +08:00
Jerry Yu 1ad7ace6b7 Add conf new session tickets 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-19 14:22:21 +08:00
Ronald Cron be0224aef3
Merge pull request #6167 from yuhaoth/pr/finalize-tls13-session-tickets 2022-09-18 21:18:13 +02:00
Andrzej Kurek 7763829c5c Add missing ifdef when calculating operation capacity 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-16 12:24:52 -04:00
Andrzej Kurek 3c4c514302 Remove PSA_ALG_IS_TLS12_ECJPAKE_TO_PMS 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-16 07:24:14 -04:00
Andrzej Kurek b093650033 Add proper capacity calculation for EC J-PAKE to PMS KDF 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-16 07:13:00 -04:00
Andrzej Kurek 702776f7cc Restrict the EC J-PAKE to PMS input type to secret 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-16 06:22:44 -04:00
Jerry Yu ad4d2bb3e1 Exclude pre_shared_key for HRR 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-16 18:16:49 +08:00
Manuel Pégourié-Gonnard 07018f97d2 Make legacy_or_psa.h public. 
As a public header, it should no longer include common.h, just use
build_info.h which is what we actually need anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-09-16 12:02:48 +02:00
Jerry Yu 6ee726e1ab Replace md translation function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-16 16:32:27 +08:00
Jerry Yu a5df584d87 fix build fail for test_psa_crypto_config_accel_hash_use_psa 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-16 11:28:54 +08:00
Gilles Peskine ed1c7f4cd7 Include platform.h unconditionally: gcm 
gcm.c had a slightly different pattern for the conditional inclusion of
platform.h which didn't fit the general replacement. Simplify it manually.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-09-15 20:34:50 +02:00
Gilles Peskine e9b55929dc Remove useless platform macro redefinitions: automatic part 
Some source files had code to set mbedtls_xxx aliases when
MBEDTLS_PLATFORM_C is not defined. These aliases are defined unconditionally
by mbedtls/platform.h, so these macro definitions were redundant. Remove
them.

This commit used the following code:
```
perl -i -0777 -pe 's~#if !defined\(MBEDTLS_PLATFORM_C\)\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*#endif.*\n~~mg' $(git grep -l -F '#if !defined(MBEDTLS_PLATFORM_C)')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-09-15 20:34:15 +02:00
Gilles Peskine a7aa80c058 Include platform.h unconditionally: second automatic part 
Some source files included platform.h in a nested conditional. The previous
commit "Include platform.h unconditionally: automatic part" only removed
the outer conditional. This commit removes the inner conditional.

This commit once again replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-09-15 20:34:10 +02:00
Gilles Peskine 945b23c46f Include platform.h unconditionally: automatic part 
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.

There should be no change in behavior since just including the header should
not change the behavior of a program.

This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-09-15 20:33:07 +02:00
Tom Cosgrove 3bd7bc3add Use X rather than A for accumulator-style input (and output!) params, and rename others accordingly 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-15 15:55:07 +01:00
Tom Cosgrove 5c0e8104bc Prefer 'fixed-size' to 'known-size' in doc comments 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-15 15:46:10 +01:00
Tom Cosgrove b7438d1f62 Update name of mbedtls_mpi_montg_init() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-15 15:05:59 +01:00
Tom Cosgrove 2701deaa4b Use mbedtls_ct_mpi_uint_mask() rather than rolling our own 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-15 15:00:07 +01:00
Tom Cosgrove 818d992cc7 Note that T must not overlap other parameters of mbedtls_mpi_core_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-15 14:58:10 +01:00
Przemek Stekiel dca224628b ssl_tls13_select_sig_alg_to_psa_alg: optimize code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-15 14:16:11 +02:00
Przemek Stekiel f937e669bd Guard new code with MBEDTLS_USE_PSA_CRYPTO 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-15 14:16:11 +02:00
Przemek Stekiel 3c326f9697 Add function to convert sig_alg to psa alg and use it 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-15 14:16:11 +02:00
Przemek Stekiel b40f2e81ec TLS 1.3: Take into account key policy while picking a signature algorithm 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-15 14:10:19 +02:00
Manuel Pégourié-Gonnard c42c7e660e Update documentation in legacy_or_psa.h 
- Some things that were indicated as in the near future are now done.
- Clarify when these macros are needed and when they're not.
- Prepare to make the header public.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-09-15 11:28:24 +02:00
Manuel Pégourié-Gonnard 1dc37258de Style: wrap a long line 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-09-15 11:10:26 +02:00
Manuel Pégourié-Gonnard 409a620dea
Merge pull request #6255 from mprse/md_tls13 
Driver-only hashes: TLS 1.3
 2022-09-15 10:37:46 +02:00
Jerry Yu 0a55cc647c Remove unnecessary var and improve comment 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-15 16:15:06 +08:00
Manuel Pégourié-Gonnard 18dff1f226
Merge pull request #5871 from superna9999/4153-psa-expose-ec-j-pake 
Expose ECJPAKE through the PSA Crypto API
 2022-09-15 09:25:55 +02:00
Nick Child 8ce1b1afc8 pkcs7: Correct various syntatical mistakes 
Resond to feedback from the following comments:
 - use correct spacing [1-7]
 - remove unnecessary parenthesis [8]
 - fixup comments [9-11]
 - remove unnecessary init work [12]
 - use var instead of type for sizeof [13]
[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953655691
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953661514
[3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953689929
[4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953696384
[5] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697558
[6] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697793
[7] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697951
[8] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953699102
[9] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r971223775
[10] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967133905
[11] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967135932
[12] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967151430
[13] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967154159
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-14 15:13:52 -05:00
Nick Child 34d5e931cf pkcs7: Use better return code for unimplemented specifications 
In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the
pkcs7 implemntation being incomplete.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-14 14:44:03 -05:00
Nick Child 7089ce8381 pkcs7: Handle md errors in multisigner pkcs7 verification 
In resonse to feedback [1], if `mbedtls_md_info_from_type` were to
fail then skip the signer and try the next one.

Additionally, use a for loop instead of a while loop when iterating
over signers because it simplifies the use of `continue`.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967198650
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-14 14:18:00 -05:00
Andrzej Kurek d60907b85d Define ECJPAKE_TO_PMS in config_psa only if SHA_256 is available 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-14 14:57:51 -04:00
Jerry Yu f7dad3cfbe fix various issues 
- Naming
- format
- Reduce negative tolerance window

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-14 22:31:39 +08:00
Andrzej Kurek 08d34b8693 Add an EC J-PAKE KDF to transform K -> SHA256(K.X) for TLS 1.2 
TLS uses it to derive the session secret. The algorithm takes a serialized
point in an uncompressed form, extracts the X coordinate and computes
SHA256 of it. It is only expected to work with P-256.
Fixes #5978.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-14 08:39:26 -04:00
Ronald Cron 208257b39f
Merge pull request #6259 from yuhaoth/pr/add-psk_ephemeral-possible-group-tests 
TLS 1.3: PSK: Add possible group tests for psk with ECDHE
 2022-09-14 14:21:46 +02:00
Przemyslaw Stekiel ab9b9d4669 ssl_tls13_keys.h: use PSA max hash size 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-14 13:51:07 +02:00
Przemyslaw Stekiel da6452578f ssl_tls13_generic.c: fix hash buffer sizes (use PSA_HASH_MAX_SIZE) 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-14 12:50:51 +02:00
Neil Armstrong 6a12a7704d Fix typo in comment 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-14 12:17:42 +02:00
Przemyslaw Stekiel 004c2181f0 ssl_misc.h: hash guards adaptations 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-14 11:00:57 +02:00
Jerry Yu acff823846 Add negative tolerance window 
If `now == session->start` or the timer of
client is faster than server, client age might
be bigger than server.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-14 14:50:44 +08:00
Jerry Yu 95db17ed5f fix various issues 
- improve obfuscated ticket age generator
- improve psk getter

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-14 10:37:58 +08:00
Przemek Stekiel 0852ef8b96 mbedtls_ssl_reset_transcript_for_hrr: remove redundant 'else' statement 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-13 18:08:54 +02:00
Przemek Stekiel 9dfbf3a006 ssl_tls13_generic.c: optimize code to save memory 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-13 18:08:54 +02:00
Przemek Stekiel 153b442cc3 mbedtls_ssl_tls13_sig_alg_is_supported: adapt guards 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-13 18:08:54 +02:00
Przemek Stekiel 47e3cb1875 ssl_tls13_generic.c: adapt guards for MBEDTLS_SHAxxx_C 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-13 18:08:54 +02:00
Neil Armstrong fa84962296 Add comment explaining PSA PAKE vs Mbedtls J-PAKE API matching strategy 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-13 15:19:56 +02:00
Neil Armstrong 3d4966a5cb Move possible input/output steps check inside PSA_ALG_JPAKE handling 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-13 15:19:56 +02:00
Neil Armstrong 017db4cdda Drop calls to mbedtls_ecjpake_check() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-13 15:19:56 +02:00
Neil Armstrong 1d0294f6ed Clarify sequence length calculation comment 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-13 15:19:56 +02:00
Neil Armstrong cb679f23bc Replace 0s with proper defines when possible 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-13 14:43:07 +02:00
Przemek Stekiel 5166954d14 Make more use of MBEDTLS_MAX_HASH_SIZE macro 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-13 12:57:05 +02:00
Jerry Yu 4746b10c2e fix various issues 
- Format issues
- Possible memory leak
- Improve naming and comment issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-13 15:37:46 +08:00
Jerry Yu 8d4bbbae4f fix ticket age check issues 
- Ticket age and ticket age add, obfuscated age
  use different unit. Align the units to million
  seconds.
- Add maximum ticket age check. Until now,
  ticket_lifetime is not recorded in server side.
  Check it with maximum ticket_lifetime.
- Free session when error found.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-13 15:37:46 +08:00
Jerry Yu 46bffe0e82 Refine rsumption master secret compute function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-13 15:09:49 +08:00
Jerry Yu 466dda8553 Rename resumption master secret compute function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-13 14:28:15 +08:00
Nick Child 9f4fb3e63f pkcs7: Unite function return style 
In response to feedback[1], standardize return variable
management across all pkcs7 functions.

Additionally, when adding return codes from two error values,
use `MBEDTLS_ERROR_ADD` as recommended [2].

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953634781
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953635128

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-12 16:32:36 -05:00
Neil Armstrong ecb221b1ff Move operation buffer in operation struct and remove dynamic allocation 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-08 11:21:07 +02:00
Hannes Tschofenig fd6cca4448 CID update to RFC 9146 
The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content.

Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
 2022-09-07 17:15:05 +02:00
Przemek Stekiel 40afdd2791 Make use of MBEDTLS_MAX_HASH_SIZE macro 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-06 14:18:45 +02:00
Przemek Stekiel c3f2767c25 hash_info.h: add MBEDTLS_MAX_HASH_SIZE macro 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-09-06 14:18:39 +02:00
Neil Armstrong 9720b881f5 Remove doxygen markup outside doxygen block in psa_pake_sequence comment 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-06 11:39:21 +02:00
Neil Armstrong b39833cff2 Fix typo in psa_pake_sequence comment 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-06 11:36:02 +02:00
Jerry Yu 58af2335d9 Add possible group tests for psk with ECDHE 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-06 14:49:39 +08:00
Jerry Yu fd310ebf2d fix coding style issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-09-06 09:16:35 +08:00
Neil Armstrong bcd5bd933e Add a comment expliciting usage of internal PAKE step/state/sequence enums 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-05 18:34:12 +02:00
Neil Armstrong 5bbdb70131 Fix style in psa_pake_input() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-09-05 17:54:15 +02:00
Tom Cosgrove 67c9247ed9 Move the T++ in mbedtls_mpi_core_montmul() to within the loop body 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-09-02 13:28:59 +01:00
Andrzej Kurek 216baca131 pkcs5: improve error handling 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:15:34 -04:00
Andrzej Kurek e3d544c58f Minor PKCS5 improvements 
Add consts, more elegant size calculation and 
variable initialization.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:07:15 -04:00
Andrzej Kurek 3d0dfb99c9 Change the pkcs5_pbkdf2_hmac deprecation approach 
The shared part has now been extracted and will
be used regardless of the deprecation define.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:07:15 -04:00
Andrzej Kurek f000471c66 Add missing MD dependency for pkcs5_pbkdf2_hmac 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:07:15 -04:00
Andrzej Kurek ed98e95c81 Adjust pkcs5 test dependencies 
Hashing via PSA is now supported 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:03:25 -04:00
Andrzej Kurek 890e78ae66 Deprecate mbedtls_pkcs5_pbkdf2_hmac 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:03:25 -04:00
Andrzej Kurek dd36c76f09 Provide a version of pkcs5_pbkdf2_hmac without MD usage 
Use the new implementation locally
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-02 04:03:25 -04:00
Manuel Pégourié-Gonnard 97fc247d6a
Merge pull request #6232 from AndrzejKurek/pkcs12-no-md 
Remove MD dependency from pkcs12 module
 2022-09-02 09:43:13 +02:00
Nick Child 62b2d7e7d4 pkcs7: Support verification of hash with multiple signers 
Make `mbedtls_pkcs7_signed_hash_verify` loop over all signatures in the
PKCS7 structure and return success if any of them verify successfully.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Daniel Axtens 3538479faa pkcs7: support multiple signers 
Rather than only parsing/verifying one SignerInfo in the SignerInfos
field of the PKCS7 stucture, allow the ability to parse and verify more
than one signature. Verification will return success if any of the signatures
produce a match.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Nick Child 5d881c36ea pkcs7: Change copyright 
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Nick Child 6427b34dec pkcs7.c: Use pkcs7_get_version for signerInfo 
The function pkcs7_get_version can be used again
when parsing the version of the signerInfo. Both
require that the version be equal to 1. The
pkcs7_get_version function will return error
if the found value is not the expected version
as opposed to mbedtls_asn1_get_int which does not.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Nick Child 6671841d91 pkcs7.c: Do not ignore return value of mbedlts_md 
CI was failing due to the return value of mbedtls_md being ignored.
If this function does fail, return early and propogate the md error.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Nick Child c448c94fe3 pkcs7: pkcs7_get_content_info_type should reset *p on error 
The function `pkcs7_asn1_get_tag` should return an update pointer only
on success. Currently, the pointer is being updated on a failure case.
This commit resets *p to start if the first call to
mbedtls_asn1_get_tag fails.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Nick Child <nick.child@ibm.com>
 2022-09-01 19:45:41 -05:00
Daniel Axtens aa91d4ef0b pkcs7: build under CMake 
The patch updates CMakeLists.txt to include pkcs7.

Signed-off-by: Daniel Axtens <dja@axtens.net>
 2022-09-01 19:45:41 -05:00
Nayna Jain 673a226698 pkcs7: add support for signed data 
OpenSSL provides APIs to generate only the signted data
format PKCS7 i.e. without content type OID. This patch
adds support to parse the data correctly even if formatted
only as signed data

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
 2022-09-01 19:45:41 -05:00
Nayna Jain c9deb184b0 mbedtls: add support for pkcs7 
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.

This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:

* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
 2022-09-01 19:45:33 -05:00
Andrzej Kurek e16e6edfce Remove the dependency on MD_MAX_SIZE from PKCS12 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-01 08:57:59 -04:00
Andrzej Kurek 7bd12c5d5e Remove MD dependency from pkcs12 module 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-09-01 08:57:41 -04:00
Tom Cosgrove f0b2231fcd Update comments at the end of montmul following Gilles' feedback 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-31 17:57:34 +01:00
Tom Cosgrove 5eefc3db3f Move macros to come before function declarations 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-31 17:16:50 +01:00
Tom Cosgrove 630110ab23 Fix documentation where ciL should be biL 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-31 17:15:04 +01:00
Tom Cosgrove ed43c6caeb In add_if(), B MAY be aliased to A. Also update another comment for consistency. 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-31 17:15:04 +01:00
Tom Cosgrove 9354990a54 Don't use multiplication by condition in even a semi-constant time function 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-31 17:15:02 +01:00
Jerry Yu 8253486c4f Add session ticket support for server 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu 95699e72f3 Add session ticket identity check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu 661dd943b6 Add dummy server name extension paser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu e976492a11 Add session ticket tests for client 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu e6527512d2 Add obfuscated_ticket_age write 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu 49d63f8c36 Implement generate resumption master secret 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Jerry Yu db8c5faed7 Add getting session ticket for client 
- Move ssl_get_psk_to_offer to `ssl_tls13_client.c`
- Rename to `ssl_tls13_get_psk_to_offer`
- Add session ticket parser

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 23:24:25 +08:00
Ronald Cron e00d6d6b55
Merge pull request #6135 from yuhaoth/pr/tls13-finalize-external-psk-negotiation 
TLS 1.3: SRV: Finalize external PSK negotiation
 2022-08-31 17:21:57 +02:00
Tuvshinzaya Erdenekhuu 9077dbfd94 Remove NULL pointer validation in poly1305.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:18:14 +01:00
Tuvshinzaya Erdenekhuu 913819e73f Remove NULL pointer validation in chachapoly.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:18:14 +01:00
Tuvshinzaya Erdenekhuu 6a473b2f17 Remove NULL pointer validation in rsa.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:59 +01:00
Tuvshinzaya Erdenekhuu 1c5609df09 Remove NULL pointer validation in dhm.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:59 +01:00
Tuvshinzaya Erdenekhuu 5893ab02b6 Re-introduce ENUM validation in sha512.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:25 +01:00
Tuvshinzaya Erdenekhuu 3446c2603a Remove NULL pointer validation in sha512.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:25 +01:00
Tuvshinzaya Erdenekhuu 696dfb6b1e Re-introduce ENUM validation in sha256.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:25 +01:00
Tuvshinzaya Erdenekhuu df2f560316 Remove NULL pointer validation in sha256.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:25 +01:00
Tuvshinzaya Erdenekhuu 6b150ad8fa Remove NULL pointer validation in sha1.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:15:25 +01:00
Tuvshinzaya Erdenekhuu c6b8a6704e Re-introduce ENUM validation in gcm.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu 505ce0b37e Remove NULL pointer validation in gcm.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu 80a6af6ab5 Re-introduce ENUM validation in cipher.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu 5ce8e52907 Remove NULL pointer validation in cipher.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu ce8908ed0a Remove NULL pointer validation in chacha20.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu 1fd7f98546 Re-introduce ENUM validation in camellia.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu 6291b131ca Remove NULL pointer validation in camellia.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu a8ef1565bb Re-introduce ENUM validation in aes.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu cac11d7797 Remove NULL pointer validation in aes.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu c388af63e4 Remove extra spacings 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:25 +01:00
Tuvshinzaya Erdenekhuu dcf9c96274 Remove NULL pointer validation in pkparse.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:25 +01:00
Tuvshinzaya Erdenekhuu 088e936839 Remove NULL pointer validation in pkwrite.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:25 +01:00
Tuvshinzaya Erdenekhuu 78c1d8c299 Re-introduce ENUM validation in pk.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:25 +01:00
Tuvshinzaya Erdenekhuu 26b39c6c6f Remove NULL pointer validation in pk.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-08-31 10:14:25 +01:00
Neil Armstrong f19a3cb613 Use the mbedtls_ecjpake_write_shared_key() to input raw shared key material as derivation secret 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 12663092bc Introduce mbedtls_ecjpake_write_shared_key() to export the EC J-PAKE shared key material before the KDF() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong db05cbfb86 Introduce and use mbedtls_ecjpake_to_psa_error() to translate various ECP/MPI errors to expected PSA errors 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 1e855601ca Fix psa_pake_get_implicit_key() state & add corresponding tests in ecjpake_rounds() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong e92311176a Add missing parentheses on return statements 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 5fb07c6a96 No need to check for state in psa_pake_setup() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong a557cb8c8b Fixing XXX_ALG_ECJPAKE to XXX_ALG_JPAKE to match specification 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong fbc4b4aa8e Fix psa_pake_abort() order to correctly free memory when alg is PSA_ALG_JPAKE 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 0d001ef3da Check more parameters of psa_pake_output/psa_pake_input 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 4efd7a463d Check for PSA_ALG_ECJPAKE alg for the ECJPAKE builtin implementation 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong df598abbd3 Fix key usage test in psa_pake_set_password_key() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 6b1f99f5f1 Use proper buffer size macro for allocation in psa_pake_ecjpake_setup() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 5282393091 Remove useless braces in psa_crypto_pake.c 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong c29f8477e2 Fix comments in psa_crypto_pake.c 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong a4cc7d6d6b Add PSA PAKE buildin implementation 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Neil Armstrong 4b5710f8a0 Allow KEY_TYPE_PASSWORD/KEY_TYPE_PASSWORD_HASH to be imported 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-31 10:49:18 +02:00
Jerry Yu 1e05b6dd6d fix coding style and unnecessary assignment 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-31 10:35:52 +08:00
Tom Cosgrove f0c8a8cf44 One statement per line 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-30 15:15:02 +01:00
Tom Cosgrove 5dd97e60d5 Update comments following code review 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-30 14:31:49 +01:00
Tom Cosgrove b496486cdc Reorder functions in bignum_core.[ch] 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-30 11:57:22 +01:00
Manuel Pégourié-Gonnard bf22a2500b
Merge pull request #6208 from AndrzejKurek/tls-tests-no-md-structured 
Remove the dependency on MD from TLS 1.2 tests
 2022-08-30 12:34:37 +02:00
Dave Rodgman e2b772d1b6 Fix whitespace, missing const 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-30 10:25:45 +01:00
Dave Rodgman 5f3f0d06e6 Address minor review comments 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-30 10:25:45 +01:00
Nicholas Wilson ca841d32db Add test for mbedtls_x509write_crt_set_ext_key_usage, and fix reversed order 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-30 10:25:43 +01:00
Nicholas Wilson 8e5bdfbbcf Improve programs/cert_write with a way to set extended key usages 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-30 10:08:43 +01:00
Dave Rodgman 0edfa9dd26
Merge pull request #6207 from daverodgman/ticket_time 
Fix type used for capturing TLS ticket generation time
 2022-08-30 10:03:06 +01:00
Jerry Yu e5834fd0d7 remove unnecessary test 
also optimize check sum

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-29 20:33:33 +08:00
Tom Cosgrove d932de8857 Remove incorrect constant-time claim from doc for mbedtls_mpi_core_add_if() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-25 16:43:43 +01:00
Tom Cosgrove ecbb124292 Fix incorrect parameter name in mbedtls_mpi_core_add_if() doc comment 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-25 10:13:44 +01:00
Jerry Yu 0baf907e11 remove select_ciphersuite 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-25 11:21:04 +08:00
Jerry Yu c5a23a0f12 fix various issues 
- code style
- variable initialize
- update comments


Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-25 11:09:35 +08:00
Tom Cosgrove b2c06f4acf Remove stale comment, and fix whitespace issue 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-24 17:45:58 +01:00
Dave Rodgman fac3ea5656
Merge pull request #6184 from leorosen/ssl_tls_curve_group_id_null_protect 
mbedtls_ssl_check_curve prevent potential NULL pointer dereferencing
 2022-08-24 15:16:45 +01:00
Tom Cosgrove bcc13c943f
Add further missing whitespaces inside parentheses 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Co-authored-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-24 15:08:16 +01:00
Tom Cosgrove 20c1137350
Fix coding style 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Co-authored-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-24 15:06:13 +01:00
Dave Rodgman 5a28142410
Merge pull request #6189 from Kxuan/fix-ctr_drbg-uninit 
ctr_drbg: fix free uninitialized aes context
 2022-08-24 14:58:44 +01:00
Tom Cosgrove 72594633a1 Apply the function parameter naming convention 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-24 11:51:58 +01:00
Tom Cosgrove f0ffb1585a Have mbedtls_mpi_montg_init() take the modulus, rather than just its least significant limb 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-24 11:17:15 +01:00
Tom Cosgrove 958fd3dc0c Remove bignum_new.c, moving contents to bignum_core.c 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-24 11:08:51 +01:00
Tom Cosgrove 2523791d00 Better constant-time properties for mbedtls_mpi_core_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:32:22 +01:00
Tom Cosgrove f88b47ea27 Remove 'const' qualifier from temporary for mpi_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:31:42 +01:00
Tom Cosgrove 4641ec6c52 Fix style following review comments 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:31:06 +01:00
Tom Cosgrove 40d229487d Tidy up doc comments on existing function mpi_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:30:27 +01:00
Tom Cosgrove 9384284530 Use mbedtls_mpi_core_montmul() in mpi_montmul() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:29:32 +01:00
Tom Cosgrove f334d9622b Add unit tests for bignum_new.c:mbedtls_mpi_core_montmul() 
These tests are also used to test the existing mpi_montmul() function (which
too is renamed with mbedtls_ prefix). Some of these are replays of captured
invocations during unit test runs. Others are generated.  They use a mixture
of primes and odd numbers for N, with four randomly-generated cases for each N.

The lines in the .data file were generated by the following script

```
    #!/usr/bin/env perl
    #
    # mpi-test-core-montmul.pl - generate MPI tests in Perl for mbedtls_mpi_core_montmul()
    #
    use strict;
    use warnings;
    use Math::BigInt;
    use sort 'stable';

    generate_tests();

    sub generate_tests {
        generate_mbedtls_mpi_core_montmul();
    }

    # XXX mbedtls_mpi_grow() and mbedtls_mpi_shrink() work in little-endian manner

    # \brief Montgomery multiplication: X = A * B * R^-1 mod N  (HAC 14.36)
    #
    # \param[out]     X      The destination MPI, as a big endian array of length \p n.
    #                        On successful completion, X contains the result of
    #                        the multiplication A * B * R^-1 mod N where
    #                        R = (2^ciL)^n.
    # \param[in]      A      Big endian presentation of first operand.
    #                        Must have exactly \p n limbs.
    # \param[in]      B      Big endian presentation of second operand.
    # \param[in]      B_len  The number of limbs in \p B.
    # \param[in]      N      Big endian presentation of the modulus.
    #                        This must be odd and have exactly \p n limbs.
    # \param[in]      n      The number of limbs in \p X, \p A, \p N.
    # \param          mm     The Montgomery constant for \p N: -N^-1 mod 2^ciL.
    #                        This can be calculated by `mbedtls_mpi_montg_init()`.
    # \param[in,out]  T      Temporary storage of size at least 2*n+1 limbs.
    #                        Its initial content is unused and
    #                        its final content is indeterminate.
    #
    # void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X,
    #                                const mbedtls_mpi_uint *A,
    #                                const mbedtls_mpi_uint *B, size_t B_len,
    #                                const mbedtls_mpi_uint *N, size_t n,
    #                                mbedtls_mpi_uint mm, mbedtls_mpi_uint *T );

    sub generate_mbedtls_mpi_core_montmul {

        my $sub_name = (caller(0))[3];      # e.g. main::generate_mbedtls_mpi_sub_mpi
        my ($ignore, $test_name) = split("main::generate_", $sub_name);

        my @cases = ();

        my @replay = (
            # [ limbsAN_4, limbsB_4, limbsAN_8, limbsB_8, hexA, hexB, hexN, hexExpected ]
            [ 2, 1, 1, 1, "19", "1", "1D", "18" ],
            [ 2, 1, 1, 1, "7", "1", "9", "1" ],
            [ 2, 1, 1, 1, "4", "1", "9", "7" ],
            #montmul:
            #A.n = 3
            #A.p = FFFE000000008004
            #      0000000000007FFC
            #      0000000000000000
            #B.n = 1
            #B.p = 0000000000000001
            #N.n = 3
            #N.p = 0000000000000001
            #      0000000000008000
            #      0000000000000000
            #mm = FFFFFFFFFFFFFFFF
            #res.n = 3
            #res.p = EFFF9FFF3FFF8001
            #        0000000000007FFF
            #        0000000000000000
            #[ "MBEDTLS_HAVE_INT32", 3, 1, 3, "7FFCFFFE000000008004", "1", "80000000000000000001", "2000C001800100000000" ],
            #[ "MBEDTLS_HAVE_INT64", 3, 1, 3, "7FFCFFFE000000008004", "1", "80000000000000000001", "7FFFEFFF9FFF3FFF8001" ],

            [ 12, 1, 6, 1, "3C246D0E059A93A266288A7718419EC741661B474C58C032C5EDAF92709402B07CC8C7CE0B781C641A1EA8DB2F4343", "1", "66A198186C18C10B2F5ED9B522752A9830B69916E535C8F047518A889A43A594B6BED27A168D31D4A52F88925AA8F5", "36E139AEA55215609D2816998ED020BBBD96C37890F65171D948E9BC7CBAA4D9325D24D6A3C12710F10A09FA08AB87" ],

            #A.n = 5
            #A.p = 340E918CE03C6211
            #      9888165CB75BFA1F
            #      FCCE74B999E470CA
            #      1E442976B0E63D64
            #      0000000000000000
            #B.n = 1
            #B.p = 0000000000000001
            #N.n = 4
            #N.p = 8054B3D124D0E561
            #      92A338655DCE4CA8
            #      E28581ECD892E0F5
            #      B3A119602EE213CD
            #mm = E41CFB909805815F
            #res.n = 5
            #res.p = 0E65383B59F8CA5B
            #        B103B17A2EEF84E6
            #        F23BC08FD0801C55
            #        38EB7749F4A5DA80
            #        0000000000000000
            [ 8, 1, 4, 1, "1E442976B0E63D64FCCE74B999E470CA9888165CB75BFA1F340E918CE03C6211", "1", "B3A119602EE213CDE28581ECD892E0F592A338655DCE4CA88054B3D124D0E561", "38EB7749F4A5DA80F23BC08FD0801C55B103B17A2EEF84E60E65383B59F8CA5B" ],

            #A.n = 12
            #A.p = 542306BCA7A2366E
            #      D2780B2B4968F8D8
            #      CBDFC696104353E4
            #      7776839B0AC9DB23
            #      B7E125BE407E7415
            #      D711917FD7537E13
            #      82392870D6D08F87
            #      D83ED5FA38560FFB
            #      9994B0FED1D2A8D3
            #      63C65413F57249F5
            #      007CF5AC97304E0B
            #      0000000000000000
            #B.n = 1
            #B.p = 0000000000000001
            #N.n = 11
            #N.p = E1AD22CEB7BA0123
            #      32B2A6AA42ADA923
            #      C56C62082912B661
            #      C6F0EAD752500A32
            #      DBC8D651793E93C9
            #      0B2F60D99CC1950C
            #      5B4CDCB5734C58F9
            #      09D3CB5BC5585472
            #      9A2C2BE12ED487A8
            #      BE09A8111926AAA3
            #      0284139EA19C139E
            #mm = C02E2164B293C975
            #res.n = 12
            #res.p = F6B14471839D8D31
            #        FF843ED3B17C44D7
            #        1C3D52C7CB9E0BA6
            #        82F3590C866BF9F8
            #        49C371DB2A4FB164
            #        964ECA2527A031ED
            #        FAACEC6982E0E5BE
            #        1F70C4CB2426AEE1
            #        2C92B02886267AB4
            #        0630B14113BEAD74
            #        01E4426A3D6C425F
            #        0000000000000000
            [ 22, 1, 11, 1, "7CF5AC97304E0B63C65413F57249F59994B0FED1D2A8D3D83ED5FA38560FFB82392870D6D08F87D711917FD7537E13B7E125BE407E74157776839B0AC9DB23CBDFC696104353E4D2780B2B4968F8D8542306BCA7A2366E", "1", "284139EA19C139EBE09A8111926AAA39A2C2BE12ED487A809D3CB5BC55854725B4CDCB5734C58F90B2F60D99CC1950CDBC8D651793E93C9C6F0EAD752500A32C56C62082912B66132B2A6AA42ADA923E1AD22CEB7BA0123", "1E4426A3D6C425F0630B14113BEAD742C92B02886267AB41F70C4CB2426AEE1FAACEC6982E0E5BE964ECA2527A031ED49C371DB2A4FB16482F3590C866BF9F81C3D52C7CB9E0BA6FF843ED3B17C44D7F6B14471839D8D31" ],
        );

        for my $c (@replay) {
            # For all of these, la4 = 2 * la8, so $xh4 == $xh8 (so we just have $xh)
            my ($la4, $lb4, $la8, $lb8, $ah, $bh, $nh, $xh) = @$c;    # limbs(A), limbs(B), limbs(N), (A, B, N, expected) hex

            my $a = Math::BigInt->from_hex($ah);
            my $b = Math::BigInt->from_hex($bh);
            my $n = Math::BigInt->from_hex($nh);

            my $desc = "$test_name #NUMBER (replay)";
            # mbedtls_mpi_core_montmul:mpiSize:limbs(A,N):limbs(B):<A>:<B>:<N>:<expected4>:<expected8>
            # (just repeat $xh, as la4 = 2 * la8, so $xh4 == $xh8)
            my $case = output($test_name, $la4, $lb4, $la8, $lb8, str($ah), str($bh), str($nh), str($xh), str($xh));

            push(@cases, [$case, $desc]);
        }

        # see mpi-modmul-gen.pl for the source of these test cases

        my @generate = (
            # [ hexN, hexA, hexB, info ]
            [ "3", "2", "2", "" ],
            [ "3", "1", "2", "" ],
            [ "3", "2", "1", "" ],
            [ "7", "6", "5", "" ],
            [ "7", "3", "4", "" ],
            [ "7", "1", "6", "" ],
            [ "7", "5", "6", "" ],
            [ "B", "3", "4", "" ],
            [ "B", "7", "4", "" ],
            [ "B", "9", "7", "" ],
            [ "B", "2", "a", "" ],
            [ "29", "25", "16", "(0x29 is prime)" ],
            [ "29", "8", "28", "" ],
            [ "29", "18", "21", "" ],
            [ "29", "15", "f", "" ],
            [ "FF", "e2", "ea", "" ],
            [ "FF", "43", "72", "" ],
            [ "FF", "d8", "70", "" ],
            [ "FF", "3c", "7c", "" ],
            [ "101", "99", "b9", "(0x101 is prime)" ],
            [ "101", "65", "b2", "" ],
            [ "101", "81", "32", "" ],
            [ "101", "51", "dd", "" ],
            [ "38B", "d5", "143", "(0x38B is prime)" ],
            [ "38B", "3d", "387", "" ],
            [ "38B", "160", "2e5", "" ],
            [ "38B", "10f", "137", "" ],
            [ "8003", "7dac", "25a", "(0x8003 is prime)" ],
            [ "8003", "6f1c", "3286", "" ],
            [ "8003", "59ed", "2f3f", "" ],
            [ "8003", "6893", "736d", "" ],
            [ "10001", "d199", "2832", "(0x10001 is prime)" ],
            [ "10001", "c3b2", "3e5b", "" ],
            [ "10001", "abe4", "214e", "" ],
            [ "10001", "4360", "a05d", "" ],
            [ "7F7F7", "3f5a1", "165b2", "" ],
            [ "7F7F7", "3bd29", "37863", "" ],
            [ "7F7F7", "60c47", "64819", "" ],
            [ "7F7F7", "16584", "12c49", "" ],
            [ "800009", "1ff03f", "610347", "(0x800009 is prime)" ],
            [ "800009", "340fd5", "19812e", "" ],
            [ "800009", "3fe2e8", "4d0dc7", "" ],
            [ "800009", "40356", "e6392", "" ],
            [ "100002B", "dd8a1d", "266c0e", "(0x100002B is prime)" ],
            [ "100002B", "3fa1cb", "847fd6", "" ],
            [ "100002B", "5f439d", "5c3196", "" ],
            [ "100002B", "18d645", "f72dc6", "" ],
            [ "37EEE9D", "20051ad", "37def6e", "(0x37EEE9D is prime)" ],
            [ "37EEE9D", "2ec140b", "3580dbf", "" ],
            [ "37EEE9D", "1d91b46", "190d4fc", "" ],
            [ "37EEE9D", "34e488d", "1224d24", "" ],
            [ "8000000B", "2a4fe2cb", "263466a9", "(0x8000000B is prime)" ],
            [ "8000000B", "5643fe94", "29a1aefa", "" ],
            [ "8000000B", "29633513", "7b007ac4", "" ],
            [ "8000000B", "2439cef5", "5c9d5a47", "" ],
            [ "8CD626B9", "4de3cfaa", "50dea178", "(0x8CD626B9 is prime)" ],
            [ "8CD626B9", "b8b8563", "10dbbbac", "" ],
            [ "8CD626B9", "4e8a6151", "5574ec19", "" ],
            [ "8CD626B9", "69224878", "309cfc23", "" ],
            [ "10000000F", "fb6f7fb6", "afb05423", "(0x10000000F is prime)" ],
            [ "10000000F", "8391a243", "26034dcd", "" ],
            [ "10000000F", "d26b98c", "14b2d6aa", "" ],
            [ "10000000F", "6b9f1371", "a21daf1d", "" ],
            [ "174876E7E9", "9f49435ad", "c8264ade8", "0x174876E7E9 is prime (dec) 99999999977" ],
            [ "174876E7E9", "c402da434", "1fb427acf", "" ],
            [ "174876E7E9", "f6ebc2bb1", "1096d39f2a", "" ],
            [ "174876E7E9", "153b7f7b6b", "878fda8ff", "" ],
            [ "8000000017", "2c1adbb8d6", "4384d2d3c6", "(0x8000000017 is prime)" ],
            [ "8000000017", "2e4f9cf5fb", "794f3443d9", "" ],
            [ "8000000017", "149e495582", "3802b8f7b7", "" ],
            [ "8000000017", "7b9d49df82", "69c68a442a", "" ],
            [ "864CB9076D", "683a134600", "6dd80ea9f6", "(0x864CB9076D is prime)" ],
            [ "864CB9076D", "13a870ff0d", "59b099694a", "" ],
            [ "864CB9076D", "37d06b0e63", "4d2147e46f", "" ],
            [ "864CB9076D", "661714f8f4", "22e55df507", "" ],
            [ "F7F7F7F7F7", "2f0a96363", "52693307b4", "" ],
            [ "F7F7F7F7F7", "3c85078e64", "f2275ecb6d", "" ],
            [ "F7F7F7F7F7", "352dae68d1", "707775b4c6", "" ],
            [ "F7F7F7F7F7", "37ae0f3e0b", "912113040f", "" ],
            [ "1000000000F", "6dada15e31", "f58ed9eff7", "(0x1000000000F is prime)" ],
            [ "1000000000F", "69627a7c89", "cfb5ebd13d", "" ],
            [ "1000000000F", "a5e1ad239b", "afc030c731", "" ],
            [ "1000000000F", "f1cc45f4c5", "c64ad607c8", "" ],
            [ "800000000005", "2ebad87d2e31", "4c72d90bca78", "(0x800000000005 is prime)" ],
            [ "800000000005", "a30b3cc50d", "29ac4fe59490", "" ],
            [ "800000000005", "33674e9647b4", "5ec7ee7e72d3", "" ],
            [ "800000000005", "3d956f474f61", "74070040257d", "" ],
            [ "800795D9BA47", "48348e3717d6", "43fcb4399571", "(0x800795D9BA47 is prime)" ],
            [ "800795D9BA47", "5234c03cc99b", "2f3cccb87803", "" ],
            [ "800795D9BA47", "3ed13db194ab", "44b8f4ba7030", "" ],
            [ "800795D9BA47", "1c11e843bfdb", "95bd1b47b08", "" ],
            [ "1000000000015", "a81d11cb81fd", "1e5753a3f33d", "(0x1000000000015 is prime)" ],
            [ "1000000000015", "688c4db99232", "36fc0cf7ed", "" ],
            [ "1000000000015", "f0720cc07e07", "fc76140ed903", "" ],
            [ "1000000000015", "2ec61f8d17d1", "d270c85e36d2", "" ],
            [ "100000000000051", "6a24cd3ab63820", "ed4aad55e5e348", "(0x100000000000051 is prime)" ],
            [ "100000000000051", "e680c160d3b248", "31e0d8840ed510", "" ],
            [ "100000000000051", "a80637e9aebc38", "bb81decc4e1738", "" ],
            [ "100000000000051", "9afa5a59e9d630", "be9e65a6d42938", "" ],
            [ "ABCDEF0123456789", "ab5e104eeb71c000", "2cffbd639e9fea00", "" ],
            [ "ABCDEF0123456789", "197b867547f68a00", "44b796cf94654800", "" ],
            [ "ABCDEF0123456789", "329f9483a04f2c00", "9892f76961d0f000", "" ],
            [ "ABCDEF0123456789", "4a2e12dfb4545000", "1aa3e89a69794500", "" ],
            [ "25A55A46E5DA99C71C7", "8b9acdf013d140f000", "12e4ceaefabdf2b2f00", "0x25A55A46E5DA99C71C7 is the 3rd repunit prime (dec) 11111111111111111111111" ],
            [ "25A55A46E5DA99C71C7", "1b8d960ea277e3f5500", "14418aa980e37dd000", "" ],
            [ "25A55A46E5DA99C71C7", "7314524977e8075980", "8172fa45618ccd0d80", "" ],
            [ "25A55A46E5DA99C71C7", "ca14f031769be63580", "147a2f3cf2964ca9400", "" ],
            [ "314DC643FB763F2B8C0E2DE00879", "18532ba119d5cd0cf39735c0000", "25f9838e31634844924733000000", "0x314DC643FB763F2B8C0E2DE00879 is (dec)99999999977^3" ],
            [ "314DC643FB763F2B8C0E2DE00879", "a56e2d2517519e3970e70c40000", "ec27428d4bb380458588fa80000", "" ],
            [ "314DC643FB763F2B8C0E2DE00879", "1cb5e8257710e8653fff33a00000", "15fdd42fe440fd3a1d121380000", "" ],
            [ "314DC643FB763F2B8C0E2DE00879", "e50d07a65fc6f93e538ce040000", "1f4b059ca609f3ce597f61240000", "" ],
            [ "47BF19662275FA2F6845C74942ED1D852E521", "1ea3ade786a095d978d387f30df9f20000000", "127c448575f04af5a367a7be06c7da0000000", "0x47BF19662275FA2F6845C74942ED1D852E521 is (dec) 99999999977^4" ],
            [ "47BF19662275FA2F6845C74942ED1D852E521", "16e15b0ca82764e72e38357b1f10a20000000", "43e2355d8514bbe22b0838fdc3983a0000000", "" ],
            [ "47BF19662275FA2F6845C74942ED1D852E521", "be39332529d93f25c3d116c004c620000000", "5cccec42370a0a2c89c6772da801a0000000", "" ],
            [ "47BF19662275FA2F6845C74942ED1D852E521", "ecaa468d90de0eeda474d39b3e1fc0000000", "1e714554018de6dc0fe576bfd3b5660000000", "" ],
            [ "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", "32298816711c5dce46f9ba06e775c4bedfc770e6700000000000000", "8ee751fd5fb24f0b4a653cb3a0c8b7d9e724574d168000000000000", "0x97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931 is (dec) 99999999977^6" ],
            [ "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", "29213b9df3cfd15f4b428645b67b677c29d1378d810000000000000", "6cbb732c65e10a28872394dfdd1936d5171c3c3aac0000000000000", "" ],
            [ "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", "6f18db06ad4abc52c0c50643dd13098abccd4a232f0000000000000", "7e6bf41f2a86098ad51f98dfc10490ba3e8081bc830000000000000", "" ],
            [ "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", "62d3286cd706ad9d73caff63f1722775d7e8c731208000000000000", "530f7ba02ae2b04c2fe3e3d27ec095925631a6c2528000000000000", "" ],
            [ "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", "a6c6503e3c031fdbf6009a89ed60582b7233c5a85de28b16000000000000000", "75c8ed18270b583f16d442a467d32bf95c5e491e9b8523798000000000000000", "0xDD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499 is (dec) 99999999977^7" ],
            [ "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", "bf84d1f85cf6b51e04d2c8f4ffd03532d852053cf99b387d4000000000000000", "397ba5a743c349f4f28bc583ecd5f06e0a25f9c6d98f09134000000000000000", "" ],
            [ "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", "6db11c3a4152ed1a2aa6fa34b0903ec82ea1b88908dcb482000000000000000", "ac8ac576a74ad6ca48f201bf89f77350ce86e821358d85920000000000000000", "" ],
            [ "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", "3001d96d7fe8b733f33687646fc3017e3ac417eb32e0ec708000000000000000", "925ddbdac4174e8321a48a32f79640e8cf7ec6f46ea235a80000000000000000", "" ],
            [ "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41", "1029048755f2e60dd98c8de6d9989226b6bb4f0db8e46bd1939de560000000000000000000", "51bb7270b2e25cec0301a03e8275213bb6c2f6e6ec93d4d46d36ca0000000000000000000", "0x141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41 is 99999999977^8" ],
            [ "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41", "1c5337ff982b3ad6611257dbff5bbd7a9920ba2d4f5838a0cc681ce000000000000000000", "520c5d049ca4702031ba728591b665c4d4ccd3b2b86864d4c160fd2000000000000000000", "" ],
            [ "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41", "57074dfa00e42f6555bae624b7f0209f218adf57f73ed34ab0ff90c000000000000000000", "41eb14b6c07bfd3d1fe4f4a610c17cc44fcfcda695db040e011065000000000000000000", "" ],
            [ "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41", "d8ed7feed2fe855e6997ad6397f776158573d425031bf085a615784000000000000000000", "6f121dcd18c578ab5e229881006007bb6d319b179f11015fe958b9c000000000000000000", "" ],
            [ "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451", "2a462b156180ea5fe550d3758c764e06fae54e626b5f503265a09df76edbdfbfa1e6000000000000000000000000", "1136f41d1879fd4fb9e49e0943a46b6704d77c068ee237c3121f9071cfd3e6a00315800000000000000000000000", "0x2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451 is (dec) 99999999977^10" ],
            [ "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451", "c1ac3800dfb3c6954dea391d206200cf3c47f795bf4a5603b4cb88ae7e574de4740800000000000000000000000", "c0d16eda0549ede42fa0deb4635f7b7ce061fadea02ee4d85cba4c4f7096034193c800000000000000000000000", "" ],
            [ "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451", "19e45bb7633094d272588ad2e43bcb3ee341991c6731b6fa9d47c4018d7ce7bba5ee800000000000000000000000", "1e4f83166ae59f6b9cc8fd3e7677ed8bfc01bb99c98bd3eb084246b64c1e18c3365b800000000000000000000000", "" ],
            [ "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451", "1aa93395fad5f9b7f20b8f9028a054c0bb7c11bb8520e6a95e5a34f06cb70bcdd01a800000000000000000000000", "54b45afa5d4310192f8d224634242dd7dcfb342318df3d9bd37b4c614788ba13b8b000000000000000000000000", "" ],
            [ "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051", "544f2628a28cfb5ce0a1b7180ee66b49716f1d9476c466c57f0c4b2308991784306d48f78686115ee19e25400000000000000000000000000000000", "677eb31ef8d66c120fa872a60cd47f6e10cbfdf94f90501bd7883cba03d185be0a0148d1625745e9c4c827300000000000000000000000000000000", "0x8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051 is prime, (dec) 10^143 + 3^4" ],
            [ "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051", "76bb3470985174915e9993522aec989666908f9e8cf5cb9f037bf4aee33d8865cb6464174795d07e30015b80000000000000000000000000000000", "6aaaf60d5784dcef612d133613b179a317532ecca0eed40b8ad0c01e6d4a6d8c79a52af190abd51739009a900000000000000000000000000000000", "" ],
            [ "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051", "6cfdd6e60912e441d2d1fc88f421b533f0103a5322ccd3f4db84861643ad63fd63d1d8cfbc1d498162786ba00000000000000000000000000000000", "1177246ec5e93814816465e7f8f248b350d954439d35b2b5d75d917218e7fd5fb4c2f6d0667f9467fdcf33400000000000000000000000000000000", "" ],
            [ "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051", "7a09a0b0f8bbf8057116fb0277a9bdf3a91b5eaa8830d448081510d8973888be5a9f0ad04facb69aa3715f00000000000000000000000000000000", "764dec6c05a1c0d87b649efa5fd94c91ea28bffb4725d4ab4b33f1a3e8e3b314d799020e244a835a145ec9800000000000000000000000000000000", "" ],
        );

        my %described = ();

        for my $g (@generate) {
            my ($nh, $ah, $bh, $info) = @$g;
            my $a = Math::BigInt->from_hex($ah);
            my $b = Math::BigInt->from_hex($bh);
            my $n = Math::BigInt->from_hex($nh);

            my $ln4 = mpi4s($n);
            my $la4 = mpi4s($a);
            my $lb4 = mpi4s($b);

            my $ln8 = mpi8s($n);
            my $la8 = mpi8s($a);
            my $lb8 = mpi8s($b);

            my $r4 = bound_mpi4($n->copy());
            my $i4 = $r4->copy()->bmodinv($n);
            my $x4 = $a * $b * $i4;
            $x4->bmod($n);
            my $xh4 = Math::BigInt->new($x4)->to_hex();

            my $r8 = bound_mpi8($n->copy());
            my $i8 = $r8->copy()->bmodinv($n);
            my $x8 = $a * $b * $i8;
            $x8->bmod($n);
            my $xh8 = Math::BigInt->new($x8)->to_hex();

            die("") if $la4 > $ln4 || $la8 > $ln8;

            my $desc = "$test_name #NUMBER (gen)";
            if ($ln4 > 1) {
                if (!$described{"2-MPI4"}) {
                    $desc .= " (start of 2-MPI 4-byte bignums)";
                    $described{"2-MPI4"} = 1;
                }
            }
            if ($ln8 > 1) {
                if (!$described{"2-MPI8"}) {
                    $desc .= " (start of 2-MPI 8-byte bignums)";
                    $described{"2-MPI8"} = 1;
                }
            }
            if (length($info) && !$described{$info}) {
                $desc .= " " . $info;
                $described{$info} = 1;
            }
            my $case = output($test_name, $ln4, $lb4, $ln8, $lb8, str($ah), str($bh), str($nh), str($xh4), str($xh8));

            #push(@cases, [$case, $desc, "MBEDTLS_HAVE_INT64"]);    -- now doing it differently
            push(@cases, [$case, $desc]);
        }

        output_cases("", @cases);
    }

    sub output_cases {

        my ($explain, @cases) = @_;

        my $count = 1;
        for my $c (@cases) {

            my ($case, $desc, $dep) = @$c;
            $desc =~ s/NUMBER/$count/; $count++;
            if (defined($explain) && $desc =~ /EXPLAIN/) {
                $desc =~ s/EXPLAIN/$explain/;
                $explain = "";
            }

            my $depends = "";
            $depends = "depends_on:$dep\n" if defined($dep) && length($dep);

            print <<EOF;

    $desc
    $depends$case
    EOF
        }
    }

    # The first number (a power of 2) that won't fit in the number of MPIs
    # needed for the given number
    sub bound_mpi4 {
        my $one = Math::BigInt->new(1);     # blsft modifies caller
        return $one->blsft(bits_mpi4($_[0]));
    }

    sub bound_mpi8 {
        my $one = Math::BigInt->new(1);     # blsft modifies caller
        return $one->blsft(bits_mpi8($_[0]));
    }

    # How many bits (a multiple of 32) needed to store the specified number
    # when using 4-byte MPIs
    sub bits_mpi4 {
        return 32 * mpi4s($_[0]);
    }

    # How many bits (a multiple of 64) needed to store the specified number
    # when using 8-byte MPIs
    sub bits_mpi8 {
        return 64 * mpi8s($_[0]);
    }

    # How many 4-byte MPIs needed to store the specified number
    sub mpi4s {
        my ($n) = @_;
        my $h = $n->to_hex();
        return int((length($h) + 7) / 8);
    }

    # How many 8-byte MPIs needed to store the specified number
    sub mpi8s {
        my ($n) = @_;
        my $h = $n->to_hex();
        return int((length($h) + 15) / 16);
    }

    sub output {
        #run_test(@_);

        return join(":", @_);
    }

    sub str {
        return '"' . $_[0] . '"';
    }
```

The data for the generated test cases (@generate) for mpi-test-core-montmul.pl
was created by

```
    #!/usr/bin/env perl
    #
    # mpi-modmul-gen.pl - randomly generate test cases for mpi-test-core-montmul.pl
    #
    use strict;
    use warnings;
    use Math::BigInt;
    use sort 'stable';

    my %seen = ();

    my @primes = (
        "3",
        "7",
        "B",
        "29",
        "101",
        "38B",
        "8003",
        "10001",
        "800009",
        "100002B",
        "37EEE9D",
        "8000000B",
        "8CD626B9",
        # From here they require > 1 4-byte MPI
        "10000000F",
        "174876E7E9",
        "8000000017",
        "864CB9076D",
        "1000000000F",
        "800000000005",
        "800795D9BA47",
        "1000000000015",
        "100000000000051",
        # From here they require > 1 8-byte MPI
        "25A55A46E5DA99C71C7",      # this is 11111111111111111111111 decimal
        # 10^143 + 3^4: (which is prime)
        # 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081
        "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051",
    );
    my %prime = map { $_ => 1 } @primes;

    my @moduli = (
        [ "3", "" ],
        [ "7", "" ],
        [ "B", "" ],
        [ "29", "" ],
        [ "FF", "" ],
        [ "101", "" ],
        [ "38B", "" ],
        [ "8003", "" ],
        [ "10001", "" ],
        [ "7F7F7", "" ],
        [ "800009", "" ],
        [ "100002B", "" ],
        [ "37EEE9D", "" ],
        [ "8000000B", "" ],
        [ "8CD626B9", "" ],
        [ "10000000F", "" ],
        [ "174876E7E9", "0x174876E7E9 is prime (dec) 99999999977" ],
        [ "8000000017", "" ],
        [ "864CB9076D", "" ],
        [ "F7F7F7F7F7", "" ],
        [ "1000000000F", "" ],
        [ "800000000005", "" ],
        [ "800795D9BA47", "" ],
        [ "1000000000015", "" ],
        [ "100000000000051", "" ],
        [ "ABCDEF0123456789", "" ],
        [ "25A55A46E5DA99C71C7", "0x25A55A46E5DA99C71C7 is the 3rd repunit prime (dec) 11111111111111111111111" ],
        [ "314DC643FB763F2B8C0E2DE00879", "0x314DC643FB763F2B8C0E2DE00879 is (dec)99999999977^3" ],
        [ "47BF19662275FA2F6845C74942ED1D852E521", "0x47BF19662275FA2F6845C74942ED1D852E521 is (dec) 99999999977^4" ],
        [ "97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931", "0x97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931 is (dec) 99999999977^6" ],
        [ "DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499", "0xDD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499 is (dec) 99999999977^7" ],
        [ "141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41", "0x141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41 is 99999999977^8" ],
        [ "2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451", "0x2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451 is (dec) 99999999977^10" ],
        [ "8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051", "0x8335616AED761F1F7F44E6BD49E807B82E3BF2BF11BFA6AF813C808DBF33DBFA11DABD6E6144BEF37C6800000000000000000000000000000000051 is prime, (dec) 10^143 + 3^4" ], # 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081
    );

    #99999999977^2:
    #ibase=16 ; obase=10 ; 174876E7E9*174876E7E9
    #99999999977^3:
    #ibase=16 ; obase=10 ; 174876E7E9*174876E7E9*174876E7E9
    #99999999977^2: 21E19E0C58BACE25211
    #99999999977^3: 314DC643FB763F2B8C0E2DE00879
    #99999999977^4: 47BF19662275FA2F6845C74942ED1D852E521
    #99999999977^5: 6867A5A664437D20ED7941408583AADA2193CE95695209
    #99999999977^6: 97EDD86E4B5C4592C6D32064AC55C888A7245F07CA3CC455E07C931
    #99999999977^7: DD15FE80B731872AC104DB37832F7E75A244AA2631BC87885B861E8F20375499
    #99999999977^8: 141B8EBD9009F84C241879A1F680FACCED355DA36C498F73E96E880CF78EA5F96146380E41
    #99999999977^9: 1D42AEA1837AA78C6339224E9B39A483E4AAAF12CE7752E1EA1681082CBC8AB056A36B6299557D7A029
    #99999999977^10: 2A94608DE88B6D5E9F8920F5ABB06B24CC35AE1FBACC87D075C621C3E2833EC902713E40F51E3B3C214EDFABC451

    my %mentioned = ();

    for my $mod (@moduli) {
        my ($nh, $info) = @$mod;
        my $n = Math::BigInt->from_hex($nh);

        my $xxx = $n->to_hex();
        die("$xxx != $nh") unless lc($xxx) eq lc($nh);

        my $cases = ($n < 5) ? 3 : 4;
        for (my $case = 0; $case < $cases; $case++) {
            my ($a, $b);
            for ($a = 0; $a == 0; ) {
                $a = int(rand($n));
            }
            for ($b = 0; $b == 0; ) {
                $b = int(rand($n));
            }

            my $cstr = "$a|$b|$n";
            if (exists($seen{$cstr})) {     # don't repeat ourselves
                $case--;
                next;
            }

            $seen{$cstr} = 1;

            my $ah = Math::BigInt->new($a)->to_hex();
            my $bh = Math::BigInt->new($b)->to_hex();

            my $desc = "";
            if (length($info)) {
                $desc = $info if !$mentioned{$info};
                $mentioned{$info} = 1;
            } elsif (length($nh) > 1 && $prime{$nh} && !$mentioned{$nh}) {
                $desc = "(0x$nh is prime)";
                $mentioned{$nh} = 1;
            }

            print <<EOF;
            [ "$nh", "$ah", "$bh", "$desc" ],
    EOF
        }
    }
```

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:29:00 +01:00
Tom Cosgrove 79b70f6394 Make a public version of mpi_montg_init() in bignum_new.c and add unit tests 
The unit tests were created by capturing runs of the existing function during
execution of existing unit tests.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:28:32 +01:00
Tom Cosgrove 268f96b0ef Fix Windows builds, which were getting "possible loss of data" 
"bignum_new.c(61,52): warning C4244: 'function': conversion from 'mbedtls_mpi_uint' to 'unsigned int', possible loss of data"

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:17:26 +01:00
Tom Cosgrove 7e655f7b4c Use new mbedtls_mpi_core_sub() instead of old static mpi_sub_hlp() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:15:44 +01:00
Tom Cosgrove 90c426b932 Tidy up, removing MPI_CORE(), and using the new mbedtls_mpi_core_mla() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 16:15:19 +01:00
Jerry Yu f35ba384ff Add select ciphersuite entry function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-23 22:01:58 +08:00
Hanno Becker 71f4b0dda6 Add bignum_new.c starting with MPI_CORE(montmul) for Montgomery multiplication 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 12:09:35 +01:00
Tom Cosgrove 82d3f1e824 Remove bignum_internal.h, moving contents to bignum_core.h 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-23 12:01:39 +01:00
Jerry Yu dd1bef788e Add ciphersuite_info check 
return null if no valid ciphersuite info

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-23 17:57:02 +08:00
Jerry Yu 29d9faa468 fix various issues. 
- comments issues
- code format style issues
- naming improvement.
- error return improvements

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-23 17:53:43 +08:00
Andrzej Kurek 299b1d6c93 Remove unnecessary psa/crypto.h include 
This is now included in `legacy_or_psa.h`.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-23 05:42:33 -04:00
Andrzej Kurek cccb044804 Style & formatting fixes 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-23 05:26:02 -04:00
Janos Follath 645ff5b8ff
Merge pull request #6095 from gabor-mezei-arm/6016_add_new_modulus_and_residue_structures 
Add the new modulus and the residue structures with low level I/O operations
 2022-08-23 09:02:43 +01:00
Andrzej Kurek 7e16ce3a72 Clarify TLS 1.2 dependencies with and without PSA crypto 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-22 17:46:50 -04:00
Andrzej Kurek 8c95ac4500 Add missing dependencies / alternatives 
A number of places lacked the necessary dependencies on one of
the used features: MD, key exchange with certificate, 
entropy, or ETM.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-22 17:46:50 -04:00
Andrzej Kurek 25f271557b Update SHA and MD5 dependencies in the SSL module 
The same elements are now also used when MBEDTLS_USE_PSA_CRYPTO
is defined and respective SHA / MD5 defines are missing.
A new set of macros added in #6065 is used to reflect these dependencies.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-22 17:46:50 -04:00
Andrzej Kurek 0ce592169e Use hash_info_get_size in ssl_tls12_client 
This way the code does not rely on the MBEDTLS_MD_C define
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-22 17:46:50 -04:00
Andrzej Kurek a242e83b21 Rename the sha384 checksum context to reflect its purpose 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-08-22 17:02:04 -04:00
Gilles Peskine e5018c97f9
Merge pull request #6195 from superna9999/6149-driver-only-hashes-ec-j-pake 
Driver-only hashes: EC J-PAKE
 2022-08-22 17:28:15 +02:00
Gilles Peskine 20ebaac85e
Merge pull request #6211 from tom-cosgrove-arm/explicit-warning-re-ct-conditions-not-0-or-1 
Be explicit about constant time bignum functions that must take a 0 or 1 condition value
 2022-08-22 17:24:04 +02:00
Gilles Peskine 03f1c39ac7
Merge pull request #6171 from mprse/md_x509_test 
Driver-only hashes: X.509
 2022-08-22 17:18:47 +02:00
Janos Follath 2e328c8591 Remove confusing const qualifier 
Since a is not a pointer, it is passed by value and declaring it const
doesn’t make any sense and on the first read can make me miss the fact
that a is not a pointer.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-22 11:19:10 +01:00
Janos Follath c459641ad1 Bignum: add missing limb qualifiers 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-22 10:04:52 +01:00
Janos Follath af3f39c01c Fix typos 
Co-authored-by: Tom Cosgrove <81633263+tom-cosgrove-arm@users.noreply.github.com>
Co-authored-by: Werner Lewis <Werner.Lewis@arm.com>

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-22 09:08:04 +01:00
Jerry Yu 5725f1cf3a Align ciphersuite with overwrite. 
Selected ciphersuite MUST be same with ciphsersuite of PSK.
Overwrite the old ciphersuite with the one of PSK.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 17:50:27 +08:00
Jerry Yu 01e42d2d4c fix issues in export handshake psk 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 13:00:07 +08:00
Jerry Yu 9f7f646b11 Revert "remove psk key when ephemeral selected" 
This reverts commit 5c28e7aa0e.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 12:59:17 +08:00
Jerry Yu e9d4fc09a3 fix binder value security issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 12:59:17 +08:00
Jerry Yu 24b8c813c4 fix comments and wrong initial value issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 12:55:45 +08:00
Jerry Yu 5d01c05d93 fix various issues 
- wrong typo in comments
- replace psk null check with key_exchange_mode check
- set psk NULL when error return in export hs psk

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 12:55:01 +08:00
Jerry Yu 6cf6b47b5c fix format and comment issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-21 12:54:53 +08:00
Dave Rodgman beb4fc0723
Merge pull request #6185 from leorosen/tls12_server_null_on_missing_key 
ssl_tls12_server: fix potential NULL-dereferencing if local certifica…
 2022-08-19 20:22:59 +01:00
Leonid Rozenboim 19e5973566 mbedtls_ssl_check_curve prevent potential NULL pointer dereferencing 
Avoid the shorthand practice of the form 'x = func(foo)->bar' which
exposes the code to NULL pointer de-referencing when the 'func()'
returns a NULL pointer.

The first chunk is for when the curve group code is not recognized by
the library, and is cleanly rejected if offered.

The second chunk addresses the unlikely case of an internal error:
if 'mbedtls_pk_can_do()' returns TRUE, it should rule out
'mbedtls_pk_ec()' returning a NULL, unless there is a regression.

Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
 2022-08-19 11:49:22 -07:00
Janos Follath a95f204cd3 Improve documentation 
Co-authored-by: Tom Cosgrove <81633263+tom-cosgrove-arm@users.noreply.github.com>
Co-authored-by: Werner Lewis <werner.wmlewis@gmail.com>
Co-authored-by: Minos Galanakis <minos.galanakis@arm.com>

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-19 13:11:22 +01:00
Janos Follath ca5688e10c Improve coding style 
Co-authored-by: Tom Cosgrove <81633263+tom-cosgrove-arm@users.noreply.github.com>
Co-authored-by: Werner Lewis <werner.wmlewis@gmail.com>

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-19 13:11:22 +01:00
Janos Follath b7a88eca42 Bignum: Apply naming conventions 
Numbers:

- A, B for mbedtls_mpi_uint* operands
- a, b for mbedtls_mpi_uint operands
- X or x for result
- HAC references where applicable

Lengths:

- Reserve size or length for length/size in bytes or byte buffers.
- For length of mbedtls_mpi_uint* buffers use limbs
- Length parameters are qualified if possible (eg. input_length or
  a_limbs)

Setup functions:

- The parameters match the corresponding structure member's name
- The structure to set up is a standard lower case name even if in other
  functions different naming conventions would apply

Scope of changes/conventions:

- bignum_core
- bignum_mod
- bignum_mod_raw

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-19 13:11:22 +01:00
Janos Follath 6b8a4ad0d8 Bignum: update const qualifiers 
While at it, mark parameters based on their role.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-19 13:11:22 +01:00
Dave Rodgman c947751a5f Fix ECDSA signature verification edge-case 
For R and S equal to 1, ensure the public key is checked
for validity.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-19 11:16:37 +01:00
Neil Armstrong ecaba1c9b2 Make use of PSA crypto hash if MBEDTLS_MD_C isn't defined 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-19 11:49:22 +02:00
Neil Armstrong 0d76341eac Remove md_info by md_type in ecjpake context, use mbedtls_hash_info_get_size() to get hash length 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-08-19 11:49:22 +02:00
Przemek Stekiel bc3906c58f pem_pbkdf1(): optimize psa version 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:36:57 +02:00
Przemek Stekiel bf01c64e9d oid.c: unify dependencies (VIA_MD_OR_PSA->VIA_LOWLEVEL_OR_PSA) 
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 4146525ce9 Fix compilation guard (comment) 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 0cd6f08e6f pem.c: fix style issues (redundant spaces) 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel d23a4efe2c pem.c: remove redundant compilation guard 
If MBEDTLS_MD5_C is not defined MBEDTLS_USE_PSA_CRYPTO must be defined due to PEM_RFC1421.

*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel c410ccc528 Include psa/crypto.h in legacy_or_psa.h 
It is needed for PSA_WANT_ALG_xxxx symbols

*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 4092ff9ba9 pem.c: add internal macro to increase code readability 
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 829e97d029 Fix include order 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 76b753bbb7 Change the dependencies in pem.c to xxx_BASED_ON_USE_PSA and related files 
This is done to be able to bild test_psa_crypto_config_accel_hash component where MD5 is only available accelerated (PSA_WANT_ALG_MD5 is enabled and MBEDTLS_MD5_C is disabled) but MBEDTLS_USE_PSA_CRYPTO is disabled.
So the build should not attempt to enable pem_pbkdf1.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel 81799fd9d8 pem.c, test_suite_pem: fix dependency MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA->MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA 
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

*** Comparing reference -> drivers ***
   x509parse: total 723; skipped  89 ->  89
   x509write: total  41; skipped   3 ->   3
         pem: total  13; skipped   0 ->   0
         oid: total  28; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel be92bee58a pem.c: Fix conditional compilation flags 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel a68d08f7d1 pem.c: adjust for bulid without md 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel de81028f00 Adjust dependencies in library/oid.c 
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Przemek Stekiel fd18366965 Adjust declared dependencies in library/x509* 
*** Comparing before-default -> after-default ***
   x509parse: total 723; skipped  26 ->  26
   x509write: total  41; skipped   8 ->   8

*** Comparing before-full -> after-full ***
   x509parse: total 723; skipped  25 ->  25
   x509write: total  41; skipped   0 ->   0

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-19 10:15:56 +02:00
Ronald Cron f3f6b0a5c3
Merge pull request #6123 from yuhaoth/pr/finialize-tls13-serialize_session_save_load 
TLS 1.3:finalize tls13 serialize session save and load
 2022-08-19 08:16:05 +02:00
Leonid Rozenboim 70dfd4c8ac ssl_tls12_server: fix potential NULL-dereferencing if local certificate was not set. 
Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
 2022-08-18 14:39:37 -07:00
Tom Cosgrove 583816caaf Be explicit about constant time bignum functions that must take a 0 or 1 condition value 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-08-18 14:09:18 +01:00
Dave Rodgman 92cd8642fa
Merge pull request #6090 from hanno-arm/fix_bnmul_arm_v7a 
Remove encoding width suffix from Arm bignum assembly
 2022-08-18 08:48:03 +01:00
Jerry Yu e28d9745a1 fix coding style issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-18 15:44:03 +08:00
Jerry Yu 3419107e8d Add checks for ticket and resumption_key fields 
From RFC 8446 and the definition of session, we
should check the length.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-18 11:28:41 +08:00
Dave Rodgman 86c333e79e Add explicit cast to satisfy compiler 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-17 16:57:26 +01:00
Jerry Yu e36fdd676c Change signature of tls13_session_save 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-17 21:50:25 +08:00
Dave Rodgman 392f714153 Fix type used for capturing TLS ticket generation time 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-08-17 12:38:24 +01:00
Dave Rodgman a7448bf19d
Merge pull request #6141 from mpg/driver-hashes-rsa-v21 
Driver hashes rsa v21
 2022-08-16 09:52:39 +01:00
Janos Follath cc93908b88 Bignum: Declare loop variable in loop head 
In the new bignum files (bignum_core.c, bignum_mod_raw.c and
bignum_mod.c) the loop variables are declared in the loop head wherever
this change is beneficial.

There are loops where the loop variable is used after the end of the
loop (this might not be good practice, but that is out of scope for this
commit) and others where there are several loop variables and declaring
them there would hurt readability.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-15 12:08:49 +01:00
Janos Follath 620c58ced9 Bignum: make const placement consistent 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-15 11:58:42 +01:00
Janos Follath ed5c8d3d1e Bignum: make modulus value const 
The modulus value won't change during normal operations, make this clear
in the struct and the function signatures.

This won't prevent the caller from modifying the passed buffer, but
might give a hint and reinforces the message of the documentation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-15 11:50:22 +01:00
Janos Follath 138f51c5c8 Fix alphabetic order in makefiles 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-15 11:38:30 +01:00
Gabor Mezei fd65e82753
Rename structure elements 
Use better names for structure elements and adopting the convention of
the other modules.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 18:09:12 +02:00
Gabor Mezei c414ba3fc0
Simplify code 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 17:59:53 +02:00
Gabor Mezei 5a5c0c5f0a
Move the declaration of variables to their scope of usage 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 15:40:09 +02:00
Gabor Mezei 7f93264ab1
Change struct element order 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 15:37:27 +02:00
Gabor Mezei 89e31460db
Typo 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 15:36:56 +02:00
Dave Rodgman 7b1be55484
Merge pull request #5993 from eliteraspberries/android-soname 
Allow non-versioned library soname.
 2022-08-12 13:49:55 +01:00
Gabor Mezei 5f56df44f0
Remove redundant check 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 14:41:54 +02:00
Gabor Mezei bf9da1dfb1
Do not read if output pointer is NULL 
Skip reading if output pointer is NULL even if the length of the input buffer is 0.
The memory sanitizer will mark this as an error.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-12 14:11:56 +02:00
Mansour Moufid 6a8673092f Allow non-versioned library soname. 
Signed-off-by: Mansour Moufid <mansourmoufid@gmail.com>
 2022-08-12 11:02:01 +01:00
Janos Follath 6318468183 Improve bignum documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-11 17:42:59 +01:00
Janos Follath a30b4e5692 Bignum: remove duplicate documentation from source 
These functions have full documentation in the header. Maintaing two
copies does not worth the effort and having an out of sync reduced
duplicate is not helpful.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-11 17:15:18 +01:00
Janos Follath 2ab2d3e3e9 Inline mpi_core_clear() 
This used to resize MPIs in the legacy interface, which is not
needed/possible as the new interface has fixed size MPIs.

Inlining this function makes the code easier to read and maintain, while
there is no obvious drawback to it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-11 16:16:49 +01:00
Janos Follath 56a10f97ba Bignum: remove unnecessary NULL pointer checks 
A null pointer dereference, or null pointer plus small offset, is a
clean runtime error in most environments. So it's not particularly
useful to protect against this.

While at it make a null pointer check that is actually necessary more
robust.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-11 15:19:00 +01:00
Janos Follath 296ea66442 Bignum: clean up use of enums 
- Made use of enums in struct and function declaration
- All enums are handled by switch case now
- If the switch does nothing on default, omit the default case to make
  compiler warnings more powerful
- The two enums are now disjoint and the value 1 is skipped to make
  mistakes easier to detect

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-11 14:58:29 +01:00
Jerry Yu 5c28e7aa0e remove psk key when ephemeral selected 
ephemeral is selected, `handshake->psk` must be removed.
Otherwise the encrypt key will be caculate fail.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu 56acc9421c Write key_share base on key_exchange mode. 
In ServerHello, write key share should base on key_exchange mode, not
base on configuration.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu f0bad2554a Continue check next psk key when binder mismatch 
with matched identity and mismatch binder, should check next psk key.
Exit with error will break multi-psk cases.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu 32e1370fbc Add config check for pre_shared_key parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu e95c8af266 Align ciphersuite with psk key 
With OpenSSL and GnuTLS client, if the MAC of ciphersuite
does not match selected binder, client will reject connection.
This change is to select ciphersuite base on algo of psk binder.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu ccc68a466e change handshake psk key type for tls13 
PSK key type of TLS1.3 must be HKDF_EXTRACT and the algo is
decided when create binder

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Ronald Cron 295d93ebe8 Add psk handshake with gnutls 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Jerry Yu 40f3771e18 Add handshake psk export function. 
Rename `ssl_tls13_get_psk` and export the
function.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-08-11 21:25:35 +08:00
Przemek Stekiel 71bf28bb34 Fix include file path 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-11 12:50:06 +02:00
Przemek Stekiel f98b57f231 Initialize status/ret to error value 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-11 12:50:06 +02:00
Przemek Stekiel 2aae040615 make ret_from_status() global function and move it to has_info.[ch] 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-11 12:50:06 +02:00
Przemek Stekiel 712bb9c5af Use more suitable function for checking if hash is supported 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-08-11 12:50:06 +02:00
Manuel Pégourié-Gonnard 79b99f47a1 Fix definition of MD_OR_PSA macros 
The code will make the decision based on availability of MD, not of
MD+this_hash. The later would only be possible at runtime (the hash
isn't known until then, that's the whole point of MD), so we'd need to
have both MD-based and PSA-based code paths in a single build, which
would have a very negative impact on code size. So, instead, we choose
based on the presence of MD, which is know at compile time, so we only
have one of the two code paths in each build.

Adjust the macros so that they match the logic of the code using them.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:50:06 +02:00
Manuel Pégourié-Gonnard 077ba8489d PKCS#1 v2.1 now builds with PSA if no MD_C 
Test coverage not there yet, as the entire test_suite_pkcs1_v21 is
skipped so far - dependencies to be adjusted in a future commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard faa3b4e0c3 Get rid of md_info outside helper functions 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard 35c09e4824 Introduce compute_hash() function 
This allows callers not to worry with md_info and makes it easier to
provide a PSA version for when MD_C is not available.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard f701acc088 Extract common code into hash_mprime() 
This will also make it easier to provide a PSA-based version for when MD
is not available.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard f3a6755450 Simplify callers of mgf_mask() 
Some of them no longer need md_ctx, some of those no longer need the
exit dance that was used to free it, or need it on a smaller scope.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Manuel Pégourié-Gonnard 259c213545 Tune API of internal function mgf_mask in RSA 
This is a first step towards making a version of this function that
uses PSA when MD is not available.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-08-11 12:47:02 +02:00
Dave Rodgman 8a9f88899d
Merge pull request #6186 from leorosen/ssl_tls_null_on_invalid_code 
ssl_tls: avoid the appearance of a potential NULL dereferencing
 2022-08-11 10:12:34 +01:00
kXuan 9ac6b28e27
ctr_drbg: remove mbedtls_aes_init call from mbedtls_ctr_drbg_seed 
Since 11e9310 add mbedtls_aes_init call in mbedtls_ctr_drbg_init, it
should not init aes_ctx again in mbedtls_ctr_drbg_seed.

Signed-off-by: kXuan <kxuanobj@gmail.com>
 2022-08-11 16:38:45 +08:00
Janos Follath d0895708e2 Bignum: move internal constants to headers 
Now that the check_names script allows it, we can do so.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-10 13:32:16 +01:00
kXuan 11e9310fd1
ctr_drbg: fix free uninitialized aes context 
Application may enabled AES_ALT and define mbedtls_aes_context by its own.
The initial state of user-defined mbedtls_aes_context may not all byte zero.

In mbedtls_ctr_drbg_init, the code set all byte to zero, including the AES
context nested in the ctr_drbg context.

And in mbedtls_ctr_drbg_free, the code calls mbedtls_aes_free on an AES
context without calling mbedtls_aes_init.

If user-defined AES context requires an non-zero init, the mbedtls_aes_free
call in mbedtls_ctr_drbg_free is illegal.

This patch fix this issue by add mbedtls_aes_init in mbedtls_ctr_drbg_init.

So aes context will always be initialized to correct state.

Signed-off-by: kXuan <kxuanobj@gmail.com>
 2022-08-10 16:43:28 +08:00
Leonid Rozenboim e9d8dcdbf5 ssl_tls: avoid the appearance of a potential NULL dereferencing 
Looking at the bigger picture it is clear that if `ssl->session` is NULL,
there will be a failure much earlier, and that is well protected from,
however, the practice of dereferencing a pointer which has not been
verified in prior for validity goes against secure coding practices.

Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
 2022-08-09 12:34:30 -07:00
Janos Follath c47c0569d4 Remove VALIDATE macros from bignum_core.c 
They are deprecated and are declared to be empty anyway.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-09 13:54:43 +01:00
Janos Follath d1baedb786 Bignum: extract bignum_mod.h functions 
Extract functions declared in bignum_mod.h into a source file with a
matching name.

We are doing this because:

- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
  easier
- Having them in a unified source file is a premature optimisation at
  this point

This makes library/bignum_new.c empty and therefore it is deleted.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-09 13:44:53 +01:00
Janos Follath 0ded631879 Bignum: extract bignum_mod_raw.h functions 
Extract functions declared in bignum_mod_raw.h into a source file with a
matching name.

We are doing this because:

- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
  easier
- Having them in a unified source file is a premature optimisation at
  this point

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-09 13:34:54 +01:00
Janos Follath 3ca0775e59 Bignum: extract bignum_core.h functions 
Extract functions declared in bignum_core.h into a source file with a
matching name.

We are doing this because:

- This is a general best practice/convention
- We hope that this will make resolving merge conflicts in the future
  easier
- Having them in a unified source file is a premature optimisation at
  this point

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-09 11:45:47 +01:00
Dave Rodgman f421d45869
Merge pull request #6139 from AdityaHPatwardhan/fix/build_error_due_to_missing_prototype 
Fix build error due to  missing prototype warning when `MBEDTLS_DEPRECATED_REMOVED` is enabled
 2022-08-09 11:27:42 +01:00
Dave Rodgman 953ce3962f
Merge pull request #5971 from yuhaoth/pr/add-rsa-pss-rsae-for-tls12 
Add rsa pss rsae for tls12
 2022-08-09 10:21:45 +01:00
Janos Follath dae1147596 Improve Bignum documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-08 11:50:02 +01:00
Janos Follath 8ff0729dd7 Fix typos in Bignum documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-08 08:39:52 +01:00
Gabor Mezei 6666914b76 Revert "Move Bignum macros to common header" 
This reverts commit 62c5901f0a5061a8825e19c77f88c91fea235078.

Reverting commit due the macros are meant to be local and not following the
naming convention.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:10:51 +01:00
Gabor Mezei 37b06360b3 Add documentation for new bignum functions 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:10:51 +01:00
Gabor Mezei c0b9304f92 Use value as numerical value instead of bitfield value 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:08:53 +01:00
Gabor Mezei d8f5bc2d3d Free the correct struct element 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:08:53 +01:00
Gabor Mezei 535f36d203 Unify parameter naming 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:08:53 +01:00
Gabor Mezei e66b1d47ed Typo 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 8b718b5a66 Add bounds check to residue input 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 23bdeca64d Add core constant time comparison 
Unfortunately reusing the new function from the signed constant time
comparison is not trivial.

One option would be to do temporary conditional swaps which would prevent
qualifying input to const. Another way would be to add an additional
flag for the sign and make it an integral part of the computation, which
would defeat the purpose of having an unsigned core comparison.

Going with two separate function for now and the signed version can be
retired/compiled out with the legacy API eventually.

The new function in theory could be placed into either
`library/constant_time.c` or `library/bignum_new.c`. Going with the
first as the other functions in the second are not constant time yet and
this distinction seems more valuable for new (as opposed to belonging to
the `_core` functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 5f016650d7 Reuse Bignum core I/O functions 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 91dc67d31c Allow (NULL, 0) as a representation of 0 
- We don't check for NULL pointers this deep in the library
- Accessing a NULL pointer when the limb number is 0 as a mistake is the
  very similar to any other out of bounds access
- We could potentially mandate at least 1 limb representation for 0 but
  we either would need to enforce it or the implementation would be less
  robust.
- Allowing zero limb representation - (NULL, 0) in particular - for zero
  is present in the legacy interface, if we disallow it, the
  compatibility code will need to deal with this (more code size and
  opportunities for mistakes)

In summary, interpreting (NULL, 0) as the number zero in the core
interface is the least of the two evils.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 4670f88991 Reuse Bignum helper functions 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath 4614b9ad1b Move Bignum macros to common header 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:08:52 +01:00
Janos Follath f1d617deb8 Add tests for big endian core I/O 
The test case where there were extra limbs in the MPI failed and this
commit contains the corresponding fix as well. (We used to use the
minimum required limbs instead of the actual limbs present.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:06:31 +01:00
Janos Follath ba5c139e4c Add more validation to modulus life cycle 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:03:56 +01:00
Janos Follath 281ccda8a5 Clean up mpi_mod_init/free 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:03:56 +01:00
Janos Follath 5005edb36c Fix typos 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-08-05 17:03:56 +01:00
Gabor Mezei c5328cf9a6 Add a set of I/O functions for the modulus structure 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:03:56 +01:00
Gabor Mezei b903070cec Add a set of I/O functions 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:03:56 +01:00
Gabor Mezei 0c655572dc Build the new bignum_new.c file 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:03:56 +01:00
Gabor Mezei f049dbfe94 Add the new modulus and the residue structures 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-08-05 17:03:56 +01:00
Gilles Peskine b3edc1576c
Merge pull request #2602 from edsiper/crt-symlink 
x509_crt: handle properly broken links when looking for certificates
 2022-08-03 13:05:29 +02:00
Gilles Peskine 07e7fe516b
Merge pull request #6088 from tuvshinzayaArm/validation_remove_change_curve 
Validation remove and change in files related to curve in library
 2022-08-03 13:05:16 +02:00
Gilles Peskine 7e1ee0f04b
Merge pull request #6114 from mman/development 
Use double quotes to include private header file psa_crypto_cipher.h
 2022-08-03 13:04:57 +02:00
Martin Man 4741e0b56c Use double quotes to include private header file psa_crypto_cipher.h 
Signed-off-by: Martin Man <mman@martinman.net>
Co-authored-by: Tom Cosgrove <81633263+tom-cosgrove-arm@users.noreply.github.com>
 2022-08-02 12:44:35 +02:00
Aditya Patwardhan 3096f331ee Fix missing prototype warning when MBEDTLS_DEPRECATED_REMOVED is 
enabled

Added the changelog.d entry

Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com>
 2022-08-02 11:15:18 +05:30
Dave Rodgman 919ff15ecf
Merge pull request #4686 from Kazuyuki-Kimura/patch_#2020 
Fixed a bug that the little-endian Microblaze does not work when MBEDTLS_HAVE_ASM is defined
 2022-07-29 17:08:11 +01:00
Dave Rodgman 27036c9e28
Merge pull request #6142 from tom-cosgrove-arm/fix-comments-in-docs-and-comments 
Fix a/an typos in doxygen and other comments
 2022-07-29 12:59:05 +01:00
Jerry Yu c3bf748dc7 fix vertical alignment 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-29 10:27:17 +08:00
Jerry Yu 09a99fcf8a Add rsa_pss_rsae_* sig algos for tls12 default 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-28 23:08:00 +08:00
Jerry Yu 379b1ff3a5 remove useless comment 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-28 23:08:00 +08:00
Jerry Yu 95b743ca17 Rename get_pk_type_and_md_alg 
The function is for both tls12 and tls13 now.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-28 23:08:00 +08:00
Jerry Yu 693a47ab1d add rsa_pss_rsae_* support in tls12 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-28 23:08:00 +08:00
Tuvshinzaya Erdenekhuu 86669de348 Broke 2 long lines 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-28 10:31:16 +01:00
Dave Rodgman aba26d0099
Merge pull request #5963 from tom-daubney-arm/remove_ssl_compression_new 
Remove use of SSL session compression
 2022-07-28 10:28:23 +01:00
Manuel Pégourié-Gonnard f6b8c3297a
Merge pull request #6065 from mpg/explore2 
Driver-only hashes: RSA 1.5 and PK + strategy doc
 2022-07-28 10:43:38 +02:00
Tom Cosgrove ce7f18c00b Fix a/an typos in doxygen and other comments 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-07-28 05:50:56 +01:00
Manuel Pégourié-Gonnard 68429fc44d Fix a few more typos 
Update link while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-27 20:44:02 +02:00
Tuvshinzaya Erdenekhuu 22f3654324 Remove NULL pointer validation in ecp.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 15:21:48 +01:00
Tuvshinzaya Erdenekhuu a891f83803 Re-introduce ENUM validation in ecjpake.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 15:20:08 +01:00
Tuvshinzaya Erdenekhuu 2b1ecdaf4e Remove NULL pointer validation in ecjpake.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 15:20:08 +01:00
Tuvshinzaya Erdenekhuu f69cac784a Reintroduce enum validation ecdh.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 14:43:38 +01:00
Tuvshinzaya Erdenekhuu 7857caadcd Remove NULL pointer validation in ecdh.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 14:40:47 +01:00
Tuvshinzaya Erdenekhuu 375950f119 Remove NULL pointer validations in ecdsa.c 
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
 2022-07-27 14:28:20 +01:00
Thomas Daubney 31e03a8e15 Replace hard-coded zeroes for constant 
Replace two occurances of hard-coded zero for
MBEDTLS_SSL_COMPRESS_NULL in TLS 1.3 code.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2022-07-26 16:13:23 +01:00
Thomas Daubney 54e38ea9cd Remove remaining references to compression in docs 
Some references to compression exist in the docs.
This commit removes those instances.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2022-07-26 16:13:23 +01:00
Thomas Daubney 20f89a9605 Remove uses of SSL compression 
Remove or modify current uses of session compression.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2022-07-26 16:13:03 +01:00
Manuel Pégourié-Gonnard de9ffe37ab Fix typos in hash_info.[ch] 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-26 10:20:52 +02:00
Ronald Cron e579ece305
Merge pull request #6087 from yuhaoth/pr/add-tls13-serialize_session_save_load 
TLS 1.3: Add serialize session save load
I can see that https://github.com/Mbed-TLS/mbedtls/pull/6087#discussion_r927935696 and https://github.com/Mbed-TLS/mbedtls/pull/6087#discussion_r924252403 are addressed in  #6123. Thus I am ok to merge it as it is.
 2022-07-23 08:57:11 +02:00
Ronald Cron 340c559cb3
Merge pull request #6079 from yuhaoth/pr/add-tls13-parse-pre_shared_key_offered_psks 
TLS 1.3: PSK: Add parser/writer of pre_shared_key extension on server side.
 2022-07-23 08:50:45 +02:00
Jerry Yu 13ab81d5ac Add handshake failure in pre_shared_key withou psk_kex_modes 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 23:17:11 +08:00
Jerry Yu bc7c1a4260 fix typo/format/name issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 23:09:40 +08:00
Jerry Yu 438ddd835b Add tls13 session save/load 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 23:08:43 +08:00
Jerry Yu a66fecebe7 Add endpoint/ticket_flag field for session 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 23:08:43 +08:00
Jerry Yu 6f1db3fc92 fix format and potential non-PSK fail issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 23:05:59 +08:00
Jerry Yu ce6ed7076a Change the order of key_exchange determine 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 21:49:53 +08:00
Jerry Yu ba9b6e9e53 fix unkown identity case 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 21:45:05 +08:00
Jerry Yu 568ec2502a fix format/name issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 21:27:34 +08:00
Jerry Yu 2f0abc94d8 fix typo/type/format issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-22 19:34:48 +08:00
Ronald Cron 4beb870fa8
Merge pull request #6064 from xkqian/tls13_add_psk 
Add psk code to tls13 client side
 2022-07-22 11:35:05 +02:00
Dave Rodgman a948f0588c
Merge pull request #1986 from jacmet/bn_mul-fix-x86-pic-compilation-for-gcc-4 
bn_mul.h: fix x86 PIC inline ASM compilation with GCC < 5
 2022-07-21 17:34:48 +01:00
Jerry Yu 77f0148e11 Add psk/psk_ephemeral key exchange check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 23:27:22 +08:00
Ronald Cron 32578b3bd0
Merge pull request #6069 from yuhaoth/pr/add-tls13-write-new-session-ticket 
TLS 1.3:add tls13 write new session ticket
Validated by the internal CI and Travis.
 2022-07-21 16:17:35 +02:00
XiaokangQian bee71453b2 Improve the buffer pointer check in write pre_shared key 
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian 3ad67bf4e3 Rename functions and add test messages 
Change-Id: Iab51b031ae82d7b2d384de708858be64be75f9ed
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian 7c12d31813 Refine comments for psk related code 
Change-Id: Iff5c176bb902919abc8d4fb78a185aa68704a791
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian 8698195566 Address comments of various issues 
Improve comments
Change coding style
Rename functions

Change-Id: Ia111aef303932cfeee693431c3d48f90342b32e5
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian adab9a6440 Fix transcript issues and add cases against openssl 
Change-Id: I496674bdb79f074368f11beaa604ce17a3062bc3
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian 008d2bf80b Address comments in psk client review 
Improve comments
Refine cipher suite related code in psk
Refine get_psk_offered()

Change-Id: Ic3b0b5f86eb1e71f11bb499961aa8494284f1840
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
XiaokangQian eb69aee6af Add psk code to tls13 client side 
Change-Id: I222b2c9d393889448e5e6ad06638536b54edb703
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-07-21 15:30:04 +02:00
Manuel Pégourié-Gonnard 73692b7537 Rework macros expressing dependencies 
Fix usage with sed:

s/MBEDTLS_OR_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_LOWLEVEL_OR_PSA/
s/MBEDTLS_USE_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_MD_OR_PSA_BASED_ON_USE_PSA/

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-21 12:11:53 +02:00
Jerry Yu 96a2e368dc TLS 1.3: Add pre-shared-key multiple psk parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 18:00:13 +08:00
Jerry Yu 6119715e05 Change type cast to size_t 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:28:02 +08:00
Jerry Yu 1c9247cff4 TLS 1.3: Add pre_share_key last ext check 
From RFC, pre_share_key must be the last one.
Add check for it. And with/without psk, it should
be check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 352cd7db59 fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu daf375aa8b fix issues of check_binder_match 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu bb852029f4 fix naming issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 6e74a7e3c7 Add check return flags 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 997549353e fix various code format issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 032b15ce5e Add write selected_identity 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 1c105560b4 add offered psks parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Jerry Yu 6dcd18d55b export hdr checksum function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 16:19:50 +08:00
Ronald Cron bc817bac76 TLS 1.3: Limit scope of tls13_kex_modes handshake field 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-21 09:43:53 +02:00
Jerry Yu fca4d579a4 fix various issues 
- unnecessary comments
- format issue
- improve readability

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-21 10:37:48 +08:00
Ronald Cron 799077177b TLS 1.3: Use selected key exchange mode field 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-20 17:49:58 +02:00
Ronald Cron 853854958f TLS 1.3: Add selected key exchange mode field 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-20 17:49:22 +02:00
Ronald Cron 7f9ccfeccc TLS 1.3: Remove unnecessary key exchange mode check 
If there is a PSK involved in the key exchange
and thus no certificate we do not go through the
MBEDTLS_SSL_CERTIFICATE_REQUEST state thus there
is no reason to check that in the coordination
function of that state.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-20 17:47:23 +02:00
Ronald Cron 2d8b7ac898 TLS 1.3: Fix selected key exchange mode check 
ECDHE operations have to be done in
ephemeral and PSK-ephemeral key exchange
mode, not just ephemeral key exhange mode.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-20 17:46:58 +02:00
Dave Rodgman fa40b02da3 Remove use of lstat 
lstat is not available on some platforms (e.g. Ubuntu 16.04). In this
particular case stat is sufficient.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-07-20 16:10:33 +01:00
Jerry Yu 6cb4fcd1a5 Remove key exchange mode check. 
This change does not meet RFC requirements.
It should be revert after key exchange mode issue
fixed

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 22:41:00 +08:00
Jerry Yu e67bef4aba Add tls13 write new session ticket 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 22:41:00 +08:00
Jerry Yu 251a12e942 Add dummy session save 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 22:40:59 +08:00
Dave Rodgman 7085aa42ee
Merge pull request #5896 from wernerlewis/aes_shallow_copy 
Refactor AES context to be shallow-copyable
 2022-07-20 15:16:37 +01:00
Dave Rodgman 103f8b6506 Spelling and grammar improvements 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-07-20 14:37:08 +01:00
Dave Rodgman 935154ef04 Don't increase failure count for dangling symlinks 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-07-20 14:37:07 +01:00
Eduardo Silva e1bfffc4f6 x509_crt: handle properly broken links when looking for certificates 
On non-windows environments, when loading certificates from a given
path through mbedtls_x509_crt_parse_path() function, if a symbolic
link is found and is broken (meaning the target file don't exists),
the function is returning MBEDTLS_ERR_X509_FILE_IO_ERROR which is
not honoring the default behavior of just skip the bad certificate file
and increase the counter of wrong files.

The problem have been raised many times in our open source project
called Fluent Bit which depends on MbedTLS:

https://github.com/fluent/fluent-bit/issues/843#issuecomment-486388209

The expected behavior is that if a simple certificate cannot be processed,
it should just be skipped.

This patch implements a workaround with lstat(2) and stat(2) to determinate
first if the entry found in the directory is a symbolic link or not, if is
a simbolic link, do a proper stat(2) for the target file, otherwise process
normally. Upon find a broken symbolic link it will increase the counter of
not processed certificates.

Signed-off-by: Eduardo Silva <eduardo@treaure-data.com>
 2022-07-20 14:36:12 +01:00
Jerry Yu 3afdf36de7 Add hash length check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 18:12:08 +08:00
Jerry Yu 0a430c8aaf Rename resumption_key and the hardcode len 
`resumption_key` is better name.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu b14413804a Remove ticket_flags 
It should be added later.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu 08aed4def9 fix comments and time_t type issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu a0446a0344 Add check_return flag 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu 4e6c42a533 fix various issues 
- wrong typo
- unnecessary comments/debug code
- wrong location

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu cb3b1396f3 move resume psk ticket computation to end 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu af2c0c8dd6 fix various comment/format issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu a357cf4d4c Rename new_session_ticket state 
Both client and server side use
`MBEDTLS_SSL_NEW_SESSION_TICKET` now

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu f8a4994ec7 Add tls13 new session ticket parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu c62ae5f539 Add new session ticket message check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Jerry Yu a270f67340 Add tls13 session fields 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-20 11:07:29 +08:00
Manuel Pégourié-Gonnard d82a9edc63 Rm now-duplicate helper function 
Again, the guards are slightly different, let's see in the CI if this
causes any trouble.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-18 21:28:38 +02:00
Manuel Pégourié-Gonnard 130fa4d376 Rm local helper now that a global one is available 
There is a small difference: the global function only works for hashes
that are included in the build, while the old one worked for all hashes
regardless of whether they were enabled or not.

We'll see in the CI is this causes any issues.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-18 21:28:38 +02:00
Manuel Pégourié-Gonnard abac037a7b Migrate from old inline to new actual function. 
This is mostly:

    sed -i 's/mbedtls_psa_translate_md/mbedtls_hash_info_psa_from_md/' \
    library/*.c tests/suites/*.function

This should be good for code size as the old inline function was used
from 10 translation units inside the library, so we have 10 copies at
least.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-18 21:28:38 +02:00
Manuel Pégourié-Gonnard 4772884133 New internal module for managing hash information 
Using static inline functions is bad for code size; the function from
md_internal.h was already used from 3 different C files, so already was
copied at least 3 times in the library, and this would only get worse
over time.

Use actual functions, and also share the actual data between them.

Provide a consistent set of operations. Conversion to/from
human-readable string was omitted for now but could be added later if
needed.

In the future, this can be used to replace other similar (inline)
functions that are currently scattered, including (but perhaps not
limited to):
- mbedtls_psa_translate_md() from psa_util.h
- mbedtls_md_info_from_psa() (indirectly) from psa_crypto_hash.h
- get_md_alg_from_psa() from psa_crypto_rsa.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-18 21:28:38 +02:00
Peter Korsgaard c0546e351f bn_mul.h: fix x86 PIC inline ASM compilation with GCC < 5 
Fixes #1910

With ebx added to the MULADDC_STOP clobber list to fix #1550, the inline
assembly fails to build with GCC < 5 in PIC mode with the following error:

include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’

This is because older GCC versions treated the x86 ebx register (which is
used for the GOT) as a fixed reserved register when building as PIC.

This is fixed by an improved register allocator in GCC 5+.  From the release
notes:

Register allocation improvements: Reuse of the PIC hard register, instead of
using a fixed register, was implemented on x86/x86-64 targets.  This
improves generated PIC code performance as more hard registers can be used.

https://www.gnu.org/software/gcc/gcc-5/changes.html

As a workaround, detect this situation and disable the inline assembly,
similar to the MULADDC_CANNOT_USE_R7 logic.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 2022-07-18 17:31:13 +01:00
Manuel Pégourié-Gonnard 1c402a4217 Remove macro that's no longer used 
It was only used in test_suite_pk which was fixed to no longer compute
hashes in a temporary buffer.

Also, it's not entirely clear is this macro was really a good idea:
perhaps it's better for each user to have an explicit #if
defined(MBEDTSL_USE_PSA_CRYPTO) and use either MBEDTLS_MD_MAX_SIZE or
PSA_HASH_MAX_SIZE in each branch of that #if.

So, removing it for the time being.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-18 12:49:19 +02:00
Ronald Cron d5b1eb51db
Merge pull request #6078 from yuhaoth/pr/add-tls13-paser-psk-kex-mode-ext 
TLS 1.3: PSK: Add parser of psk kex mode ext on server side
 2022-07-18 11:34:24 +02:00
Hanno Becker 907a367b50 Remove explicit width suffixes from Arm bignum assembly 
Within the M-profile of the Arm architecture, some instructions
admit both a 16-bit and a 32-bit encoding. For those instructions,
some assemblers support the use of the .n (narrow) and .w (wide)
suffixes to force a choice of instruction encoding width.
Forcing the size of encodings may be useful to ensure alignment
of code, which can have a significant performance impact on some
microarchitectures.

It is for this reason that a previous commit introduced explicit
.w suffixes into what was believed to be M-profile only assembly
in library/bn_mul.h.

This change, however, introduced two issues:
- First, the assembly block in question is used also for Armv7-A
  systems, on which the .n/.w distinction is not meaningful
  (all instructions are 32-bit).
- Second, compiler support for .n/.w suffixes appears patchy,
  leading to compilation failures even when building for M-profile
  targets.

This commit removes the .w annotations in order to restore working
code, deferring controlled re-introduction for the sake of performance.

Fixes #6089.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
 2022-07-15 12:00:58 +01:00
Manuel Pégourié-Gonnard f88b1b5375 Introduce MBEDTLS_OR_PSA_WANT_xxx helper macros 
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-15 12:08:14 +02:00
Jerry Yu 854dd9e23f fix comment issue 
Co-authored-by: Xiaokang Qian <53458466+xkqian@users.noreply.github.com>
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-15 14:38:38 +08:00
Jerry Yu 299e31f10e fix various issue 
- remove unused test case
- add alert message
- improve readabitlity

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-13 23:06:36 +08:00
Paul Elliott af4b90db3f Revert "Add missing library/psa_crypto_driver_wrappers.c" 
This reverts commit c2a9387110

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-12 11:30:17 +01:00
Paul Elliott 81c69b547a Revert "Revert "Revert "Add generated files for 3.2.0 release""" 
This reverts commit 185d24ba0e.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-12 11:29:34 +01:00
Jerry Yu e19e3b9eb8 Add psk_key_exchange_modes parser 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-12 09:53:35 +00:00
Paul Elliott cd08ba0326 Bump version to 3.2.1 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-12 10:51:55 +01:00
Dave Rodgman c2a9387110 Add missing library/psa_crypto_driver_wrappers.c 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-07-12 10:51:55 +01:00
Dave Rodgman 185d24ba0e Revert "Revert "Add generated files for 3.2.0 release"" 
This reverts commit 7adb8cbc0e.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-12 10:51:44 +01:00
Manuel Pégourié-Gonnard 043c8c5de8 Add USE_PSA version of PK test functions 
While at it, also fix buffer size for functions that already depend on
USE_PSA: it should be PSA_HASH_MAX_SIZE for functions that always use
PSA, and the new macro MBEDTLS_USE_PSA_MD_MAX_SIZE for functions that
use it or not depending on USE_PSA.

The only case where MBEDTLS_MD_MAX_SIZE is OK is when the function
always uses MD - currently this is the case with
pk_sign_verify_restart() as it is incompatible with USE_PSA anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard 5508673832 Add helper macros for dependencies based on USE_PSA 
For now in an internal header as it's the safest option and that way we
can change whenever we want.

Later on if we think the macros can be useful to applications as well then we
can move them to a public location.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard 3f4778995e Rm dependency on MD in psa_crypto_rsa.c 
The previous commit made the PKCS#1v1.5 part of rsa.c independent from
md.c, but there was still a dependency in the corresponding part in PSA.
This commit removes it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard fe2b9b5397 Make mbedtls_oid_get_md_alg() always available 
This is a step towards building with RSA PKCS#1v1.5 without MD.

Also loosen guards around oid data: the OID definitions clearly don't
depend on our software implementation.

We could simply have no dependency as this is just data. But for the
sake of code size, let's have some guards so that people who don't use
MD5, SHA1 or RIPEMD160 don't have to pay the price for them.

Note: this is used for RSA (PKCS#v1.5) signatures among other things, an
area that is not influenced by USE_PSA, so the guards should not depend
on it either.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard f493f2ad1d Use md_internal_get_size() in rsa.c 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard 3356b89b64 Add missing guard around call to MD 
PKCS#1 v1.5 mostly does not need hash operations. This is a first step
towards allowing builds with PKCS#1 v1.5 only (no v2.1) without MD.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard a370e06e30 Avoid dependency of PK on MD 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard d8a298e1fc Add internal MD size getter 
Modules / tests that only need to get the size of a hash from its type,
without actually computing a hash, need not depend on MD_C.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-12 11:11:18 +02:00
Paul Elliott 7adb8cbc0e Revert "Add generated files for 3.2.0 release" 
This reverts commit cb21f2eab3.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-11 18:18:30 +01:00
Paul Elliott cb21f2eab3 Add generated files for 3.2.0 release 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-11 13:56:01 +01:00
Paul Elliott 20362cd1ca Bump library and so versions for 3.2.0 release 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-11 13:56:01 +01:00
Paul Elliott f518f81d41 Ensure return for mbedtls_ssl_write_alpn_ext() is checked 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-11 12:37:47 +01:00
Ronald Cron ce7d76e2ee Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr 2022-07-11 10:22:37 +02:00
Paul Elliott 6e80e09bd1
Merge pull request #5915 from AndrzejKurek/cid-resumption-clash 
Fix DTLS 1.2 session resumption
 2022-07-06 15:03:36 +01:00
Andrzej Kurek 21b50808cd Clarify the need for calling mbedtls_ssl_derive_keys after extension parsing 
Use a more straightforward condition to note that session resumption
is happening.
Co-authored-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-07-06 03:26:55 -04:00
Werner Lewis c1999d5746 Add fallback when rk unaligned with padlock 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-07-05 11:55:15 +01:00
Andrzej Kurek 92d7417d89 Formatting fixes 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-07-04 10:21:59 -04:00
Paul Elliott 072d2b094d Add pem_free() to other error paths in pk_parse_public_key() 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-04 06:49:26 -04:00
Leonid Rozenboim 116f50cd96 Fix resource leaks 
These potential leaks were flagged by the Coverity static analyzer.

Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
 2022-07-04 06:49:26 -04:00
Manuel Pégourié-Gonnard 4d7af2aee0
Merge pull request #5835 from superna9999/5831-tls-1-2-ciphersuite-selection 
Permissions 2a: TLS 1.2 ciphersuite selection
 2022-07-04 12:37:02 +02:00
Paul Elliott 41aa808a56
Merge pull request #952 from gilles-peskine-arm/stdio_buffering-setbuf 
Turn off stdio buffering with setbuf()
 2022-07-04 10:12:22 +01:00
Ronald Cron 0e39ece23f
Merge pull request #5916 from yuhaoth/pr/tls13-refactor-get-sig-alg-from-pk 
Refactor signature algorithm chooser
 2022-07-04 09:10:08 +02:00
Paul Elliott bae7a1a5a6
Merge pull request #5620 from gstrauss/dn_hints 
Add accessors to config DN hints for cert request
 2022-07-01 17:23:14 +01:00
Paul Elliott c466ec2e73 Fix code formatting 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-01 16:43:25 +01:00
Neil Armstrong 971f30d917 Fix mbedtls_ssl_get_ciphersuite_sig_alg() by returning MBEDTLS_PK_NONE for MBEDTLS_KEY_EXCHANGE_RSA 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 16:23:50 +02:00
Manuel Pégourié-Gonnard 8b8a1610f7
Merge pull request #936 from paul-elliott-arm/fix_tls_record_size_check 
Fix the wrong variable being used for TLS record size checks
 2022-07-01 12:29:48 +02:00
Jerry Yu 52b7d923fe fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-01 18:12:44 +08:00
Neil Armstrong 96eceb8022 Refine mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg() when USE_PSA_CRYPTO is selected 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 18:05:05 +02:00
Gilles Peskine da0913ba6b Call setbuf when reading or writing files: library 
After opening a file containing sensitive data, call mbedtls_setbuf() to
disable buffering. This way, we don't expose sensitive data to a memory
disclosure vulnerability in a buffer outside our control.

This commit adds a call to mbedtls_setbuf() after each call to fopen(),
except:
* In ctr_drbg.c, in load_file(), because this is only used for DH parameters
  and they are not confidential data.
* In psa_its_file.c, in psa_its_remove(), because the file is only opened
  to check its existence, we don't read data from it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:03:40 +02:00
Gilles Peskine 6497b5a1d1 Add setbuf platform function 
Add a platform function mbedtls_setbuf(), defaulting to setbuf().

The intent is to allow disabling stdio buffering when reading or writing
files with sensitive data, because this exposes the sensitive data to a
subsequent memory disclosure vulnerability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:01:40 +02:00
Ronald Cron cb67e1a890
Merge pull request #5917 from gilles-peskine-arm/asn1write-0-fix 
Improve ASN.1 write tests
 2022-06-30 15:42:16 +02:00
Paul Elliott f6a56cf5ff
Merge pull request #939 from ronald-cron-arm/tls13-add-missing-overread-check 
TLS 1.3: Add missing overread check
 2022-06-29 17:01:14 +01:00
Werner Lewis 7656a373b6 Reformat AES changes for readability 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-06-29 16:17:50 +01:00
Werner Lewis dd76ef359d Refactor AES context to be shallow-copyable 
Replace RK pointer in AES context with a buffer offset, to allow
shallow copying. Fixes #2147.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-06-29 16:17:50 +01:00
Dave Rodgman 5b50f38f92
Merge pull request #934 from gilles-peskine-arm/mpi-0-mod-2 
Fix null pointer dereference in mpi_mod_int(0, 2)
 2022-06-29 15:02:59 +01:00
Jerry Yu 2fe6c638e2 remove supported check from parse sig algs 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:20:17 +08:00
Jerry Yu 959e5e030b fix format issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:20:17 +08:00
Jerry Yu 660cb4209c Remove pkcs1 from key cert and sig alg map 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:20:17 +08:00
Jerry Yu 71b18844ff fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:19:49 +08:00
Jerry Yu 9d3e2fa372 Add negative tests 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:19:06 +08:00
Manuel Pégourié-Gonnard 2f244c43b4
Merge pull request #5980 from mprse/md_dep_fix 
Remove MD dependencies from mbedtls_x509_sig_alg_gets(), ssl_tls13_parse_certificate_verify()
 2022-06-29 10:18:41 +02:00
Jerry Yu c2e0493e6e Add rsa_pkcs1 for cert sig match 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:18:31 +08:00
Jerry Yu cc5391048e fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:18:30 +08:00
Jerry Yu ee28e7a21d add tests for select sig alg 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:17:06 +08:00
Jerry Yu aebaaaf527 add debug messages 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:09 +08:00
Jerry Yu 430db6b6ff Remove hack fix for server hybrid issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:09 +08:00
Jerry Yu a1255e6b8c fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:09 +08:00
Jerry Yu 9bb3ee436b Revert rsa_pss_rsae_* support for tls12 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:08 +08:00
Jerry Yu 53f5c15155 Add debug message 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:08 +08:00
Jerry Yu 80dd5db808 Remove pkcs1 from certificate verify. 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:08 +08:00
Jerry Yu d4a71a57a8 Add tls12 algorithms in hybrid mode client hello 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:08 +08:00
Jerry Yu 5ef71f2723 remove rsa_pkcs1_* from tls13 support list 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:08 +08:00
Jerry Yu f085678879 remove unnecessary check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu 6272c4d4aa Revert unnecessary space change 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu 96ee23eb88 fix tls12 openssl/gnutls server fail 
To test version negotiation with tls12 OpenSSL/GnuTLS server, If
`rsa_pss_rsae_*` were sent to server before `rsa_pkcs_*`, server
will return `rsa_pss_rsae_*` as key exchange sig alg. OpenSSL/GnuTLS
can work with this case. mbedTLS will fail due to `rsa_pss_rsae_*`
unsupported.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu ba5e379697 Revert order of default sig_algs 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu 3f71ca0941 Remove rsa_pss_rsae_* from tls12 sig_algs 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu 0c6be8f863 move big function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:07 +08:00
Jerry Yu 3896ac6e5b fix ordered sig algs fail for openssl 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:06 +08:00
Jerry Yu f3b46b5082 Add debug message 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:16:05 +08:00
Jerry Yu d099cf0325 fix unused variable issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:47 +08:00
Jerry Yu f55886a217 fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:46 +08:00
Jerry Yu 6babfee178 remove out of scope codes 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:46 +08:00
Jerry Yu fb526693c1 Rename sig_alg cert_key check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:45 +08:00
Jerry Yu f0cda410a4 remove default sig_hashes 
And add pss_rsae_* sig_algs to fix
`Handshake TLS 1.3` test fails, which
is part of `test_suite_ssl`

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:45 +08:00
Jerry Yu 7ab7f2b184 Remove pkcs1 from certificate_verify 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:44 +08:00
Jerry Yu 08524c55f9 remove pkcs1_* support 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:44 +08:00
Jerry Yu 0ebce95785 create tls12/tls13 sig alg support check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:43 +08:00
Jerry Yu f249ef7821 refactor get sig algo from pk 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-06-29 16:13:40 +08:00
Ronald Cron 7898fd456a
Merge pull request #5970 from gabor-mezei-arm/5229_Send_dummy_change_cipher_spec_records_from_server 
TLS 1.3 server: Send dummy change_cipher_spec records

The internal CI PR-merge job ran successfully thus good to go.
 2022-06-29 09:47:49 +02:00
Glenn Strauss bd10c4e2af Test accessors to config DN hints for cert request 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-06-29 02:54:28 -04:00
Gilles Peskine d86abf2392
Merge pull request #5861 from wernerlewis/csr_subject_comma 
Fix output of commas and other special characters in X509 DN values
 2022-06-28 21:00:49 +02:00
Glenn Strauss 999ef70b27 Add accessors to config DN hints for cert request 
mbedtls_ssl_conf_dn_hints()
mbedtls_ssl_set_hs_dn_hints()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-06-28 12:43:59 -04:00
Neil Armstrong 9f1176a793 Move preferred_hash_for_sig_alg() check after ssl_pick_cert() and check if hash alg is supported with mbedtls_pk_can_do_ext() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-28 18:12:17 +02:00
Neil Armstrong 9f4606e6d2 Rename mbedtls_ssl_get_ciphersuite_sig_pk_ext_XXX in mbedtls_ssl_get_ciphersuite_sig_pk_ext_XXX() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-28 18:12:17 +02:00
Neil Armstrong 0c9c10a401 Introduce mbedtls_ssl_get_ciphersuite_sig_pk_ext_alg() and use it in ssl_pick_cert() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-28 18:10:48 +02:00
Gabor Mezei f7044eaec8
Fix name 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 16:01:49 +02:00
Ronald Cron e99ec7cb6a
Merge pull request #5908 from ronald-cron-arm/tls13-fixes-doc 
TLS 1.3: Fixes and add documentation
Validated by the internal CI, no need to wait for the Open CI.
 2022-06-28 12:16:17 +02:00
Gabor Mezei 96ae926572
Typo 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 11:56:26 +02:00
Gabor Mezei 5471912269
Move switching to handshake transform after sending CCS record 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 11:56:26 +02:00
Gabor Mezei 05ebf3be74
Revert "Do not encrypt CCS records" 
This reverts commit 96ec831385.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 11:55:35 +02:00
Przemek Stekiel 4dc874453e ssl_tls13_parse_certificate_verify(): optimize the code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-28 11:05:42 +02:00
Manuel Pégourié-Gonnard 273453f126
Merge pull request #5983 from gstrauss/inline-mbedtls_x509_dn_get_next 
Inline mbedtls_x509_dn_get_next() in x509.h
 2022-06-28 10:13:58 +02:00
Ronald Cron 11b5332ffc tls13: Fix certificate extension size write 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:21:13 +02:00
Ronald Cron 81a334fc02 tls13: Fix buffer overread checks in ssl_tls13_parse_alpn_ext() 
Some coding style alignement as well.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:21:13 +02:00
Ronald Cron 7b8404608a tls13: Rename ssl_tls13_write_hello_retry_request_coordinate 
Rename ssl_tls13_write_hello_retry_request_coordinate to
ssl_tls13_prepare_hello_retry_request as it is more
aligned with what the function does.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:21:13 +02:00
Ronald Cron fb508b8f21 tls13: Move state changes up to state main handler 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:21:13 +02:00
Ronald Cron 63dc463ed6 tls13: Simplify switch to the inbound handshake keys on server side 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:21:13 +02:00
Ronald Cron 5afb904022 tls13: Move out of place handshake field reset 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron 828aff6ead tls13: Rename server_hello_coordinate to preprocess_server_hello 
Rename server_hello_coordinate to preprocess_server_hello
as it is more aligned with what the function does.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron db5dfa1f1c tls13: Move ServerHello fetch to the ServerHello top handler 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron 9d6a545714 tls13: Re-organize EncryptedExtensions message parsing code 
Align the organization of the EncryptedExtensions
message parsing code with the organization of the
other message parsing codes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron 154d1b68d6 tls13: Fix wrong usage of MBEDTLS_SSL_CHK_BUF(_READ)_PTR macros 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron c80835943c tls13: Fix pointer calculation before space check 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron 2827106199 tls13: Add missing buffer overread check 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-28 09:18:42 +02:00
Ronald Cron b94854f8e3
Merge pull request #5973 from ronald-cron-arm/tls13-misc-tests 
TLS 1.3: Enable and add tests
 2022-06-28 09:15:17 +02:00
Glenn Strauss 01d2f52a32 Inline mbedtls_x509_dn_get_next() in x509.h 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-06-27 14:20:07 -04:00
Dave Rodgman f5b7082f6e
Merge pull request #5811 from polhenarejos/bug_x448 
Fix order value for curve x448
 2022-06-27 13:47:24 +01:00
Werner Lewis 9b0e940135 Fix case where final special char exceeds buffer 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-06-27 12:01:22 +01:00
Przemek Stekiel 9e30fc94f3 Remove redundant spaces 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-27 12:48:35 +02:00
Werner Lewis b33dacdb50 Fix parsing of special chars in X509 DN values 
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-06-27 11:19:50 +01:00
Przemek Stekiel 6a5e01858f ssl_tls13_parse_certificate_verify(): remove md dependency 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-27 11:53:13 +02:00
Przemek Stekiel 6230d0d398 mbedtls_x509_sig_alg_gets(): remove md dependency 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-27 11:19:04 +02:00
Ronald Cron cf600bc07c Comment fixes 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-27 09:28:49 +02:00
Ronald Cron 2b1a43c101 tls13: Add missing overread check in Certificate msg parsing. 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-27 09:28:49 +02:00
Ronald Cron ad8c17b9c6 tls: Add overread/overwrite check failure tracking 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-27 09:28:49 +02:00
Ronald Cron e3dac4aaa1 tls13: Add Certificate msg parsing tests with invalid vector lengths 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-27 09:28:42 +02:00
Ronald Cron 07040bb179
Merge pull request #5951 from xkqian/tls13_add_alpn 
Add ALPN extension to the server side
 2022-06-27 08:33:03 +02:00
Ronald Cron 9738a8d0fd
Merge pull request #943 from ronald-cron-arm/tls13-fix-key-usage-checks 
TLS 1.3: Fix certificate key usage checks
 2022-06-27 08:32:17 +02:00
Paul Elliott 668b31f210 Fix the wrong variable being used for TLS record size checks 
Fix an issue whereby a variable was used to check the size of incoming
TLS records against the configured maximum prior to it being set to the
right value.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-06-24 20:09:37 +01:00
Ronald Cron 1938588e80 tls13: Align some debug messages with TLS 1.2 ones 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-24 12:06:46 +02:00
XiaokangQian 0b776e282a Change some comments for alpn 
Change-Id: Idf066e94cede9d26aa41d632c3a81dafcee38587
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-24 09:04:59 +00:00
Manuel Pégourié-Gonnard 93a7f7d7f8
Merge pull request #5954 from wernerlewis/x509_next_merged 
Add mbedtls_x509_dn_get_next function
 2022-06-24 09:59:22 +02:00
XiaokangQian 95d5f549f1 Fix coding styles 
Change-Id: I0ac8ddab13767b0188112dfbbdb2264d36ed230a
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-24 05:42:15 +00:00
Przemek Stekiel 1b0ebdf363 Zeroize hkdf_label buffer 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-23 09:22:49 +02:00
Przemek Stekiel 38ab400dc4 Adapt code to be consistent with the existing code 
- init status to error
- use simple assignment to status
- fix code style (spaces)

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-23 09:05:40 +02:00
XiaokangQian c740345c5b Adress review comments 
Change Code styles
Add test cases

Change-Id: I022bfc66fe509fe767319c4fe5f2541ee05e96fd
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-23 03:24:12 +00:00
Gabor Mezei 96ec831385
Do not encrypt CCS records 
According to the TLS 1.3 standard the CCS records must be unencrypted.

When a record is not encrypted the counter, used in the dynamic IV
creation, is not incremented.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-22 17:07:21 +02:00
Gabor Mezei 7b39bf178e
Send dummy change_cipher_spec records from TLS 1.3 server 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-22 17:07:21 +02:00
XiaokangQian acb3992251 Add ALPN extension to the server side 
CustomizedGitHooks: yes
Change-Id: I6fe1516963e7b5727710872ee91fea7fc51d2776
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-22 06:34:58 +00:00
Przemek Stekiel d5ae365b97 Use PSA HKDF-Extrat/Expand algs instead mbedtls_psa_hkdf_extract(), mbedtls_psa_hkdf_xpand() 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-21 07:22:33 +02:00
Przemek Stekiel 88e7101d03 Remove mbedtls_psa_hkdf_extract(), mbedtls_psa_hkdf_expand() 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-21 07:22:33 +02:00
Manuel Pégourié-Gonnard a82a8b9f4b Mark internal int SSL functions CHECK_RETURN_CRITICAL 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-06-20 21:12:55 +02:00
Manuel Pégourié-Gonnard a3115dc0e6 Mark static int SSL functions CHECK_RETURN_CRITICAL 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-06-20 21:12:52 +02:00
Manuel Pégourié-Gonnard 66b0d61718 Add comments when can_do() is safe to use 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-06-20 21:12:29 +02:00
Manuel Pégourié-Gonnard b64fb62ead Fix unchecked return value from internal function 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-06-20 21:12:29 +02:00
Gilles Peskine e0469b5908
Merge pull request #931 from AndrzejKurek/clihlo_cookie_pxy_fix 
Add a client hello cookie_len overflow test
 2022-06-20 19:35:54 +02:00
Gilles Peskine 36aeb7f163
Merge pull request #5834 from mprse/HKDF_1 
HKDF 1: PSA: implement HKDF_Expand and HKDF_Extract algorithms
 2022-06-20 15:27:46 +02:00
Werner Lewis b3acb053fb Add mbedtls_x509_dn_get_next function 
Allow iteration through relative DNs when X509 name contains multi-
value RDNs.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-06-17 16:40:55 +01:00
Ronald Cron 30c5a2520e tls13: Fix certificate key usage checks 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-17 08:49:52 +02:00
Ronald Cron ca3c6a5698
Merge pull request #5817 from xkqian/tls13_add_server_name 
Tls13 add server name
 2022-06-16 08:30:09 +02:00
Andrzej Kurek 755ddff25c Fix print format in a debug message 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-15 07:32:02 -04:00
Andrzej Kurek cbe14ec967 Improve variable extracting operations by using MBEDTLS_GET macros 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-15 07:17:28 -04:00
XiaokangQian 75fe8c7e54 Change place of ssl_tls13_check_ephemeral_key_exchange 
Change-Id: Id49172f7375e2a0771ad1216fb7eead808f0db3e
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-15 09:42:45 +00:00
XiaokangQian fb665a8452 Adress the comments about styles and pick_cert 
Change-Id: Iee89a27aaea6ebc8eb01c6c9985487f081ef7343
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-15 03:57:21 +00:00
Andrzej Kurek 7cf872557a Rearrange the session resumption code 
Previously, the transforms were populated before extension
parsing, which resulted in the client rejecting a server
hello that contained a connection ID.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-14 08:26:19 -04:00
Przemek Stekiel 69c4679b22 Adapt macro name to meet requested criteria: MBEDTLS_PSA_BUILTIN_ALG_ANY_HKDF->BUILTIN_ALG_ANY_HKDF 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-14 11:13:32 +02:00
XiaokangQian 07aad0710c Refine function name ssl_tls13_pick_key_cert 
Change-Id: I821e1485d9cfcca88fa3e18d345766ea48c64250
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-14 05:35:09 +00:00
XiaokangQian 81802f43a2 Select certificate base on the received signature list 
Change-Id: Ife707db7fcfdb1e761ba86804cbf5dd766a5ee33
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-13 03:58:06 +00:00
Gilles Peskine 321a08944b Fix bug whereby 0 was written as 0200 rather than 020100 
0200 is not just non-DER, it's completely invalid, since there has to be a
sign bit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-10 20:13:33 +02:00
Gilles Peskine ae25bb043c Fix null pointer dereference in mpi_mod_int(0, 2) 
Fix a null pointer dereference when performing some operations on zero
represented with 0 limbs: mbedtls_mpi_mod_int() dividing by 2, or
mbedtls_mpi_write_string() in base 2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-09 19:32:46 +02:00
Przemek Stekiel 75fe3fb1d7 psa_crypto.c: add MBEDTLS_PSA_BUILTIN_ALG_ANY_HKDF macro to limit number of #if conditions 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2022-06-09 14:44:55 +02:00
Andrzej Kurek b58cf0d172 Split a debug message into two - for clarity 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-08 11:53:59 -04:00
Andrzej Kurek 078e9bcda6 Add the mbedtls prefix to ssl_check_dtls_clihlo_cookie 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-08 11:47:33 -04:00
Dave Rodgman 11930699f1
Merge pull request #5827 from wernerlewis/time_utc 
Use ASN1 UTC tags for dates before 2000
 2022-06-08 13:54:19 +01:00
Paul Elliott 5f2bc754d6
Merge pull request #5792 from yuhaoth/pr/add-tls13-moving-state-tests 
Pr/add-tls13-moving-state-tests
 2022-06-08 13:39:52 +01:00
Manuel Pégourié-Gonnard 3a833271aa
Merge pull request #5727 from SiliconLabs/feature/PSEC-3207-TLS13-hashing-HMAC-to-PSA 
Feature psec-3207 move TLS13 hashing and hmac to psa
 2022-06-08 11:53:35 +02:00
XiaokangQian 96287d98d8 Remove the certificate key check against the received signature 
Change-Id: I07d8d46c58dec499f96cb7307fc0af15149d9df7
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-08 08:37:53 +00:00
pespacek d9aaf768b5 Fixing CI complains. 
Signed-off-by: pespacek <peter.spacek@silabs.com>
 2022-06-08 09:44:11 +02:00
XiaokangQian 9850fa8e8d Refine ssl_tls13_pick_cert() 
Change-Id: I5448095e280d8968b20ade8b304d139e399e54f1
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-08 07:02:41 +00:00
pespacek b06acd734b Fixing PSA return status 
Signed-off-by: pespacek <peter.spacek@silabs.com>
 2022-06-07 13:07:21 +02:00
XiaokangQian 23c5be6b94 Enable SNI test for both tls12 and tls13 
Change-Id: Iae5c39668db7caa1a59d7e67f226a5286d91db22
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
 2022-06-07 09:43:13 +00:00
Ronald Cron 209cae9c42 tls13: server: Fix state update in CLIENT_CERTIFICATE 
The state should be updated only if the handler
returns in success.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-06-07 10:58:22 +02:00
pespacek 670913f4dc Fixing return value for ssl_tls13_write_certificate_body() 
Signed-off-by: pespacek <peter.spacek@silabs.com>
 2022-06-07 10:53:39 +02:00
Andrzej Kurek cfb01948c8 Add cookie parsing tests to test_suite_ssl 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-06 15:29:15 -04:00
Andrzej Kurek c8183cc492 Add missing sid_len in calculations of cookie sizes 
This could lead to a potential buffer overread with small
MBEDTLS_SSL_IN_CONTENT_LEN.
Change the bound calculations so that it is apparent
what lengths and sizes are used.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2022-06-06 15:28:56 -04:00