yuzu-mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-mirror/mbedtls.git synced 2025-12-06 07:12:32 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
25743 commits 89 branches 205 tags 114 MiB
Commit graph

11366 commits

Author SHA1 Message Date
Jerry Yu 8f81060517 Replace median with `middle 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:58:34 +08:00
Jerry Yu f0526a9ad0 fix grammar issue in comment 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:58:34 +08:00
Jerry Yu 49b4367eee fix comment issue 
The algorithm is not karatsuba multiplication.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:58:33 +08:00
Jerry Yu 1ac7f6b09d Improve readability 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:58:33 +08:00
Jerry Yu 132d0cb74d Add miss intrinsic by gcc-5.x 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:58:29 +08:00
Jerry Yu 2c26651938 Improve comments for key expansion 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:57:37 +08:00
Jerry Yu df87a12c81 Add GCM support 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-15 09:57:32 +08:00
Dave Rodgman e59c46e161
Merge pull request #7278 from daverodgman/aesce-macro-name-tidyup 2023-03-14 20:33:31 +00:00
Dave Rodgman 4a1d3beaee
Merge pull request #7229 from tom-cosgrove-arm/static-assert 2023-03-14 16:57:38 +00:00
Dave Rodgman db6ab247fc Improve macro naming 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-14 16:03:57 +00:00
Dave Rodgman 023c8853ac
Merge pull request #7203 from yuhaoth/pr/add-cpu-modifier-for-aesce 
Add CPU modifier for AESCE
 2023-03-14 15:58:57 +00:00
Tom Cosgrove 57f04b81a0 Have MBEDTLS_STATIC_ASSERT() match current development more closely 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-14 12:03:47 +00:00
Przemek Stekiel c0e6250ff9 Fix documentation and tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-14 11:49:36 +01:00
Gilles Peskine 215ecd0439
Merge pull request #7252 from daverodgman/enable_pkcs7 
Enable PKCS 7
 2023-03-14 10:39:50 +01:00
Jan Bruckner 151f64283f Add parsing for Record Size Limit extension in TLS 1.3 
Fixes #7007

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
 2023-03-14 08:41:25 +01:00
Jan Bruckner 5a3629b613 Fix debug print of encrypted extensions 
Perform debug print of encrypted extensions buffer only after the buffer length was checked successfully

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
 2023-03-14 08:41:25 +01:00
Jerry Yu ec9be84ae6 skip pragma when cpu modifier has been set 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-14 10:42:47 +08:00
Jerry Yu b28d55b242 fix wrong typo and indent issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-14 10:36:47 +08:00
Paul Elliott e4622a3436 Merge remote-tracking branch 'development/development' into development-restricted 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-03-13 17:49:32 +00:00
Przemek Stekiel fde112830f Code optimizations and documentation fixes 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-13 16:28:27 +01:00
Dave Rodgman efbc5f7322 Update wording in comments 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-13 12:15:49 +00:00
Dave Rodgman 756b028511
Merge pull request #7171 from daverodgman/pr5527 
Fix undefined behavior in ssl_read if buf parameter is NULL
 2023-03-13 10:46:29 +00:00
Jerry Yu 6f86c19d62 Improve readability for compiler version check 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 11:03:40 +08:00
Jerry Yu 02487a2123 Rename target option flag macro 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:35 +08:00
Jerry Yu 77a010e3b3 Remove the max version limitation for clang workaround 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:35 +08:00
Jerry Yu 490bf08dd9 fix comment issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:34 +08:00
Jerry Yu 7b4d9da08c fix wrong clang version check. 
Both inline assembly and intrinsic need pragma

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:34 +08:00
Jerry Yu ae129c3a20 Add new feature test macros 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:34 +08:00
Jerry Yu 48b999cd6e Add cpu modifiers for aesce.c 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-03-13 10:19:31 +08:00
Przemek Stekiel f309d6b7fb Fix peer user mismatch after rebase 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-12 16:59:28 +01:00
Przemek Stekiel 18cd6c908c Use local macros for j-pake slient/server strings 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-12 16:59:28 +01:00
Przemek Stekiel aa1834254e Fix code style 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-12 16:59:28 +01:00
Przemek Stekiel 09104b8712 rework psa_pake_set_role to be consistent with requirements and adapt tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-12 16:59:28 +01:00
Przemek Stekiel d7f6ad7bc8 Minor fixes (comments, cleanup) 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-12 16:59:28 +01:00
Gilles Peskine d0f9b0bacc Don't warn about Msan/Valgrind if AESNI isn't actually built 
The warning is only correct if the assembly code for AESNI is built, not if
MBEDTLS_AESNI_C is activated but MBEDTLS_HAVE_ASM is disabled or the target
architecture isn't x86_64.

This is a partial fix for #7236.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-03-10 22:28:25 +01:00
Gilles Peskine d4f31c87d1 Update bibliographic references 
There are new versions of the Intel whitepapers and they've moved.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-03-10 22:21:47 +01:00
Przemek Stekiel 55ceff6d2f Code optimization and style fixes 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-10 14:36:16 +01:00
Przemek Stekiel 4cd20313fe Use user/peer instead role in jpake TLS code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-10 09:18:03 +01:00
Przemek Stekiel 1e7a927118 Add input getters for jpake user and peer 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-10 09:18:03 +01:00
Przemek Stekiel 26c909d587 Enable support for user/peer for JPAKE 
This is only partial support. Only 'client' and 'server' values are accepted for peer and user.
Remove support for role.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-10 09:18:02 +01:00
Gilles Peskine 4da92832b0
Merge pull request #7117 from valeriosetti/issue6862 
driver-only ECDSA: enable ECDSA-based TLS 1.2 key exchanges
 2023-03-09 20:49:44 +01:00
Dave Rodgman bf4016e5d5
Merge pull request #6567 from mprse/ecjpake-driver-dispatch 2023-03-09 19:23:05 +00:00
Przemek Stekiel 42510a91c4 Use for loop instead while loop 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-09 14:04:17 +01:00
Gabor Mezei e4710ae9ed
Add and fix comments 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-09 13:43:02 +01:00
Dave Rodgman 5e5aa4a4e6
Merge pull request #7218 from tom-cosgrove-arm/fix-typos-230307 
Fix typos in development prior to release
 2023-03-08 17:19:59 +00:00
Dave Rodgman 51b62ef23d
Merge pull request #7228 from tom-cosgrove-arm/fix-alignment.h-on-32-bit-systems 
Fix mbedtls_bswap64() on 32-bit systems
 2023-03-08 17:19:29 +00:00
Manuel Pégourié-Gonnard 913d9bb921
Merge pull request #7162 from valeriosetti/issue7055 
Legacy MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C dependencies in test_suite_psa_crypto
 2023-03-08 17:07:19 +01:00
Valerio Setti 75fba32cb3 ssl: use new macros for ECDSA capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-03-08 16:47:28 +01:00
Manuel Pégourié-Gonnard 289e5baa83
Merge pull request #7082 from valeriosetti/issue6861 
driver-only ECDSA: add ssl-opt.sh testing with testing parity
 2023-03-08 16:45:38 +01:00
Gabor Mezei d1f16b937e
Add documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-08 15:26:32 +01:00
Tom Cosgrove 6ef9bb3d74 Implement and use MBEDTLS_STATIC_ASSERT() 
Fixes #3693

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-08 14:19:51 +00:00
Tom Cosgrove bbe166e721 Fix mbedtls_bswap64() on 32-bit systems 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-08 13:23:24 +00:00
Gabor Mezei 716447ff32
Fix limb size calculation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-08 14:09:51 +01:00
Gabor Mezei ed1acf642c
Apply naming conventions 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-08 14:09:50 +01:00
Gabor Mezei 5221c04b92
Change the p256_raw fuction to be testable 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-08 14:09:50 +01:00
Gabor Mezei ab6ac91a0a
Extract Secp256r1 from the prototype 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-08 14:09:50 +01:00
Tom Cosgrove c15a2b949d Update the text about gcc5 support for Armv8 CE 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-08 12:55:48 +00:00
Przemek Stekiel 07c5ea348c Add check for buffer overflow and fix style. 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-08 13:31:19 +01:00
Valerio Setti 733de595e3 psa_crypto_rsa: remove PK_WRITE_C in psa_rsa_export_key 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-03-08 11:03:09 +01:00
Valerio Setti 73a218513b psa_crypto_rsa: add comment/explanation for residual PK_WRITE_C guard 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-03-08 11:03:09 +01:00
Przemek Stekiel 691e91adac Further pake code optimizations 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-08 09:54:00 +01:00
Gilles Peskine a2fc399f57
Merge pull request #6829 from AndrzejKurek/unify-psa-errors 
Unify PSA to Mbed TLS error translation
 2023-03-07 19:55:44 +01:00
Gilles Peskine 12e3c8e019
Merge pull request #7168 from mpg/use-md 
Use MD (not low-level hash interface) in X.509 and TLS
 2023-03-07 19:55:12 +01:00
Valerio Setti 2f1d967643 ssl: fix included pk header file 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-03-07 18:14:34 +01:00
Tom Cosgrove 503d71769c Enable explicit_bzero() on OpenBSD 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-07 12:51:11 +00:00
Tom Cosgrove 5c8505f061 Fix typos 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-03-07 11:39:52 +00:00
Janos Follath fe780a3c4b
Merge pull request #7184 from gabor-mezei-arm/6349_Secp224r1_fast_reduction 
Extract Secp224r1 fast reduction from the prototype
 2023-03-07 10:57:58 +00:00
Przemek Stekiel 57580f2539 Use proper enum types for pake state/sequence/step 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-07 10:50:09 +01:00
Przemek Stekiel 4aa99403f4 Fix configuration for accelerated jpake 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-07 10:50:09 +01:00
Przemek Stekiel 4dc83d40af Add check for pake operation buffer overflow 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-07 10:50:00 +01:00
Pengyu Lv 7b6299b49b ssl_cache: Add an interface to remove cache entry by session id 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-03-07 15:00:22 +08:00
Przemek Stekiel e3ef3a15cd Further pake code optimizations 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-06 17:24:32 +01:00
Gabor Mezei 97803abd2a
Update comment 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-06 16:32:16 +01:00
Manuel Pégourié-Gonnard 947cee18a1 Fix memory leak. 
The function reset_checksum() can be called more than once with the same
handshake context (this happens with DTLS clients, and perhaps in other
cases as well). When that happens, we need to free the old MD contexts
before setting them up again.

Note: the PSA path was already doing the right thing by calling abort,
we just needed to do the same on the MD path.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-03-06 11:59:59 +01:00
Manuel Pégourié-Gonnard 228a30d16c
Merge pull request #7120 from mpg/md-light 
Define "MD light" subset of MD
 2023-03-06 11:02:19 +01:00
Dave Rodgman 4693fd9e9e
Merge pull request #7173 from daverodgman/zeroize-platform 
Use platform-provided secure zeroization
 2023-03-06 09:16:12 +00:00
Pol Henarejos f61d6c0a2b
Merge branch 'development' into sha3 2023-03-04 00:03:06 +01:00
Dave Rodgman b0d96a23a9 Remove not-needed EABI exclusion 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-03 17:06:09 +00:00
Dave Rodgman 45cef61fa4
Merge branch 'development' into md-light 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-03 14:28:13 +00:00
Przemek Stekiel 57207711d8 Add MBEDTLS_ASN1_CHK_CLEANUP_ADD macro to be able to release memory on failure 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-03 12:58:29 +01:00
Przemek Stekiel 5a49d3cce3 Replace mbedtls_x509_san_node with mbedtls_x509_subject_alternative_name 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-03 12:58:11 +01:00
Przemek Stekiel f40de93b1a Remove redundant variable 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-03-03 12:58:10 +01:00
Andrzej Kurek 270b3f9790 Rename error_pair_t to mbedtls_error_pair_t 
Required by our coding standards.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:54:13 -05:00
Andrzej Kurek daf5b56b02 Translate to MD errors in ssl-tls.c 
With the introduction of #7047, ssl_tls.c uses 
mbedtls_md_error_from_psa. This complicates
the dependencies for compiling in psa_to_md_errors,
since now these should be ifdeffed also by
MBEDTLS_USE_PSA_CRYPTO followed by a series of or'ed
MBEDTLS_HAS_ALG_SHA_XXX_VIA_MD_OR_PSA_BASED_ON_USE_PSA.
Since this mechanism will be removed soon, we can simplify it to
just MBEDTLS_USE_PSA_CRYPTO.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:52:28 -05:00
Andrzej Kurek 747ab4ea5e Introduce error_pair_t to psa utils 
This way error handling can be written in a cleaner way.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:23:45 -05:00
Andrzej Kurek 138b30ac62 Add missing const qualifiers 
Also improve documentation
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:23:45 -05:00
Andrzej Kurek ba24138e0f Duplicate error logic in pk_wrap deprecated functions 
GCC 4.6+ complains if a deprecated function calls another.
Working around this universally would require a lot of
preprocessing, this seems to be an easier solution.
Copy mbedtls_pk_error_from_psa code without duplicates
instead of calling the function.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:23:45 -05:00
Andrzej Kurek 8a045ce5e6 Unify PSA to Mbed TLS error translation 
Move all error translation utilities to psa_util.c.
Introduce macros and functions to avoid having
a local copy of the error translating function in
each place.
Identify overlapping errors and introduce a
generic function.
Provide a single macro for all error translations
(unless one file needs a couple of different ones).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-03-03 05:23:44 -05:00
Gilles Peskine 6def41b146
Merge pull request #6932 from yuhaoth/pr/fix-arm64-host-build-and-illegal_instrucion-fail 
Replace CPU modifier check with file scope target cpu modifiers
 2023-03-02 15:36:41 +01:00
Dave Rodgman 528bfa640c Whitespace fix 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-02 13:54:43 +00:00
Gabor Mezei aeadc2d731
Apply naming convention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-03-01 16:53:03 +01:00
Dave Rodgman 6d6a720603 Protect against possible macro redefinition warning 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-01 15:09:40 +00:00
Paul Elliott d1cddff71a
Merge pull request #7189 from daverodgman/armcc-fix 
Fix macro redefinition warning from armclang
 2023-03-01 11:59:26 +00:00
Gilles Peskine 802ff1b116
Merge pull request #7147 from paul-elliott-arm/interruptible_sign_hash_codestyle_drivers 
Remove driver entry points for psa_{get|set}_max_ops()
 2023-03-01 10:46:09 +01:00
Dave Rodgman 914c632646 Whitespace 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-03-01 09:30:14 +00:00
Gabor Mezei 620f0dc850
Fix for 32-bit 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-28 18:42:33 +01:00
Gabor Mezei 08a94953e1
Apply naming convention for p224 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-28 18:40:57 +01:00
Dave Rodgman e47899df20 Fix macro redefinition warning from armcc 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-28 17:39:03 +00:00
Gilles Peskine 7e677fa2c5
Merge pull request #6389 from gilles-peskine-arm/ecdsa-use-psa-without-pkwrite 
Remove pkwrite dependency in pk using PSA for ECDSA
 2023-02-28 18:17:16 +01:00
Gilles Peskine b52b788e55
Merge pull request #6895 from yuhaoth/pr/add-aes-with-armv8-crypto-extension 
Add AES with armv8 crypto extension
 2023-02-28 18:16:37 +01:00
Paul Elliott 6a459f5de5
Merge pull request #7143 from paul-elliott-arm/interruptible_sign_hash_codestyle_wipeout 
Update psa_wipe_output_buffer() and change name to psa_wipe_tag_output_buffer()
 2023-02-28 15:34:06 +00:00
Jerry Yu 608e1093de Improve comment about conflicts between aesce and sha512-crypto 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-28 12:50:00 +08:00
Paul Elliott 15d7d43904 Pacify Clang 15 
Changes for interruptible {sign|verify} hash were not merged at the time of the
previous clang 15 /retval fixes, thus this fixes code added at that time.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-27 17:25:57 +00:00
Gabor Mezei 5afb80e00a
Fix coding style issues 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-27 17:00:34 +01:00
Gabor Mezei 804cfd32ea
Follow the naming convention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-27 16:50:09 +01:00
Gabor Mezei bf506361c4
Revert the illustration and remove unnecessary code 
This reverts commit 73e8553273.
Removes the second round of carry reduction from p224.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-27 16:37:32 +01:00
Gabor Mezei 73e8553273
Add comments to illustrate the second round of carry reduction is unnecessary 
The first round of carry reduction can not generate a carry thus the
secound round is not needed. The comments illustrating when the
carry is 1. The reduction is simmetric so the case when the carry is
-1 is similar.
The illustration is trying to calculate the input value starting with
setting the carry to 1 before the second round of the carry reduction.
It calculates backwords and tries to determine the value range of
each word. It ends up with a contradiction that A10 must have the
value of 0 and UINT32_MAX.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-27 16:32:42 +01:00
Gabor Mezei a835d20cde
Add documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-27 15:58:30 +01:00
Paul Elliott ac2251dad1
Merge pull request #7076 from mprse/parse_RFC822_name 
Add parsing of x509 RFC822 name + test
 2023-02-27 14:16:13 +00:00
Jerry Yu fc2e128fc9 Fix grammar issues and remove useless code 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-27 11:16:56 +08:00
Paul Elliott 7118d17df1 Pacify code style checker 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-26 16:57:05 +00:00
Dave Rodgman 096e72959b Fix case of include header for mingw 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 17:17:35 +00:00
Dave Rodgman f5e531a87b Fix code style 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 17:17:15 +00:00
Dave Rodgman 703f805f09 Improve explicit_bzero detection 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 15:19:52 +00:00
Dave Rodgman fe57a2e008 Remove newlib detection 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 14:16:34 +00:00
Dave Rodgman 82f3de55b2 tidy up brackets 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 14:08:22 +00:00
Dave Rodgman 828ec905db Improve explicit_bzero detection 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-25 13:32:26 +00:00
Dave Rodgman f0a0e43053 explicit_bzero is not available on arm-none-eabi 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 19:01:48 +00:00
Dave Rodgman a6fda16a41 Fix re-definition of __STDC_WANT_LIB_EXT1__ 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 19:00:38 +00:00
Dave Rodgman 8a7d26f12c Typo fix 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 18:19:24 +00:00
Paul Elliott dc42ca8a7e Use psa_wipe_tag_buffer() for MAC and aead code. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-24 18:11:59 +00:00
Dave Rodgman 8b6eded03d
Tidy-up comment 
Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 18:07:05 +00:00
Paul Elliott 7bc24cc512 Fix typos in documentation. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-24 18:04:16 +00:00
Dave Rodgman 4daca63734 Documentation 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 17:43:00 +00:00
Dave Rodgman f55182d2bf Use platform-provided secure zeroization call 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 17:42:43 +00:00
Dave Rodgman f68402565a Add corresponding fix for mbedtls_ssl_write 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 15:57:30 +00:00
ashesman 937d6d5eab Update library/ssl_msg.c 
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-24 15:57:14 +00:00
Ashley Duncan 358f94a71c Fixed undefined behavior in ssl_read if buf parameter is NULL. 
Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
 2023-02-24 15:53:07 +00:00
Paul Elliott a16ce9f601 Remove driver entry points for {get|set}_max_ops(). 
Move the global variable to the PSA layer, and just set that when calling PSA
level functions.

Move the internal ecp set to before each ecp call.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-24 14:44:18 +00:00
Manuel Pégourié-Gonnard 02d55d5825 Rename some local variables 
The name sha512 might have made sense when it was an
mbedtls_sha512_context, but now it's weird to see things like

    mbedtls_md_setup(&sha512, ...MBEDTLS_MD_SHA384...);

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-24 13:31:33 +01:00
Manuel Pégourié-Gonnard f057ecfedf Use MD not low-level sha256/512 in TLS 
Same reasoning as in previous commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-24 13:30:55 +01:00
Manuel Pégourié-Gonnard 2cd751465c Use MD, not low-level SHA1, in X.509 
X.509 already depends on MD_C || USE_PSA_CRYPTO, and this is for the
!USE_PSA_CRYPTO branch, so we're free to use MD.

This change supports our ability to use MBEDTLS_MD_CAN_xxx macros
everywhere in the future, once they have been introduced.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-24 12:37:07 +01:00
Manuel Pégourié-Gonnard 0ac71c0d92 Make debug statement more portable 
There's little reason for accessing the hash implementation's internal
state, its output contains most of the same information.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-24 12:13:55 +01:00
Paul Elliott a3b625b0a1
Merge pull request #7098 from gilles-peskine-arm/retval-non-empty 
Pacify Clang 15 about empty \retval
 2023-02-24 09:10:53 +00:00
Przemek Stekiel d93de32267 Move to computation stage only on successfull setup 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-24 08:39:49 +01:00
Jerry Yu ba1e78f1c2 fix code style and comment issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-24 11:18:16 +08:00
Manuel Pégourié-Gonnard 1e57abd3ec Group MD_LIGHT and MD_C parts of md.c 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-23 20:45:26 +01:00
Przemek Stekiel 083745e097 Fix code style 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-23 17:28:23 +01:00
David Horstmann ce16474d91 Correct INT_MAX overflow check to UINT_MAX 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-23 13:50:48 +00:00
Manuel Pégourié-Gonnard 0d4152186d Make MBEDTLS_MD_LIGHT private for now. 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-23 13:02:13 +01:00
Ronald Cron 1aa6e8d6e9 Restore same PSK length enforcement 
Restore same PSK length enforcement in
conf_psk and set_hs_psk, whether the
negotiated protocol is TLS 1.2 or TLS 1.3.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-23 09:48:50 +01:00
Manuel Pégourié-Gonnard f78a10052c
Merge pull request #7047 from mpg/tls-hash-errors 
Handle errors from hash functions in TLS code
 2023-02-23 08:49:55 +01:00
Valerio Setti 1ad9ef2132 ssl: use new macros for ECDSA capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-23 08:15:09 +01:00
Jerry Yu 029e659bbb Return seconds when clock_gettime error 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-23 11:25:36 +08:00
Jerry Yu 947bf969e0 Improve readability of expansion size 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-23 11:07:57 +08:00
Jerry Yu fac5a54f8a fix code style issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-23 10:13:40 +08:00
David Horstmann 376e8df9d6 Clarify structure of parsing with comments: 
1. Parse through to get the required buffer length.
2. Having allocated a buffer, parse into the buffer.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 89d67bd472 Remove superfluous sizeof(unsigned char) 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 7cdfda12da Fixup: Correct signedness of val local variable 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 0f4ee418d8 Use return for errors only in oid_parse_number() 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 59400ffed5 Improve header docs and rename parameter 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 03329970de Correct error in processing of second component 
Root nodes 0 and 1 may have up to 40 children (0 - 39), not 39 children
(0 - 38) as previously thought.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 18ec9d7da1 Change some error codes to be more accurate 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 18:27:59 +00:00
David Horstmann 92337c0e62 Add function to parse an OID from a string 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-22 16:34:26 +00:00
Paul Elliott 59200a22aa Improve psa_wipe_output_buffer 
Change name and document to ensure suitability only for "tags" is explicit. Add
support for output size of zero in PSA_SUCCESS case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-22 14:15:31 +00:00
Janos Follath 406b9172ad
Merge pull request #7044 from minosgalanakis/bignum/6342_add_named_moduli_setup 
Bignum: Add named moduli setup
 2023-02-22 12:14:33 +00:00
Przemek Stekiel 5eff1033b6 Remove redundant checks for jpake alg 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel ce131bf5c5 PAKE driver: fix password releasing 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 80a8849903 Adapt conditional compilation flags for jpake alg 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel a54dc69fe0 mbedtls_psa_pake_setup: move driver password and alg init to the common part 
Also in the core part change stage to computation after return from psa_driver_wrapper_pake_setup() regardless of the result. At this point driver context is active even if init has failed.

Additionally handle deallocation of password on failure in mbedtls_psa_pake_setup(). The plan was to handle deallocation on core level by calling abort on failure.
Unfortunately in this case when mbedtls_psa_pake_setup() fails with an unsupported result the built-in implementation is executed (if available) and it will reallocate the password leading to the memory leak.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 6b64862ef7 Documentation fixes and code adaptation 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 251e86ae3f Adapt names to more suitable and fix conditional compilation flags 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 6d77830c6a Remove redundant code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel dff21d3429 Move jpake role check to psa_pake_complete_inputs() 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 4fcc61eec0 Optimize psa_pake_ecjpake_setup() 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 849c35f8b4 Remove pake abort on failure from driver (handled by core) 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel e1d51bf3c9 Optimieze psa_pake_complete_inputs() 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 3e784d8981 PSA crypto pake: call abort on each failure 
Adapt driver hook counters in pake driver test.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel d69dca9fc4 Rework psa_pake_abort 
- Fix potential issue with freeing password
- Clean operation object even if psa_driver_wrapper_pake_abort fails
- Remove redundant code

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel f62b3bb087 Optimization of pake core functions 
Adapt pake test (passing NULL buffers is not allowed).
Passing the null buffer to psa_pake_output results in a hard fault.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 9dd2440c95 Change pake input: key_lifetime -> key attributes 
In the future key attributes will be available for opaque driver via psa_crypto_driver_pake_get_password_key().

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel d5d28a217f Use operation alg for locking key slot 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 1c3cfb4fb0 Introduce PSA_PAKE_OPERATION_STAGE_SETUP to optimize out alg checks 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel ff01bc496c Remove j-pake specific checks from psa_pake_setup 
mbedtls_psa_pake_setup has already check for PSA_PAKE_PRIMITIVE_TYPE_ECC primitive.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel dde6a910bb Optimize out psa_pake_computation_stage_t 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 5cbca790f7 Make usage of pake input getters 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 18620a3b1c Make copy of inputs on stack before passing to psa_driver_wrapper_pake_setup 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel ca8d2b2589 Add get-data functions for inputs + tests 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel 7b730175b3 Simplify psa_pake_computation_stage_s structure 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:32 +01:00
Przemek Stekiel b09c487546 Combine core pake computation stage(step,sequence,state) into single driver step 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel 9a5b812aa8 Cleanup the code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel 2797d37424 Split handling of memory allocation for password between core and driver 
Driver is now responsible for creating its own copy of the password in the setup function.
After calling pake setup driver entry point core frees memory for password.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel e12ed36a6c Move JPAKE state machine logic from driver to core 
- Add `alg` and `computation_stage` to `psa_pake_operation_s`.
  Now when logic is moved to core information about `alg` is required.
  `computation_stage` is a structure that provides a union of computation stages for pake algorithms.
- Move the jpake operation logic from driver to core. This requires changing driver entry points for `psa_pake_output`/`psa_pake_input` functions and adding a `computation_stage` parameter. I'm not sure if this solution is correct. Now the driver can check the current computation stage and perform some action. For jpake drivers `step` parameter is now not used, but I think it needs to stay as it might be needed for other pake algorithms.
- Removed test that seems to be redundant as we can't be sure that operation is aborted after failure.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel be5e27b5ad Remove redundant code 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel ca67483b15 psa_crypto_pake.h: adapt function descriptions 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:30:31 +01:00
Przemek Stekiel 51eac53b93 Divide pake operation into two phases collecting inputs and computation. 
Functions that only set inputs do not have driver entry points.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:25:30 +01:00
Przemek Stekiel 061f6949fd Make psa_get_and_lock_key_slot_with_policy() static function 
psa_get_and_lock_key_slot_with_policy() becomes public temporarily as part of:
https://github.com/Mbed-TLS/mbedtls/pull/6608

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:25:30 +01:00
Przemek Stekiel 0c78180ee5 mbedtls_psa_pake_get_implicit_key: move psa_key_derivation_input_bytes call to upper layer 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:25:30 +01:00
Przemek Stekiel 6c7644150a Adapt pake impl for driver dispatch 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:25:30 +01:00
Przemek Stekiel 2e73649f9c Add pake psa crypto driver wrappers implementation 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-22 11:25:30 +01:00
Neil Armstrong 5ae609631e Move the common parameters check code out of the wrapper 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2023-02-22 11:25:30 +01:00
Neil Armstrong a7d08c3009 Add PSA PAKE api calling the PAKE wrappers 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2023-02-22 11:25:30 +01:00
Neil Armstrong 7da8c56b84 Add PSA PAKE wrappers 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2023-02-22 11:25:30 +01:00
Neil Armstrong 56b8d23ca1 Add mbedtls_ prefix to PSA PAKE over MbedTLS implementation 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2023-02-22 11:25:30 +01:00
Manuel Pégourié-Gonnard 63e33dd175 Fix unchecked return value 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-22 10:09:40 +01:00
Jerry Yu 3bfe133832 Improve readability 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-22 15:01:05 +08:00
Jerry Yu 3304c204ba Improve readabilities 
- Add more comments
- Adjust setkey_enc

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-22 14:37:11 +08:00
Jerry Yu 4d786a732b Fix regression issue for clang workaround. 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-22 11:01:07 +08:00
Gilles Peskine ffb92b0789
Merge pull request #7105 from davidhorstmann-arm/fix-oid-printing-bug 
Fix bugs in OID to string conversion
 2023-02-21 23:16:44 +01:00
Manuel Pégourié-Gonnard da7979bb91 Restore debug message removed by mistake 
Also while at it, fix debug level for existing DEBUG_RET: errors should
always be level 1.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard 8e176f747c Fix wrong return statement 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard 626aaed213 Fix unused variable warnings in some builds 
Found by depends.py MBEDTLS_SHA512_C

In principle, the case where neither SHA-256 nor SHA-384 are available
should never occur, as both TLS 1.2 and TLS 1.3 depend on one of those
being defined. However for now dependencies for TLS 1.2 are not as tight
as they should be; this will be fixed later and is tracked as #6441.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard 43cc127d3a Fix code style 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard e1a4caa934 Handle hash errors in calc_finished 
That's the last family of functions. All calls to mbedtls_sha* and
psa_hash_* in library/ssl_tls.c are now checked for errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard b9b564e64b Handle hash errors in calc_verify 
On top on some calls not being checked, the PSA path was missing a call
to abort() on errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard df94901566 Handle hash errors in update_checksum 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard b72ff498c9 Handle hash errors in reset_checksum 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard b8b07aa24a Handle errors from functions that now return int 
A few functions were changed from returning void to returning int three
commits ago. Make sure their callers check the return values.

This commits was basically a matter of declaring newly-int-returning
functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting
warnings. A few functions had to be made int in the process; they were
applied the same process as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard d7a7a23308 Use reset_checksum in reset_transcript_for_hrr 
This function was manually resetting just the hash that would be used;
it's simpler to just call the function that resets all hashes. This also
avoids calling low-level code from TLS 1.3.

While at it, remove the guards about SHA-256 || SHA-384 that were around
update_checksum, as they are redundant: update_checksum already has
appropriate guards (and TLS 1.3 already depends on one of those tow
hashes being present anyway).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard 537f231fd9 Split hash start out of handshake_params_init 
This part can fail, so it shouldn't be intermixed with the part that
can't fail and is there to ensure all structures are in a clean state,
should any error happen.

Fortunately, the part that should be split out already had a function
doing it: reset_checksum. Also, handshake_params_init had only one
calling site to update.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard 226aa15702 Make handshake hashing functions return int 
There are three family of functions: update_checksum, calc_verify,
calc_finished, that perform hashing operations and were returning void
so far. This is not correct, as hashing functions can return errors (for
example, on hardware failure when accelerated). Change them to return
int.

This commit just changes the types: for now the functions always return
0, and their return value is not checked; this will be fixed in the
next few commits.

There is a related function in TLS 1.3,
mbedtls_ssl_reset_transcript_for_hrr, which also handles hashes, and
already returns int but does not correctly check for errors from hashing
functions so far, it will also be handled in the next few commits.

There's a special case with handshake_params_init: _init functions
should return void, so we'll need to split out the part that can return
errors, see the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-21 15:39:12 +01:00
Gilles Peskine 250a5ac4cb
Merge pull request #7095 from paul-elliott-arm/interruptible_sign_hash_codestyle 
Implement PSA interruptible sign/verify hash
 2023-02-21 15:13:34 +01:00
Ronald Cron d89360b87b Fix and improve documentation, comments and logs 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-21 14:57:25 +01:00
Przemek Stekiel 18904acc93 Adapt the code to support SAN types: uniformResourceIdentifier, dNSName and IPAddress 
According to documentation OPCUA requires: uniformResourceIdentifier, dNSName and IPAddress
https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-21 13:42:39 +01:00
Hannes Tschofenig 6b108606fa Added ability to include the SubjectAltName extension to a CSR 
Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
 2023-02-21 13:42:39 +01:00
Dave Rodgman e42cedf256
Merge pull request #7077 from daverodgman/pkcs7-fixes-dm-rebased 
Pkcs7 fixes
 2023-02-21 11:53:30 +00:00
Gabor Mezei aef0f2de9f
Fix limb size calculation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-21 11:35:31 +01:00
Gabor Mezei e14b5bdba7
Change the ecp_mod_p224_raw to be testable 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-21 11:35:26 +01:00
Gabor Mezei 66f88a9d22
Extract Secp224r1 from the prototype 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-21 11:32:29 +01:00
Jerry Yu ba4ec24c79 fix code style failure 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-21 15:59:18 +08:00
Jerry Yu baae4012bf merge setkey_enc* functions 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-21 15:28:03 +08:00
Jerry Yu c8bcdc8b91 fix various issues 
- Improve some function names
- Improve comments
- improve readability

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-21 15:16:20 +08:00
Dave Rodgman a1b2bfff46 Add clarifying comments 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-20 14:45:09 +00:00
David Horstmann 5b5a0b618c Change error codes to more appropriate codes 
The more precise error codes are borrowed from the ASN1 module.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-20 14:24:12 +00:00
Przemek Stekiel 82d250d8b0 Use const char for names and adapt style 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-20 15:09:50 +01:00
Przemek Stekiel 5b9e4168cf Add rfc822Name support in mbedtls_x509_info_subject_alt_name + adapt test 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-20 15:09:50 +01:00
Przemek Stekiel ecee12f04f Add parsing of SAN: rfc822Name 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-02-20 15:09:50 +01:00
Minos Galanakis a30afe2216 ecp_curves: Minor refactoring. 
This patch introduces the following changes:
* Documentation for `mbedtls_ecp_modulus_setup()`
  moved to `ecp_invasive.h`.
* Added invalid modulus selector `MBEDTLS_ECP_MOD_NONE`.
* Adjusted negative tests to use invalid selectors.
* Reworded documentation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-02-20 13:53:06 +00:00
Minos Galanakis dd556921c9 ecp_curves: Exposed mbedtls_ecp_modulus_setup() through ecp_invasive.h 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-02-20 13:50:41 +00:00
Minos Galanakis d2ca802329 ecp_curves: Added mbedtls_ecp_modulus_setup(). 
This patch introduces a new static method, responsible
for automatically initialising an modulus structure,
based on the curve id and a modulus type selector.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-02-20 13:49:46 +00:00
Janos Follath ec718afb41
Merge pull request #7051 from gabor-mezei-arm/6376_Secp521r1_fast_reduction 
Add a raw entry point to Secp521r1 fast reduction
 2023-02-20 13:03:12 +00:00
Ronald Cron 4bb6773640 tls13: Apply same preference rules for ciphersuites as for TLS 1.2 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-20 11:42:19 +01:00
Ronald Cron 0a1c504156 tls13: Fix session resumption with 384 bits PSKs 
MBEDTLS_PSK_MAX_LEN main purpose is to determine
a miximum size for the TLS 1.2 pre-master secret.

This is not relevant to TLS 1.3 thus disable in
TLS 1.3 case the check against MBEDTLS_PSK_MAX_LEN
when setting during the handshake the PSK through
mbedtls_ssl_set_hs_psk(). This fixes the session
resumption with 384 bits PSKs when MBEDTLS_PSK_MAX_LEN
is smaller than that.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-20 11:42:19 +01:00
Ronald Cron 25e9ec61f0 tls13: server: Select preferred cipher suite 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-20 11:42:19 +01:00
Ronald Cron fc7ae87ad4 tls13: server: Check ciphersuite list length parity once 
Check ciphersuite list length parity once,
mainly to enable the possibility of getting
out of the loop of the ciphersuites whenever
we want.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-20 11:42:19 +01:00
Ronald Cron 606671e06e tls13: server: Check mbedtls_ssl_set_hs_psk returned value 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-02-20 11:42:19 +01:00
Manuel Pégourié-Gonnard 718eb4f190
Merge pull request #7025 from AndrzejKurek/uri_san 
Add the uniformResourceIdentifier subtype for the subjectAltName
 2023-02-20 11:29:59 +01:00
Paul Elliott f8e5b56ad8 Fix get_num_ops internal code. 
Previously calling get_num_ops more than once would have ended up with ops
getting double counted, and not calling inbetween completes would have ended up
with ops getting missed. Fix this by moving this to where the work is actually
done, and add tests for double calls to get_num_ops().

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-19 18:55:10 +00:00
Manuel Pégourié-Gonnard b9b630d628 Define "light" subset of MD 
See docs/architecture/psa-migration/md-cipher-dispatch.md

Regarding testing, the no_md component was never very useful, as that's
not something people are likely to want to do: it was mostly useful as
executable documentation of what depends on MD. It's going to be even
less useful when more and more modules auto-enable MD_LIGHT or even
MD_C. So, recycle it to test the build with only MD_LIGHT, which is
something that might happen in practice, and is necessary to ensure that
the division is consistent.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-16 22:30:06 +01:00
Gabor Mezei ac70ad6576
Fix coding style 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-16 19:31:21 +01:00
Manuel Pégourié-Gonnard ba2412fd21 Remove internal function md_process() 
It was already marked as internal use only, and no longer used
internally. Also, it won't work when we dispatch to PSA.

Remove it before the MD_LIGHT split to avoid a corner case: it's
technically a hashing function, no HMAC or extra metadata, but we still
don't want it in MD_LIGHT really.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-02-16 18:44:46 +01:00
Dave Rodgman fc64352253 Adjust position of empty line 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-16 16:23:09 +00:00
Paul Elliott ba70ad4944 Add safety for keys larger than we currently support. 
Prevent buffer overflow with keys whos grp.nbits is greater than
PSA_VENDOR_ECC_MAX_CURVE_BITS.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-16 12:15:39 +00:00
Paul Elliott 93d9ca83ea Move num_ops ECP abstraction fully into internal implementation 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-16 12:15:39 +00:00
Andrzej Kurek 81b0b89a34 Clarify comments on subjectAltName types 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-02-16 06:55:10 -05:00
Jerry Yu a135deeece Move clang bug workaround to the head of file 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-16 17:56:33 +08:00
Jerry Yu 383cbf42a0 Add minimum version of sha256 for clang 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-16 15:16:43 +08:00
Jerry Yu 8ae6a0193c Add comments about gcc-5 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-16 15:16:20 +08:00
Jerry Yu 2f2c04956d Add GCC options pop 
Reduce the scope of target pragma to meet
behavior of clang.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-16 14:24:46 +08:00
Jerry Yu 92fc538a22 Add attribute popup 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-16 11:17:11 +08:00
Paul Elliott 2c9843f2a4 Make mbedtls_sa_ecp_load_public_part return psa_status_t 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 7ef174b285 Correct insufficient memory return documentation. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott a1c9409d88 Move structure init calls as early as possible 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott ebe225cf7b Move num ops update to only point where work can be done. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 53bb312054 Wipe output buffer even when INCOMPLETE is returned. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott c569fc268f Switch from nbits to pbits 
Correct coordinate size is grp.nbits, not grp.pbits.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 6d99f0c265 Fix errors in psa_wipe_output_buffer() doc comment. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 0290a76fc2 Fix buffer overflow with hashes larger than key size. 
Truncate input hashes to curve private key size as that is all that is required
for the internal implementation.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 724bd25f4b Fix missing mbedtls_mpi_free() on signing. 
After moving the MPIs used to output from the operation into the complete
function, I failed to move the accompanying free as well.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 84329464d5 Replace allocated hash buffer with array 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott e6145dc47f Add documentation comment to internal abort functions 
Explain the reasoning behind not clearing some variables.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott de1114c883 Fix {sign|verify}_get_num_ops 
Move the obfuscation of the internal library only returning a delta of ops done
into the driver wrapper, thus meaning driver wrapper and API call both return
absolute values of work done. Document the differences at the internal
implementation level.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 939bd9485d Move output buffer wiping code to seperate function. 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 1243f93cca Fix build fails with non ECDSA / restartable builds 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott eefe47292c Move loading of public part of ECP into function 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott c9774411d4 Ensure that operation is put into error state if error occurs 
If an error occurs, calling any function on the same operation should return
PSA_ERROR_BAD_STATE, and we were not honouring that for all errors. Add extra
failure tests to try and ratify this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott f9c91a7fb5 Store the hash, rather than the pointer 
For sign and verify, the pointer passed in to the hash is not guaranteed to
remain valid inbetween calls, thus we need to store the hash in the
operation. Added a test to ensure this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 813f9cdcbb Non ECDSA algorithms should return not supported 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 1bc59df92c Rename curve_bytes to coordinate_bytes 
Also remove unneeded instance from verify operation struct.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 096abc4dc0 Remove incorrect copied comment 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott e17a8fd9fd Remove unneeded warning from internal headers 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 4684525ae9 Remove unrequired mpis from sign operation struct 
These are only used at the output stage.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 6ee2408d26 Remove deterministic alg restriction on sign hash 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 068fe07740 Improve indentation of hash start functions 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 7cc4e816c1 Ensure max ops gets set regardless of having built-in implementation 
Set the psa level global anyway, regardless of having a built in
implementation, to match the set function. Also, ensure that value returned
is the same as value passed in, irregardless of internal implementation
requirements.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 59ad9457b6 Add {sign/verify}_hash_abort_internal 
Ensure that num_ops is cleared when manual abort is called, but obviously not
when an operation just completes, and test this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 296ede99c9 Fix issues with get_{sign/verify}_num_ops 
Move to accumulate ops in context rather than attempting to read straight out
of structures due to structure ops getting reset per operation, and also
issues with _abort clearing internal data. Fix usage of size_t in structures

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 588f8ed498 Add internal implementation 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Paul Elliott 2ba002cc2f Make ECDSA restartable sign and verify functions public 
Make public the versions of ECSDA sign and verify which return raw signatures
rather than returning ASN.1 encoded signatures, in order to use them for the
internal implemention of psa_sign/verify_hash_interruptible.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 23:34:29 +00:00
Gabor Mezei 7e6fcc1fbc
Update documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:19:09 +01:00
Gabor Mezei cf228706cd
Restrict input parameter size for ecp_mod_p521_raw 
The imput mpi parameter must have twice as many limbs as the modulus.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:19:08 +01:00
Gabor Mezei d10d429380
Stack usage optimization for mod_p521 
Instead of creating an mpi on the stack, reuse the unused part of the input mpi.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:51 +01:00
Janos Follath fe24e91a34
mod_p521: document reduction algorithm 
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:50 +01:00
Janos Follath 666673e83f
modp521: apply naming conventions 
Apply the usual parameter name and align the local variables and
comments. This naming diverges from the standard notation, but this is
beneficial as our variable meanings diverge as well and the difference
can help avoiding confusion.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:50 +01:00
Janos Follath 13c3aa13af
Revert changes to mod_p521 flow 
It is not necessary to save the middle limb upfront as overwriting it is
the desired result: in the first step we are reducing modulo
2^{512+biL}.

Arguably, the original flow is more intuitive and easier to see the idea
behind it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:50 +01:00
Gabor Mezei 6bfbd36507
Fix coding style issues 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:49 +01:00
Gabor Mezei b62ad5d569
Rename function to follow naming convention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:48 +01:00
Gabor Mezei b1c62caa1f
Add documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:13:48 +01:00
Gabor Mezei 2cb630edee
Change the ecp_mod_p521_raw to be testable 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:05:22 +01:00
Gabor Mezei 8450ab9c60
Fix Secp521r1 reduction 
The prototype calculated with wrong limb size and not taken into account
the overflow in the shared limb.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:03:03 +01:00
Gabor Mezei 42df16c84b
Extract Secp521r1 from the prototype 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-15 18:02:57 +01:00
David Horstmann f51851dc70 Change += to |= for clearer semantics 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-15 15:44:24 +00:00
Gilles Peskine e2a9f86755
Merge pull request #6971 from gabor-mezei-arm/6026_Secp192r1_fast_reduction 
Extract Secp192r1 fast reduction from the prototype
 2023-02-15 16:22:36 +01:00
David Horstmann 34b3f1b757 Make overflow checks more readable 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-15 13:46:53 +00:00
Paul Elliott 9fe12f666b PSA level initial implementation 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 12:13:17 +00:00
Paul Elliott 2d247923e5 Initial empty driver wrapper implementation 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-15 12:13:17 +00:00
David Horstmann 9c1887c4c7 Disallow overlong encoding when parsing OIDs 
OID subidentifiers are encoded as follow. For every byte:
* The top bit is 1 if there is another byte to come, 0 if this is the
last byte.
* The other 7 bits form 7 bits of the number. These groups of 7 are
concatenated together in big-endian order.

Overlong encodings are explicitly disallowed by the BER/DER/X690
specification. For example, the number 1 cannot be encoded as:

0x80 0x80 0x01

It must be encoded as:

0x01

Enforce this in Mbed TLS' OID DER-to-string parser.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-15 12:02:27 +00:00
Jerry Yu 64e5d4a2cd Replace error output with target pragma if possible 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-15 11:58:48 +08:00
Jerry Yu 35f2b26fd8 move cpu modifier flags check to source file 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-15 11:58:48 +08:00
Gilles Peskine edc6ae9578
Merge pull request #7090 from paul-elliott-arm/fix_iar_warnings_dev 
Fix IAR Warnings
 2023-02-14 20:01:00 +01:00
Gilles Peskine ed73355d2e Make \retval commands non-empty 
Pacify Clang >=15 which complained:
```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

This commit performs the following systematic replacement:
```
perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja')
```
i.e. add an `\emptydescription` argument to `\retval` commands (or
`@retval`, which we don't normally used) that are followed by a single word,
unless the next line looks like it contains text which would be the
description.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-02-14 19:21:09 +01:00
David Horstmann c7f700c795 Fix incorrect printing of OIDs 
The first 2 components of an OID are combined together into the same
subidentifier via the formula:

subidentifier = (component1 * 40) + component2

The current code extracts component1 and component2 using division and
modulo as one would expect. However, there is a subtlety in the
specification[1]:

>This packing of the first two object identifier components recognizes
>that only three values are allocated from the root node, and at most
>39 subsequent values from nodes reached by X = 0 and X = 1.

If the root node (component1) is 2, the subsequent node (component2)
may be greater than 38. For example, the following are real OIDs:
* 2.40.0.25, UPU standard S25
* 2.49.0.0.826.0, Met Office
* 2.999, Allocated example OID

This has 2 implications that the current parsing code does not take
account of:
1. The second component may be > 39, so (subidentifier % 40) is not
correct in all circumstances.
2. The first subidentifier (containing the first 2 components) may be
more than one byte long. Currently we assume it is just 1 byte.

Improve parsing code to deal with these cases correctly.

[1] Rec. ITU-T X.690 (02/2021), 8.19.4

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-02-14 17:00:25 +00:00
Gabor Mezei 0b4b8e3c5e
Update documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-14 16:36:38 +01:00
Dave Rodgman 319a5675db
Merge pull request #7084 from daverodgman/sizemax-uintmax 
Assume SIZE_MAX >= INT_MAX, UINT_MAX
 2023-02-14 10:06:22 +00:00
Ronald Cron 70341c17b7
Merge pull request #6773 from yanrayw/6675-change-early_secrets-to-local 
TLS 1.3: Key Generation: Change tls13_early_secrets to local variable
 2023-02-14 09:03:32 +01:00
Paul Elliott 1748de160a Fix IAR Warnings 
IAR was warning that conditional execution could bypass initialisation of
variables, although those same variables were not used uninitialised.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-02-13 15:35:35 +00:00
Gabor Mezei a264831cff
Update documentation and add comments 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-13 16:29:05 +01:00
Andrzej Kurek 7a05fab716 Added the uniformResourceIdentifier subtype for the subjectAltName. 
Co-authored-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-02-13 10:03:07 -05:00
Manuel Pégourié-Gonnard d3d8c852a0
Merge pull request #6997 from valeriosetti/issue6858 
driver-only ECDSA: get testing parity in X.509
 2023-02-13 15:30:06 +01:00
Valerio Setti 178b5bdddf pk: move MBEDTLS_PK_CAN_ECDSA_SOME macro to pk.h and fix tests 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-13 11:15:06 +01:00
Jerry Yu b2783f66b5 fix typo issue 
The error message is wrong

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-13 18:03:25 +08:00
Dave Rodgman ab1f3c153a
Merge pull request #7081 from tom-cosgrove-arm/dont-use-lstrlenW 2023-02-10 20:50:07 +00:00
Dave Rodgman 4a5c9ee7f2 Remove redundant SIZE_MAX guards 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-10 16:03:44 +00:00
Gilles Peskine b8531c4b0b
Merge pull request #6882 from AndrzejKurek/x509_san_parsing_testing-dev 
X.509: Fix bug in SAN parsing and enhance negative testing
 2023-02-10 15:05:32 +01:00
Dave Rodgman f691268ee9 Add missing initialisers 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour 35598adb78 pkcs7: Check that hash algs are in digestAlgorithms 
Since only a single hash algorithm is currenlty supported, this avoids
having to perform hashing more than once.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour 6cfc469296 pkcs7: reject signatures with internal data 
A CMS signature can have internal data, but mbedTLS does not support
verifying such signatures.  Reject them during parsing.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour e373a254c4 pkcs7: do not store content type OIDs 
They will always be constant.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour 55d9df25ef Simple cleanup 
No change in behavior.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour 4ec8355795 Check for junk after SignedData 
There must not be any.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour aaf3c0028d pkcs7: do not store content type OID 
Since only one content type (signed data) is supported, storing the
content type just wastes memory.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
 2023-02-10 12:56:10 +00:00
Demi Marie Obenour 512818b1d2 pkcs7: check that content lengths fill whole buffer 
Otherwise invalid data could be accepted.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-10 12:56:10 +00:00
Dave Rodgman a22749e749
Merge pull request #6816 from nick-child-ibm/pkcs7_coverage 
Pkcs7 coverage
 2023-02-10 12:55:29 +00:00
Tom Cosgrove b96c309395 Don't use lstrlenW() on Windows 
The lstrlenW() function isn't available to UWP apps, and isn't necessary, since
when given -1, WideCharToMultiByte() will process the terminating null character
itself (and the length returned by the function includes this character).

Resolves #2994

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-02-10 12:52:13 +00:00
Ronald Cron 834e65d47f
Merge pull request #6499 from xkqian/tls13_write_end_of_early_data 
Tls13 write end of early data
 2023-02-10 11:08:22 +01:00
Dave Rodgman 78c6f40736
Fix code-style 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-09 09:21:14 +00:00
Nick Child 14f255f332 pkcs7: Remove unnecessary dependencies 
stdio, stdlib and string header files are not
used. Remove them.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2023-02-08 15:38:48 +00:00
Valerio Setti ce0caa3384 oid: fix comment in #endif 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:52:31 +01:00
Valerio Setti f972ce8d69 oid: replace ECDSA_C with new macros for ECDSA capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:52:31 +01:00
Valerio Setti 80d0798ae8 pk_wrap: use new macros for ECDSA capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:49:17 +01:00
Valerio Setti 5c032b5e1b pk_wrap: fix comment in ecdsa_verify_wrap 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:39:10 +01:00
Valerio Setti b761b15f06 fix code style 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:39:10 +01:00
Valerio Setti 1337a4f334 pk_wrap: use specific lengths for EC's private key and key-pair 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:39:10 +01:00
Valerio Setti 5bc52248ef pk_wrap: fix for DETERMINISTIC_ECDSA case in ecdsa_sign_wrap() 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-08 13:39:10 +01:00
Gilles Peskine 8a6022e948 Clean up header inclusions in pk_wrap.c 
To better reflect what the code relies on, limit the headers that are
included when MBEDTLS_USE_PSA_CRYPTO is disabled. Also stop including
"pkwrite.h" when it is no longer needed.

Include "mbedlts/platform_util.h" unconditionally. It was only included for
RSA ALT but was also used for MBEDTLS_USE_PSA_CRYPTO (the code worked
because other headers include "mbedtls/platform_util.h").

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-02-08 13:39:10 +01:00
Gilles Peskine 13caa94746 Don't use pk_write in ecdsa_sign_wrap with USE_PSA_CRYPTO 
Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_sign_wrap() was calling
mbedtls_pk_write_key_der() to write a private key in SEC1 format, only to
then extract the part that represents the private value which is what
psa_import_key() actually wants. Instead, call an mpi function to directly
get the private key in the desired format.

This slightly reduces the code size and stack usage, and removes a
dependency on pk_write.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-02-08 13:39:10 +01:00
Gilles Peskine b4a87b07f8 Don't use pk_write in ecdsa_verify_wrap with USE_PSA_CRYPTO 
Under MBEDTLS_USE_PSA_CRYPTO, ecdsa_verify_wrap() was calling
mbedtls_pk_write_pubkey() to write a public key in the form of a
subjectPublicKey, only to then extract the part that represents the EC
point which psa_import_key() actually wants. Instead, call an ecp
function to directly get the public key in the desired format (just the
point).

This slightly reduces the code size and stack usage, and removes a
dependency on pk_write.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-02-08 13:39:10 +01:00
Pol Henarejos b3b220cbf8
Correct style. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2023-02-08 12:52:18 +01:00
Xiaokang Qian 0de0d863b6 Rebase code to restore reco-delay and fix some style issues 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 07:41:42 +00:00
Xiaokang Qian 8dc4ce76c7 Fix various coding style and comment issues 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 6b980011e5 Replace session_negotiate->ciphersuite with handshake->ciphersuite_info->id 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 53c4c27d35 Update the comment of ciphersuite check for early data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 64bc9bc33d Add comments to describe the early data behavior-encrypt/rejected... 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian e04afdc44f Refine the condition of whether re-generate early keys 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian eb31cbc791 Share the hash check code between ticket and external psk 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 4ef8ba2938 Assign the ciphersuite in finalize_hrr{server_hello} 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian bb883244aa Remove useless comments of outbound switch 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 02f5e14073 Combine the alert check of selected_id and ciphercuite 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 934ce6f6a9 Rename the finalize_client{server}_hello() 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian ac4c625dea Add hash check of ciphersuite for ticket psk 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 6be8290aba Change to CCS after client hello only if we offer early data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 7179f810f1 Restore the empty lines 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian b58462157e Refine the ciphersuite and select id check for early data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 44051f6376 Refine the state change after write client hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 7892b6caad Refine the comment about generating early secrects in post server hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian bd0ab06d50 Skip CCS once we proposed early data even it is rejected 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian f6d8fd3d6b Improve the coding style of new lines 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:48 +00:00
Xiaokang Qian 79f77528f5 Move state change to finalize client hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 3f616c2493 Move selected_identity zero check to post_server_hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 1d8e86ce00 Get hash_alg by mbedtls_psa_translate_md 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian ea28a78384 Revert new field and check ciphersuite match when resume by exist info_id 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 4224244883 Improve coding styles and add comments 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 33ff868dca Fix various errors 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 43a83f247c Move the place where call set_outbound_transform to switch handshake key 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 907461319a Fix compile error and warnings 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian f10f474981 Check server selected cipher suite indicating a Hash associated with the PSK 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 592021aceb Add CCS after client hello in case of early data and comp mode 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian 303f82c5b9 Skip generating early secrets in some cases 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:47 +00:00
Xiaokang Qian b46275c7ec Add TLS1_3 guard to finalize_write_client_hello() to fix compile issue 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:47:43 +00:00
Xiaokang Qian 2a674937dd Pend a illeagal allert when selected_identity isn't 0 
Handshake should abort will illeagal parameter allert when
receiving early data extentions but the selected_identity
parsed from pre-share key isn't equal to 0.

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:46:48 +00:00
Xiaokang Qian 126929f825 Move early keys generation into mbedtls_ssl_tls13_finalize_write_client_hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:46:45 +00:00
Xiaokang Qian 19d4416a45 Refine code to remove finalize_write_end_of_early_data() 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 7094f66879 Remove useless duplicted mbedtls_ssl_tls13_ticket_get_psk 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 854db28bb7 Set hs_psk,ciphercuit_info and kex mode when writing pre-share key 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 57a138d5c3 Update message log for end of early data test cases 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 742578ca2c Remove end_of_early_data_coordinate() to align with exist style 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian bc75bc0c3a Switch to MBEDTLS_SSL_END_OF_EARLY_DATA as needed 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian c81a15a019 Change the comment format of end_of_early_data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 7ed30e59af Fix the issue that gnutls server doesn't support packet 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:44:00 +00:00
Xiaokang Qian 8804e6d0ac Put kex_exchange_mode in the guard of TLS13 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian da8402dde6 Switch outbound back to handshake key after end_of_early_data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian bf09376bda Remove useless prepare_write_end_of_early_data 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian df6f52e2b2 Generate early key and switch outbound key to it after write client hello 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian d05ac5dfce Add extern apis mbedtls_ticket_get_psk. 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian 32af4fbbdb Set ciphersuite info and kex mode in set_session in re-connection 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:59 +00:00
Xiaokang Qian 34aab55aa7 Add prepare function to switch transform to early keys 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:58 +00:00
Xiaokang Qian 125afcb060 Add end-of-early-data write 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-02-08 05:43:58 +00:00
Pol Henarejos a6779287e8
Style. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2023-02-08 00:50:04 +01:00
Nick Child 3dafc6c3b3 pkcs7: Drop support for signature in contentInfo of signed data 
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.

Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
 - Demi Marie Obenour <demiobenour@gmail.com>
 - Dave Rodgman <dave.rodgman@arm.com>

Signed-off-by: Nick Child <nick.child@ibm.com>
 2023-02-07 20:04:52 +00:00
Pol Henarejos 4e747337ee
Merge branch 'development' into sha3 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2023-02-07 19:55:31 +01:00
Valerio Setti 5b16e9eabc pk_wrap: keep ECDSA_C for ECP_RESTARTABLE contexts 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 16:21:36 +01:00
Hanno Becker dae916b05f X.509: Add length consistency checks to x509_get_other_name() 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-02-07 05:24:32 -05:00
Hanno Becker 2a15a0c868 X.509: Remove red'n bounds checks and zeroiz'n in OtherName parsing 
- ASN.1 parsing functions check that length don't exceed buffer bounds,
  so checks `p + len > end` are redundant.
- If `p + len == end`, this is erroneous because we expect further fields,
  which is automatically caught by the next ASN.1 parsing call.

Hence, the two branches handling `p + len >= end` in x509_get_other_name()
can be removed.

Further, zeroization of the `other_name` structure isn't necessary
because it's not confidential (and it's also not performed on other
error conditions in this function).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-02-07 05:15:27 -05:00
Hanno Becker ae8f8c435c Fix X.509 SAN parsing 
Fixes #2838. See the issue description for more information.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
 2023-02-07 05:10:27 -05:00
Jerry Yu 2bb3d8101f Add en(de)crypt routine 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-07 17:11:53 +08:00
Jerry Yu e096da1af6 Add inverse key function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-07 17:11:52 +08:00
Jerry Yu 3f2fb71072 Add key expansion for encrypt 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-07 17:11:52 +08:00
Jerry Yu b95c776c43 Add linux runtime detection 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-07 17:11:52 +08:00
Jerry Yu 49231319fd Add empty aesce files 
For time being, we only support gcc and clang

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-02-07 17:11:52 +08:00
Valerio Setti 1cdddacc62 pk_wrap: use proper macros for sign and verify 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Valerio Setti 5c593af271 pk_wrap: fix comment on closing #endif 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Valerio Setti 24138d9f83 pk_wrap: re-use identical functions for eckey and ecdsa when possible 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Valerio Setti 7ca1318256 pk: add new symbol for generic ECDSA capability 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Valerio Setti 9e30dd882d removing a leftover printf from debug 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Valerio Setti ab363d9fe1 pk/pk_wrap: replace ECDSA_C with generic ECDSA capabilities' defines 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-02-07 08:02:23 +01:00
Gabor Mezei 63aae68b8f
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-02-06 16:24:08 +01:00
Gilles Peskine 0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3 
Parsing v3 extensions from a CSR - v.2
 2023-02-03 16:41:11 +01:00
Gilles Peskine 80c552556a
Merge pull request #6791 from yanrayw/6675-change-some-key-generation-funcs-to-static 
TLS 1.3: Key Generation: change some key generation functions to static
 2023-02-03 11:56:35 +01:00
Yanray Wang f206c1493b Remove duplicate mbedtls_platform_zeroize for tls13_early_secrets 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-02-03 13:55:47 +08:00
Dave Rodgman 6dd757a8ba Fix use of sizeof without brackets 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-02-02 12:40:50 +00:00
Nick Child 282d50493a pkcs7: Remove duplicate oid condition 
MBEDTLS_OID_PKCS7_ENCRYPTED_DATA was listed twice in
the oid conditional. Remove one of them.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2023-02-01 18:32:55 +00:00
Gilles Peskine 24c6f49530
Merge pull request #7005 from tom-cosgrove-arm/fix-doxygen-typos-in-new-bignum 
Fix typos in doxygen commands in new bignum modules
 2023-02-01 19:05:04 +01:00
Gilles Peskine a193986aab
Merge pull request #6942 from ucko/2023a-bignum 
mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701).
 2023-02-01 11:36:25 +01:00
Tom Cosgrove 8a1f784ece Fix typos in doxygen commands in new bignum modules 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-02-01 08:43:54 +00:00
Yanray Wang a12cecbe47 Modify some comments in ssl_tls13_keys.c 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-02-01 14:29:51 +08:00
Nick Child 3bd17f2f58 pkcs7: Use end_issuer_and_sn where appropriate 
There were some areas where `end_signer` were being
used when it makes more sense to use `end_issuer_and_sn`,
as pointed out by demiobenour@gmail.com.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2023-01-31 20:42:26 +00:00
Gabor Mezei 2038ce976e
Rename function to follow naming convention 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-31 14:40:05 +01:00
Gabor Mezei 9b290b33e4
Add documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-31 14:40:05 +01:00
Gabor Mezei deece2bb65
Change the ecp_mod_p192_raw to be testable 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-31 14:40:05 +01:00
Gabor Mezei b5bba497fe
Extract Secp192r1 from the prototype 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-31 14:40:05 +01:00
Gilles Peskine f6b9823422
Merge pull request #6979 from daverodgman/const-time-asm-vol 
Inhibit compiler from optimising out const-time asm
 2023-01-31 11:28:45 +01:00
Gilles Peskine 470f10cfc5
Merge pull request #6941 from gabor-mezei-arm/6375_quasi-reduction_function 
Add function to fix quasi-reduction
 2023-01-31 11:25:25 +01:00
Nick Child ec81709516 pkcs7: Ensure all data in asn1 structure is accounted for 
Several PKCS7 invalid ASN1 Tests were failing due to extra
data bytes or incorrect content lengths going unnoticed. Make
the parser aware of possible malformed ASN1 data.

Signed-off-by: Nick Child <nick.child@ibm.com>
 2023-01-30 16:44:58 +00:00
Gabor Mezei db1607fa69
Remove unneeded include 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-30 16:27:48 +01:00
Manuel Pégourié-Gonnard aae61257d1
Merge pull request #6883 from valeriosetti/issue6843 
Improve X.509 cert writing serial number management
 2023-01-30 13:08:57 +01:00
Dave Rodgman 4610d4b7a6 Inhibit compiler from optimising out const-time asm 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-30 09:26:48 +00:00
Jerry Yu 947fd3d6ea Implement ms time with GetSystemTimeAsFile time. 
There's a potential race condition with calling time(NULL) after
GetSystemTime().

See
https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/march/implementing-a-high-resolution-time-provider-for-windows

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-01-30 15:45:25 +08:00
Manuel Pégourié-Gonnard 169d9e6eb4
Merge pull request #6802 from gilles-peskine-arm/test_suite_psa_crypto_metadata-20221215 
Add metadata tests for CCM* and TLS1.2-ECJPAKE-to-PMS
 2023-01-27 10:05:00 +01:00
Przemek Stekiel 36ad5e7ab5 Fix code style 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-26 22:30:45 +01:00
Valerio Setti af4815c6a4 x509: replace/fix name of new function for setting serial 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-01-26 17:43:09 +01:00
Janos Follath 803638c023
Merge pull request #6939 from minosgalanakis/bignum/6027_hardcode_montgomery_moduli 
Bignum: hardcode montgomery moduli
 2023-01-25 16:51:11 +00:00
Przemek Stekiel 32e20919ac Remove redundant check and add comment to inform about processing of empty extensions 
Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules, Chapter 18: Extension-Specific Policy Modules, Netscape Certificate Type Extension Policy:
> The extension has no default value.

A bitstring with no flags set is still technically valid, as it will mean that the certificate has no designated purpose at the time of creation.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-25 16:20:25 +01:00
Gabor Mezei 9a66ab180c
Fix missing declarration 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-25 13:23:38 +01:00
Przemek Stekiel 94e21e153f Skip unsupported extensions 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-25 11:08:32 +01:00
Gilles Peskine 8296eabed6
Merge pull request #6957 from tom-cosgrove-arm/fix-spelling-of-doxygen-return 
Fix doxygen return parameter spelling
 2023-01-24 21:56:45 +01:00
Gilles Peskine 3b8623fe2c
Merge pull request #6903 from Mihir-Raj-Singh/Bignum_rename_mtoN 
Rename modulus input argument from m to N
 2023-01-24 21:48:54 +01:00
Gabor Mezei 627e5b1f91
Only enable fix_quasi_reduction when testing 
Avoid compiler error due to the fix_quasi_reduction function
is static and has not been used.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-24 18:13:24 +01:00
Przemek Stekiel a468768000 Dealocate memory for subject alt names 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 15:19:47 +01:00
Przemek Stekiel 86d1946164 Fix error codes returned on failures 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 11:20:10 +01:00
Przemek Stekiel cf6ff0fb43 Move common functions for crt/csr parsing to x509.c 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 10:57:19 +01:00
Przemek Stekiel db128f518c Allow empty ns_cert_type, key_usage while parsing certificates 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 10:57:19 +01:00
Przemek Stekiel 21c37288e5 Adapt function names 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 10:57:19 +01:00
Przemek Stekiel cbaf3167dd mbedtls_x509_csr_info: Add parsing code for v3 csr extensions 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 10:57:19 +01:00
Jens Alfke 2d9e359275 Parsing v3 extensions from a CSR 
A parsed CSR struct (`mbedtls_x509_csr`) now includes some of the
X.509v3 extensions included in the CSR -- the key usage, Netscape
cert-type, and Subject Alternative Names.

Author: Jens Alfke <jens@couchbase.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
 2023-01-24 10:56:55 +01:00
Gabor Mezei a24fd06451
Update documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-23 19:10:26 +01:00
Gabor Mezei 9073f7dd3b
Remove unneeded check 
The fix_quasi_reduction function changed to static so checking the
invalid arguments are not needed anymore.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-23 19:05:37 +01:00
Gabor Mezei e81a2b85c9
Change the fix_quasi_reduction function to static 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-23 18:58:20 +01:00
Gabor Mezei aaa1d2a276
Move the quasi reduction fixing function to bignum_mod_raw 
Rename the function to 'fix_quasi_reduction' to better suite its functionality.
Also changed the name prefix to suite for the new module.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-23 18:55:57 +01:00
Tom Cosgrove 37dabd540b Fix doxygen return parameter spelling 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-01-23 16:57:26 +00:00
Minos Galanakis 8692ec8bc0 pkarse: Added pk_group_id_from_specified() documentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-23 10:33:06 +00:00
Dave Rodgman 7658b63390 Remove volatile from diff; add explanatory comment 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman fa96026a0e Move definition of asm out of public header 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman 7f376fa6fc Improve documentation 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman b9cd19bc8c Prevent perf regressions in mbedtls_xor 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman 051225d07a Address potential perf regression 
Ensure platforms that don't have an assembly implementation for
mbedtls_get_unaligned_volatile_uint32() don't experience a performance
regression.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman 36dfc5a237 Improve efficiency of some constant time functions 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Dave Rodgman cb0f2c4491 Tidy-up - move asm #define into build_info.h 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-20 14:04:48 +00:00
Minos Galanakis c8e381ab1c pkarse: Update pk_group_id_from_specified() clean-up. 
This path updates the clean-up logic of to individually
free each of the the group's structure members
rather than invoke `mbedtls_ecp_group_free()`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-19 16:15:11 +00:00
Minos Galanakis e9fa7a74cd ecp_curves: Update pre-processor define guards for ecp_mpi_load(). 
This patch adjusts the logic, so that the method is included,
when the following components are enabled:

* MBEDTLS_ECP_DP_CURVE448_ENABLED
* MBEDTLS_ECP_DP_CURVE25519_ENABLED
* ECP_LOAD_GROUP

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-19 16:12:07 +00:00
Minos Galanakis d61dbd4df7 ecp_curves: Update mbedtls_ecp_group_free(). 
This patch updates the method to not free the `grp->P`
and `grp->N` structure members.

The contents of `P` and `N` are stored in static memory at
`curve448_p/n` and `curve25519p/n` and no longer dynamically
allocated.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-19 16:11:55 +00:00
Minos Galanakis 146fed9849 ecp_curves: Hardcode Montgomery const for curve448. 
This patch adds two embedded constants used by `ecp_use_curve448()`.
The method has been updated to read that into an mpi instead of
calculating it on the fly.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-19 16:11:50 +00:00
Minos Galanakis bececeb0b9 ecp_curves: Hardcod Montgomery const for curve25519 
This patch adds two embedded constants used by `ecp_use_curve25519()`.
The method has been updated to read that into an mpi instead of
calculating it on the fly.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-01-19 11:38:19 +00:00
Gilles Peskine bb3814c7a8 Reject key agreement chained with PSA_ALG_TLS12_ECJPAKE_TO_PMS 
The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
used on a shared secret from a key agreement since its input must be
an ECC public key. Reject this properly.

This is tested by test_suite_psa_crypto_op_fail.generated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-01-19 12:11:23 +01:00
Aaron M. Ucko af67d2c1cf mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701). 
In some contexts, the output pointer may equal the first input
pointer, in which case copying is not only superfluous but results in
"Source and destination overlap in memcpy" errors from Valgrind (as I
observed in the context of ecp_double_jac) and a diagnostic message
from TrustInSoft Analyzer (as Pascal Cuoq reported in the context of
other ECP functions called by cert-app with a suitable certificate).

Signed-off-by: Aaron M. Ucko <ucko@ncbi.nlm.nih.gov>
 2023-01-17 11:52:22 -05:00
Gabor Mezei c83f792c18
Add documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-17 13:28:06 +01:00
Gabor Mezei 9684d4dc58
Add quasi-reduction function for ecp 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2023-01-17 13:16:46 +01:00
Mihir Raj Singh 432cacf5c2 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_neg() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-17 11:25:26 +05:30
Mihir Raj Singh b0354c5b71 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_from_mont_rep() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:11:18 +05:30
Mihir Raj Singh 37ece7292a bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_to_mont_rep() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:10:40 +05:30
Mihir Raj Singh 01e861ff9e bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_write() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:10:00 +05:30
Mihir Raj Singh cd17ff0354 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_read() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:09:12 +05:30
Mihir Raj Singh a43290d556 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_write() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:08:17 +05:30
Mihir Raj Singh fdc314b6fe bignum_mod: Renamed m -> N in mbedtls_mpi_mod_read() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:06:16 +05:30
Mihir Raj Singh 928a07ba49 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_free 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:04:37 +05:30
Mihir Raj Singh f438ad1ab9 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_setup() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:03:06 +05:30
Mihir Raj Singh b6fa940fc4 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_init() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:02:04 +05:30
Mihir Raj Singh b13a58938a bignum_mod: Renamed m -> N in mbedtls_mpi_mod_residue_setup() 
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
 2023-01-16 23:01:25 +05:30
Pengyu Lv 9b84ea75de remove ssl_tls13_has_compat_ticket_flags 
This content of the function is moved to
ssl_tls13_has_configured_ticket.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-16 14:08:23 +08:00
Pengyu Lv e2f1dbf5ae update docs of ssl_client2 and improve code format 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-16 12:38:12 +08:00
Pengyu Lv 4938a566bf refine ticket_flags printing helper 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-16 11:28:49 +08:00
Pengyu Lv acecf9c95b make ticket_flags param types consistent 
When ticket_flags used as parameter, use unsigned int,
instead of uint8_t or mbedtls_ssl_tls13_ticket_flags.Also
remove the definition of mbedtls_ssl_tls13_ticket_flags.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-16 11:23:24 +08:00
Pengyu Lv 3643fdbab9 refine the state setting in tls13_handshake_wrapup 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:06:02 +08:00
Pengyu Lv ee455c01ce move ticket_flags debug helpers 
The debug helpers printing ticket_flags status are
moved to ssl_tls.c and ssl_debug_helpers.h.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:06:01 +08:00
Pengyu Lv 189465306d remove MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE error 
Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags
are not compatible with advertised key exchange mode.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:06:00 +08:00
Pengyu Lv 80270b2151 rename ticket_flags helper functions to generic ones 
Ticket flags is quite generic and may make sense in the
future versions of TLS or even in TLS 1.2 with new
extensions. This change remane the ticket_flags helper
functions with more generic `mbedtls_ssl_session` prefix
instead of `mbedtls_ssl_tls13_session`.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:59 +08:00
Pengyu Lv a1aa31b8b1 fix review comments 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:58 +08:00
Pengyu Lv 1735ba30ea fix review comments 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:57 +08:00
Pengyu Lv 9eacb44a5e improve code format and readability 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:57 +08:00
Pengyu Lv 9356678047 filter the tickets with tls13_kex_mode on client side. 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:56 +08:00
Pengyu Lv e6487fe3c2 guard tls13_kex_modes related function calls with macro 
Handshake parameter field, tls13_kex_mode is only valid when
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED is set.
So, any functions / calls should be guarded by this macros.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:55 +08:00
Pengyu Lv 3eb49be6a8 move kex mode check in ticket_flags to psks_check_identity_match_ticket 
Move the kex mode check in ticket_flags to
ssl_tls13_offered_psks_check_identity_match_ticket and add new error
'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check
failure.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:55 +08:00
Pengyu Lv c7af2c4f8c tls13: send new session ticket only when client supports psk 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:54 +08:00
Pengyu Lv c55eeb682d tls13: check if the session ticket is compatible with key exchange modes 
The server check if the ticket_flags is compatible with the advertised
key exchange modes in Pre-Shared Key Exchange Modes extension. The
incompatible ticket should be mark as not matched.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:53 +08:00
Pengyu Lv 9f92695c8d tls13: set key exchange mode in ticket_flags on client/server 
Set the ticket_flags when:
  - server: preparing NST (new session ticket) message
  - client: postprocessing NST message

Clear the ticket_flags when:
  - server: preparing NST message
  - client: parsing NST message

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:53 +08:00
Pengyu Lv b7d50acb37 tls13: add helpers to manipulate ticket_flags 
Add helper functions to get/set/clear ticket_flags.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:52 +08:00
Pengyu Lv 5b8dcd2097 Add debug helper to print ticket_flags status 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-01-13 11:05:52 +08:00
Valerio Setti 856cec45eb test: x509: add more tests for checking certificate serial 
- added 2 new certificates: 1 for testing a serial which is full lenght
  and another one for a serial which starts with 0x80

- added also proper Makefile and openssl configuration file to generate
  these 2 new certificates

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:45 +01:00
Valerio Setti 4752aac11d x509: enhancement and fixes 
- enhance mbedtls_x509write_crt_set_serial(): avoid use of useless
  temporary buffer

- fix mbedtls_x509write_crt_der(): add an extra 0x00 byte at the
  beginning of serial if the MSb of serial is 1, as required from
  ASN.1

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:44 +01:00
Valerio Setti 746def5ade x509: renaming of buffer variables in new serial setting function 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:44 +01:00
Valerio Setti acf12fb744 x509: fix endianness and input data format for x509write_crt_set_serial_new 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:44 +01:00
Valerio Setti 5d164c4e23 fix: add missing deprecation guards 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:44 +01:00
Valerio Setti da0afcc2fb x509: remove direct dependency from BIGNUM_C 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-12 17:01:44 +01:00
Jerry Yu 38257491aa Add milliseconds time function 
We provide windows and posix implementation for it.
With MBEDTLS_PLATFORM_MS_TIME_ALT, user can provide
their own implementation.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-01-12 18:01:14 +08:00
Yanray Wang ef5ec8f5ba Rename static functions in ssl_tls13_keys.c 
As some static functions are only used inside ssl_tls13_keys.c,
the prefix mbedtls_ should be removed. Furthermore, code format is
also maintained to fix code style.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-01-12 15:11:03 +08:00
Yanray Wang 0540211078 Enhancement: change some functions to static in ssl_tls13_keys.c 
Since some functions are only used in ssl_tls13_keys.c not by any
other modules, those functions are changed to static.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-01-12 14:54:26 +08:00
Yanray Wang 16c895dff3 TLS1.3: zeroize tls13_early_secrets after its lifetime 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-01-12 14:27:06 +08:00
Yanray Wang bae9e74d39 Enhancement: change tls13_early_secrets to local variable 
Since tls13_early_secrets is only temperately used in the function,
there is no need to keep it in the handshake context.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-01-12 14:27:06 +08:00
Gilles Peskine 449bd8303e Switch to the new code style 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-01-11 14:50:10 +01:00
Gilles Peskine 03e99cf14d Remove redundant error code definitions 
We're including psa/crypto_values.h, which defines the necessary error
codes. Remove redundant definitions, which hurt because they need to be
styled in exactly the same way (same presence/absence of spaces between
tokens).

This completes the fix of https://github.com/Mbed-TLS/mbedtls/issues/6875.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-01-11 11:15:18 +01:00
Ronald Cron 83c5ad4873
Merge pull request #6787 from yuhaoth/pr/workaround-gnutls_anti_replay_fail 
TLS 1.3: EarlyData: Workaround anti replay fail from GnuTLS
 2023-01-11 09:05:36 +01:00
Gilles Peskine 0770efe4e1
Merge pull request #6888 from daverodgman/iar-bignum-warning 
Fix IAR warning
 2023-01-10 22:08:37 +01:00
Manuel Pégourié-Gonnard 28d4d43416
Merge pull request #6863 from valeriosetti/issue6830 
Remove uses of mbedtls_ecp_curve_info in TLS (with USE_PSA)
 2023-01-10 10:01:17 +01:00
Jerry Yu 3e60cada5d Improve comment and changlog 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-01-10 14:58:08 +08:00
Valerio Setti a0b97bc803 fix wrong type in debug message 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-09 19:10:32 +01:00
Valerio Setti 1e868ccbac fix several typos and extra blank spaces 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-09 17:59:46 +01:00
Valerio Setti 2b5d3ded1f remove remaining occurencies of mbedtls_ecc_group_to_psa() from TLS 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-09 11:04:52 +01:00
Jerry Yu bdb936b7a5 Workaround anti replay fail of GnuTLS 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-01-07 20:19:55 +08:00
Glenn Strauss 14db51224e Fix IAR warning 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-01-06 14:20:14 +00:00
Gilles Peskine cd0a565644
Merge pull request #6703 from yuhaoth/pr/tls13-misc-from-prototype 
TLS 1.3: Upstream misc fix from prototype
 2023-01-05 14:35:54 +01:00
David Horstmann bec95320ba Don't restyle end of file 
Move the *INDENT-ON* annotation to the end of the file so that
uncrustify does not restyle the later sections (since it introduces a
risk of future problems).

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-01-05 09:50:47 +00:00
David Horstmann cb3b6ae580 Disable code style correction for bignum assembly 
The inline assembly defined in bn_mul.h confuses code style parsing,
causing code style correction to fail. Disable code style correction for
the whole section gated by "#if defined(MBEDTLS_HAVE_ASM)" to prevent
this.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-01-04 17:50:08 +00:00
Valerio Setti 67419f0e11 tls: fix + save code size when DEBUG_C is not enabled 
Some PSA curves' symbols (PSA_WANT_) were not matching the corresponding
MBEDTLS_ECP_DP_. This was fixed together with the removal of extra code
when DEBUG_C is not enabled.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-04 17:36:00 +01:00
Valerio Setti 40d9ca907b tls: remove useless legacy function 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-04 16:08:04 +01:00
Valerio Setti 18c9fed857 tls: remove dependency from mbedtls_ecp_curve functions 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2023-01-03 13:03:34 +01:00
David Horstmann e3d8f31ba1 Workaround Uncrustify parsing of "asm" 
The following code:

 #ifndef asm
 #define asm __asm
 #endif

causes Uncrustify to stop correcting the rest of the file. This may be
due to parsing the "asm" keyword in the definition.

Work around this by wrapping the idiom in an *INDENT-OFF* comment
wherever it appears.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-01-03 11:07:09 +00:00
Manuel Pégourié-Gonnard 7a389ddc84
Merge pull request #6784 from valeriosetti/issue6702 
Make SHA224_C/SHA384_C independent from SHA256_C/SHA512_C
 2023-01-03 09:36:58 +01:00
Janos Follath b4b0bb737d
Merge pull request #5907 from mpg/use-psa-rsa-pss 
Use PSA more often in `pk_verify_ext()`
 2022-12-30 12:33:50 +00:00
Gilles Peskine b402e4bde1
Merge pull request #6595 from mfischer/lms_heap 
lms: Move merkle tree generation to heap allocation
 2022-12-23 18:29:04 +01:00
Valerio Setti 326cf46764 test: improved readability in sha self tests 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-23 14:57:18 +01:00
Manuel Pégourié-Gonnard 676766ff77
Merge pull request #6776 from gabor-mezei-arm/6222_bignum_mod_mul 
Bignum: Implement fixed width modular multiplication
 2022-12-23 10:39:30 +01:00
Manuel Pégourié-Gonnard 2fcb4c1d06
Merge pull request #6747 from gilles-peskine-arm/bignum-mod-random 
Bignum mod random
 2022-12-23 10:36:22 +01:00
Valerio Setti 543d00ef6f sha: remove SHA1 from ssl_cookie 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-22 14:27:34 +01:00
Manuel Pégourié-Gonnard 2510dd41bf
Merge pull request #6282 from gstrauss/sw_derive_y 
mbedtls_ecp_point_read_binary from compressed fmt
 2022-12-22 10:20:31 +01:00
Manuel Pégourié-Gonnard 4dacf58d6d Take advantage of now-public macro in pk.c 
Used to be private, hence the duplication, but that's been fixed in the
meantime, I guess we just missed this occurrence.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-12-21 09:50:17 +01:00
Manuel Pégourié-Gonnard 6958355a51 Use PSA Crypto more often in pk_verify_ext() 
See https://github.com/Mbed-TLS/mbedtls/issues/5277 - strategy 1.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-12-21 09:49:57 +01:00
Gilles Peskine e1d8326e90 Fix representation of mod-random output 
mbedtls_mpi_mod_raw_random() and mbedtls_mpi_mod_random() were producing
output in the Montgomery representation, instead of obeying the
representation chosen in the modulus structure. Fix this.

Duplicate the test cases for mod-random output to have separate test cases
for each representation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-20 20:28:02 +01:00
Gilles Peskine e655479528 Generalize representation handling in mbedtls_mpi_mod_read 
Call mbedtls_mpi_mod_raw_canonical_to_modulus_rep instead of assuming that
anything that isn't MBEDTLS_MPI_MOD_REP_MONTGOMERY is canonical.

mbedtls_mpi_mod_write should get the same treatment, but I'm holding off
until https://github.com/Mbed-TLS/mbedtls/issues/6679 is done.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-20 19:55:51 +01:00
Gilles Peskine eb2e77f617 Document modulus representation selectors 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-20 19:55:51 +01:00
Gilles Peskine 1e2a4d4089 Functions to convert raw residues to/from the modulus representation 
Test cases will be generated automatically by a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-20 19:55:51 +01:00
Gabor Mezei 496cd37bac
Use equality checking for NULL value 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-20 17:30:20 +01:00
Gabor Mezei 2840884c35
Typo 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-20 17:30:19 +01:00
Gabor Mezei 6a31b7252d
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-20 17:30:19 +01:00
Gabor Mezei 9db81e9cca
Add mod_mul function 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-20 17:30:13 +01:00
Glenn Strauss efde9d58de remove duplicated consecutive preproc directives 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-12-20 04:20:12 -05:00
Manuel Pégourié-Gonnard 8b6d14be8b Extract common code for computing X^3 + AX + B 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-12-20 04:17:03 -05:00
Glenn Strauss 452416121d move mbedtls_ecp_sw_derive_y after MPI_ECP_ macros 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-12-19 21:25:27 -05:00
Glenn Strauss fcabc28cfc use MPI_ECP_* macros in mbedtls_ecp_sw_derive_y() 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-12-19 21:24:50 -05:00
Gilles Peskine e162b4725c
Merge pull request #6777 from tom-cosgrove-arm/issue-6292-mod_inv 
Bignum: Implement high level fixed width modular inversion
 2022-12-17 13:26:02 +01:00
Gilles Peskine cf86d70162
Merge pull request #6742 from gabor-mezei-arm/6022_bignum_mod_raw_mul 
Bignum: Implement fixed width raw modular multiplication
 2022-12-17 13:25:43 +01:00
Tom Cosgrove f723754f6d Fix typos 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-16 16:10:36 +00:00
Glenn Strauss cbfd5e9db7 comment 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-12-16 11:03:41 -05:00
Glenn Strauss 369bfb94c5 comments and whitespace 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-12-16 10:49:04 -05:00
Gabor Mezei 210ea63d8b
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-16 16:35:24 +01:00
Valerio Setti e7221a21ad test: adjust depends.py to new SHA224/SHA384 changes 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-16 14:43:48 +01:00
Tom Cosgrove 342d00bc22 Oops, use mbedtls_free() not plain free() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-16 11:02:06 +00:00
Gilles Peskine b1eea02f74 Implement and test mbedtls_mpi_mod_random 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-16 10:13:29 +01:00
Gilles Peskine a57cf9813a Implement and test mbedtls_mpi_mod_raw_random 
In the basic/XXX=core test cases, use odd upper bounds, because the mod
version of random() only supports odd upper bounds (the upper bound is a
modulus and the mod modules only support odd moduli).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-16 10:13:29 +01:00
Manuel Pégourié-Gonnard 057b458583
Merge pull request #6766 from wernerlewis/bignum_mod_docs 
Bignum: document conventions for bignum mod and mod_raw
 2022-12-16 09:58:36 +01:00
Manuel Pégourié-Gonnard 5bf8629b2c
Merge pull request #6303 from gilles-peskine-arm/bignum-core-random 
Bignum: Implement mbedtls_mpi_core_random
 2022-12-16 09:58:07 +01:00
Gilles Peskine d1dd41f3fc
Merge pull request #6723 from mpg/restartable-vs-use-psa 
Document ECP_RESTARTABLE and make it compatible with USE_PSA
 2022-12-15 19:47:44 +01:00
Werner Lewis 6bb49ba121 Document const parameter conventions 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 17:04:43 +00:00
Tom Cosgrove b38c2ed3d9 Fix double space between words 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove d692ba4248 Note that (as usual) for mbedtls_mpi_mod_inv() residues must be associated with the modulus 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove a9e0f95903 Split mbedtls_mpi_mod_inv() into separate functions for mont/non-mont form 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove 4302d02fa8 Add mbedtls_mpi_mod_inv() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove 786848b5c5 Add low-level Montgomery conversion functions to bignum_core 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove 28ff92cc3a Add an explicit mbedtls_mpi_core_montmul_working_limbs() function 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove 30f3b4d601 Add mbedtls_mpi_core_check_zero_ct() and tests 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Tom Cosgrove e9ffb6c8e9 Fix mbedtls_platform_zeroize() call in mbedtls_mpi_mod_modulus_free() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-15 16:56:36 +00:00
Werner Lewis 756a34aadc Use lower case for p and r 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 14:53:43 +00:00
Werner Lewis 0f644f48e9 Add output initialization requirement 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 14:13:32 +00:00
Gilles Peskine 6b7ce968d2 Clarify some comments 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-15 15:04:33 +01:00
Gabor Mezei 95b754dfac
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-15 15:04:20 +01:00
Gabor Mezei 979d34ca7d
Add mod_raw_mul function 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-12-15 15:04:20 +01:00
Werner Lewis 214ae64349 Replace \p with \c for non-parameter code typeset 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:36:07 +00:00
Werner Lewis 1d89ebf548 Clarify all functions operate modulo N 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:35:41 +00:00
Werner Lewis a306886b3a Add modulus to parameter ordering 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:35:41 +00:00
Werner Lewis 2e70b9afef Reword bignum sizes section 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:35:41 +00:00
Werner Lewis 2bd263da1e Fix grammar and spelling 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:35:40 +00:00
Werner Lewis 945a165a3c Clarify output requirements 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:22:27 +00:00
Werner Lewis eac8be76d6 Remove unnecessary type comment 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 13:22:17 +00:00
Werner Lewis e1eb75dc99 Specify modulus constraints 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-15 12:27:56 +00:00
Manuel Pégourié-Gonnard 50faa55e4d
Merge pull request #6732 from wernerlewis/bignum_6019_mod_add 
Bignum: Implement mbedtls_mpi_mod_add()
 2022-12-15 11:39:24 +01:00
Dave Rodgman 01f6e61781
Merge pull request #986 from Mbed-TLS/merge-back-3.3.0-3 
Merge back 3.3.0 3
 2022-12-14 19:18:05 +00:00
Dave Rodgman ebef3562c3 Revert "Add generated files" 
This reverts commit c18d932705.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-12-14 19:14:00 +00:00
Dave Rodgman e90ed7d249 Bump versions for libmbedcrypto and libmbedtls 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-12-14 17:04:00 +00:00
Manuel Pégourié-Gonnard c98624af3c
Merge pull request #6680 from valeriosetti/issue6599 
Allow isolation of EC J-PAKE password when used in TLS
 2022-12-14 11:04:33 +01:00
Valerio Setti a3f99591f6 sha: make SHA-224 independent from SHA-256 
Using proper configuration options (i.e. MBEDTLS_SHA224_C and
MBEDTLS_SHA256_C) it is now possible to build SHA224 and SHA256
independently from each other.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-14 10:56:54 +01:00
Manuel Pégourié-Gonnard 4064a82802
Merge pull request #5600 from yuhaoth/pr/refactor-cookie-members-of-handshake 
Refactor cookie members of handshake
 2022-12-14 10:55:34 +01:00
Valerio Setti 898e7a3afe test: sha: test SHA384 and SHA512 separately 
This is meant to adapt to the new library design in which
SHA384 and SHA512 can be built independently from each other.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-14 10:50:54 +01:00
Werner Lewis eed01aabd3 Clarify wording in documentation 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-14 09:44:00 +00:00
Valerio Setti 43363f5962 sha: make SHA-384 independent from SHA-512 
Using proper configuration options (i.e. MBEDTLS_SHA384_C and
MBEDTLS_SHA512_C) it is now possible to build SHA384 and SHA512
independently from each other.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-14 08:53:23 +01:00
Manuel Pégourié-Gonnard 2b70a3f831
Merge pull request #6558 from lpy4105/6416-psa_macros_name_typo 
check_names: extend typo check to PSA macro/enum names
 2022-12-13 09:56:27 +01:00
Manuel Pégourié-Gonnard 48232ed2c1
Merge pull request #6743 from minosgalanakis/bignum/implement_modular_negation 
Bignum: Implement fixed width modular negation
 2022-12-13 09:54:38 +01:00
Bence Szépkúti f7641544ea Correct the fix for the PKCS 7 memory leak 
This corrects an issue in the origina fix in
4f01121f6e.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
 2022-12-12 21:59:03 +01:00
Dave Rodgman 8a05c069a5
Merge pull request #6751 from ZachFleck42/development 
Fix typo in `library/entropy.c`
 2022-12-12 16:30:54 +00:00
Werner Lewis 5e9d2e9019 Add conventions for bignum mod and mod_raw 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-12 14:00:25 +00:00
Manuel Pégourié-Gonnard a9ac61203b
Merge pull request #6666 from daverodgman/fast_unaligned 
Fast unaligned memory access macros
 2022-12-12 12:18:17 +01:00
Minos Galanakis 5e8443e6ef mbedtls_mpi_mod_raw_neg: Updated documentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-12-12 11:13:56 +00:00
Minos Galanakis 21fe8bdeac bignum_mod_raw: Added modular negation. 
This patch adds the `mpi_mod_raw_neg()` method.

Co-authored-by: Hanno Becker <hanno.becker@arm.com>
Co-authored-by: Minos Galanakis <minos.galanakis@arm.com>

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-12-12 11:13:56 +00:00
Valerio Setti 016f682796 tls: pake: small code refactoring for password setting functions 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-09 14:17:50 +01:00
Tom Cosgrove 5f09930017 Clarify use of temporary in mbedtls_mpi_mod_raw_inv_prime() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-09 10:58:15 +00:00
Dave Rodgman c18d932705 Add generated files 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-12-09 09:44:10 +00:00
Manuel Pégourié-Gonnard df0c73c308 Readability improvement in pk_wrap.c 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-12-09 10:09:34 +01:00
Manuel Pégourié-Gonnard 79ae7eb4d1 Use deterministic ECDSA in PSA when we do in legacy 
This fixes the two failing cases in test_suite_pk when ECP_RESTARTABLE
and USE_PSA_CRYPTO are both enabled. The two failing cases where

    ECDSA restartable sign/verify: ECDSA, max_ops=0 (disabled)
    ECDSA restartable sign/verify: ECKEY, max_ops=0 (disabled)

associated with test function pk_sign_verify_restart(). The failure was
caused by the interaction of several things that are each reasonable on
their own:

1. The test function relies on ECDSA restartable, which is reasonable as it
allows making sure that the generated signature is correct with a simple
memcmp().
2. The implementation of pk_sign_restartable() has a shortcut to
dispatch to the sign function (as opposed to sign_restartable) when
restart is disabled (max_ops == 0).
3. When USE_PSA is enabled, the sign function dispatches to PSA, which
so far always used ECDSA (non-deterministic) even when the non-PSA
version would use deterministic ECDSA.

This could be fixed by changing any of those. I chose (3) because I
think it makes sense that when PK dispatches to PSA instead of legacy
this should not change which version of ECDSA is selected.

OTOH, I think it makes sense to keep (2), because that means more
opportunities to dispatch to PSA.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-12-09 10:07:19 +01:00
Jerry Yu 0c2a738c23 fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-09 09:51:20 +08:00
Jerry Yu 141bbe7bee tls13: Adjust include files 
- remove duplicate and unused included
- Adjust the order to system, mbedtls global, local.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-09 09:51:20 +08:00
Jerry Yu ddda050604 tls13: Upstream various fix in prototype 
- Adjust max input_max_frag_len
- Guard transform_negotiate
- Adjust function position
- update comments
- fix wrong requirements

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-09 09:51:20 +08:00
Jerry Yu 2e19981e17 tls13: guards transform negotiate 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-09 09:51:20 +08:00
Valerio Setti eb3f788b03 tls: pake: do not destroy password key in TLS 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-08 18:42:58 +01:00
Dave Rodgman 48223bc19e Bump version to 3.3.0. No changes to .so versions. 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-12-08 14:43:19 +00:00
Dave Rodgman a5b2c52885 Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-3.3.0rc0-pr 2022-12-08 14:10:59 +00:00
Zachary Fleckenstein 73defe4da0 Fix typo in library/entropy.c 
Signed-off-by: Zachary Fleckenstein <ZachFleck42@Gmail.com>
 2022-12-08 07:28:29 -05:00
Tom Cosgrove 6129268fee Bignum: Implement mbedtls_mpi_mod_raw_inv_prime() and tests 
Fixes #6023.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-08 09:44:10 +00:00
Tom Cosgrove a7f0d7b029 mbedtls_mpi_core_exp_mod() ouuput may alias input A 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-08 08:46:28 +00:00
Valerio Setti ae7fe7ee53 tls: pake: avoid useless psa_pake_abort in setting opaque password 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-07 17:36:59 +01:00
Valerio Setti 70d1fa538a tls: pake: fix missing return values check 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-07 16:20:27 +01:00
Valerio Setti c689ed8633 tls: pake: minor adjustments 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-07 14:40:38 +01:00
Dave Rodgman 90af1a10ab
Merge pull request #6734 from daverodgman/fix_test_dep_spelling 
Fix spelling of test dependency
 2022-12-07 09:06:29 +00:00
Ronald Cron fbba0e9d75
Merge pull request #6537 from yuhaoth/pr/tls13-refactor-early-data-configuration-interface 
TLS 1.3: Refactor early data configuration interface.
 2022-12-07 09:42:12 +01:00
Janos Follath d45924d862
Merge pull request #6733 from tom-cosgrove-arm/issue-6293-mod_exp-memory 
Have mbedtls_mpi_core_exp_mod() take a temporary instead of allocating memory
 2022-12-07 08:32:31 +00:00
Janos Follath 1d26d976e8
Merge pull request #6731 from tom-cosgrove-arm/issue-6293-mod_exp 
Require input to mbedtls_mpi_core_exp_mod() to already be in Montgomery form
 2022-12-07 08:31:49 +00:00
Dave Rodgman 556e8a3219 Fix additional mis-spelling 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-12-06 16:31:25 +00:00
Dave Rodgman 92011eef34
Merge pull request #6717 from tom-cosgrove-arm/fix-typos-2212 
Fix typos prior to release
 2022-12-06 15:00:34 +00:00
Tom Cosgrove 0a0ddedfb7 Have mbedtls_mpi_core_exp_mod() take a temporary instead of allocating memory 
Last PR needed for #6293

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-06 14:37:18 +00:00
Werner Lewis e1b6b7c0ac Implement mbedtls_mpi_mod_add() 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-12-06 11:55:32 +00:00
Tom Cosgrove ecda186893 Require input to mbedtls_mpi_core_exp_mod() to already be in Montgomery form 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-06 10:46:30 +00:00
Jerry Yu 6ee56aa18f Add default values for conf->*early_data* 
- early_data default to disable
- max_early_data_size default to built-in value

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-06 18:00:47 +08:00
Jerry Yu 39da9857df remove limitation of max_early_data_size 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-06 16:58:36 +08:00
Jerry Yu 12c46bd14f fix various issues 
- disable reuse of max_early_data_size.
- make conf_early_data available for server.
- various comment issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-06 11:02:51 +08:00
Tom Cosgrove ed4f59eec3 Fix another typo where 'PSK' was 'PKS' 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-05 12:07:50 +00:00
Jerry Yu e01304f6d8 fix type conversion issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-05 19:58:46 +08:00
Jerry Yu ac5ca5a0ea Refactor cookie members of handshake struct 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-05 19:58:45 +08:00
Dave Rodgman acbb6dc364 Merge remote-tracking branch 'origin/development' into merge-dev 2022-12-05 10:59:23 +00:00
Tom Cosgrove 1797b05602 Fix typos prior to release 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-04 17:19:59 +00:00
Valerio Setti 757f359474 tls: pake: do not destroy key on errors while setting opaque password 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-02 11:07:11 +01:00
Gilles Peskine 70375b2028 Move mbedtls_mpi_core_random to the proper source file 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:46:26 +01:00
Gilles Peskine 78cf3bbf22 Bignum core: break mbedtls_mpi_core_random out of mbedtls_mpi_random 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:45:45 +01:00
Gilles Peskine 4a8c5cdfbf Bignum core: random: prototype 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:44:07 +01:00
Gilles Peskine 26be89b3f6 Bignum core: random: prepare to break out the core function 
Shuffle things around a bit inside mbedtls_mpi_random() in preparation for
breaking out mbedtls_mpi_core_random().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:06:43 +01:00
Gilles Peskine 8a32a75aa2 mbedtls_mpi_random: avoid local allocation 
Rewrite the minimum bound comparison to avoid a local allocation. This costs
a bit of code size, but saves RAM. This is in preparation for moving the
bulk of the function to the bignum_core module where allocation is not
permitted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:06:43 +01:00
Gilles Peskine 6f949ea67b New constant-flow function mbedtls_mpi_core_uint_le_mpi 
Compare a single-limb MPI with a multi-limb MPI. This is rather ad hoc, but
will be useful for mbedtls_mpi_core_random.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-12-01 23:06:43 +01:00
Jerry Yu cc4e007ff6 Add max_early_data_size to mbedtls_ssl_config 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-12-01 23:11:48 +08:00
Tom Cosgrove 62b20488f1 Implement mbedtls_mpi_mod_sub() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-12-01 14:27:37 +00:00
Valerio Setti 0944329036 tls: pake: add check for empty passwords in mbedtls_ssl_set_hs_ecjpake_password() 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-12-01 15:06:09 +01:00
Paul Elliott 266f79c136
Merge pull request #6426 from aditya-deshpande-arm/driver-wrapper-key-agreement 
Add driver dispatch layer for raw key agreement, along with test call for transparent drivers.
 2022-12-01 11:40:52 +00:00
Dave Rodgman 2dae4b3ef6 Support armcc builtin byteswap routine 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-30 15:18:39 +00:00
Dave Rodgman 2d0f27d0fc Make use of optimised bswap from ARIA 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-30 12:16:21 +00:00
Ronald Cron 7df787c019
Merge pull request #6538 from yuhaoth/pr/tls13-add-early-data-transform-computation 2022-11-30 09:56:00 +01:00
Gilles Peskine edaa17b350
Merge pull request #6547 from yanesca/extract_mod_exp_from_prototype 
Bignum: Extract mod exp from prototype
 2022-11-29 21:40:07 +01:00
Aditya Deshpande b6bc7524f9 Minor formatting fixes to address code review comments 
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
 2022-11-29 16:53:29 +00:00
Manuel Pégourié-Gonnard 0b9b560770
Merge pull request #6601 from valeriosetti/issue6502 
Avoid assumptions about implementation in EC J-PAKE tests
 2022-11-29 11:21:23 +01:00
Manuel Pégourié-Gonnard f9720cfa78
Merge pull request #6670 from gilles-peskine-arm/pkcs7-use-after-free-20221127 
PKCS7: Fix some memory management errors
 2022-11-29 11:17:27 +01:00
Manuel Pégourié-Gonnard ffc330fafa
Merge pull request #6264 from hannestschofenig/rfc9146_2 
CID update to RFC 9146
 2022-11-29 09:25:14 +01:00
Jerry Yu aec08b3f42 fix various format issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-29 15:19:27 +08:00
Janos Follath 97915c8685
Merge pull request #6619 from minosgalanakis/bignum/add_high_lv_IO_methods 
Bignum: Adding High level I/O methods
 2022-11-28 17:27:48 +00:00
Valerio Setti a9a97dca63 psa_pake: add support for opaque password 
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
 2022-11-28 18:26:16 +01:00
Dave Rodgman 6d23ff60dd Make use of optimised bswap from bignum 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:13 +00:00
Dave Rodgman f7f1f748e3 Support built-in byteswap routines from clang, gcc, MSVC 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:13 +00:00
Dave Rodgman a5110b0d79 Make use of efficient unaligned access functions 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:13 +00:00
Dave Rodgman 6298b24127 Add byteswap routines 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:13 +00:00
Dave Rodgman e5c42594e5 Add byte order detection macro 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:13 +00:00
Dave Rodgman a360e1987a Add efficent unaligned get/put functions 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-28 15:41:04 +00:00
Dave Rodgman d98ac8b75e Merge remote-tracking branch 'dave/fast_xor' into fast_unaligned 2022-11-28 15:06:25 +00:00
Janos Follath 1f8afa22a4 Bignum Mod: improve documentation and style 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-28 14:58:08 +00:00
Aditya Deshpande 1ac41dec09 Add test function for opaque driver (simply returns PSA_ERROR_NOT_SUPPORTED), and address other review comments. 
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
 2022-11-28 14:46:30 +00:00
Janos Follath 84bee4c492 mbedtls_mpi_mod_write: improve readability 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-28 10:27:14 +00:00
Jerry Yu 3d78e08ac0 erase early secrets and transcripts 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu a5db6c0ce3 fix coding style issues. 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu e31688b7fa fix comments issue 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu a8771839e8 Refactor make_traffic_keys 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu 3ce61ffca6 fix comments and function name issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu b094e124f2 fix various issues 
- Alignments
- comment words in doxygen paragraph

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu 91b560f38d Add compute early transform 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu 3d9b590f02 guards transform_earlydata 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Jerry Yu 84a6edac10 change signature of get_cipher_key_info 
- it is a static function. The name is not follow nameing ruler
- move the position.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-11-28 17:34:06 +08:00
Gilles Peskine 4f01121f6e Fix memory leak on error in pkcs7_get_signers_info_set 
mbedtls_x509_name allocates memory, which must be freed if there is a
subsequent error.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-27 22:02:10 +01:00
Gilles Peskine e7f8c616d0 Fix dangling freed pointer in pkcs7_free_signer_info 
This may have been a use-after-free, but I haven't worked out whether it was
a problem or not. Even if it turns out to have been ok, keeping invalid
pointers around is fragile.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-27 21:55:29 +01:00
Gilles Peskine 47a732635b Simplify control flow in PKCS7 functions 
Remove useless goto in several functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-27 21:55:29 +01:00
Gilles Peskine 290f01b3f5 Fix dangling freed pointer on error in pkcs7_get_signers_info_set 
This fixes a use-after-free in PKCS#7 parsing when the signer data is
malformed.

Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-27 21:55:29 +01:00
Janos Follath 6eb92c0410 Bignum Mod: improve documentation and style 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-26 17:34:37 +00:00
Janos Follath 8dfc8c41b7 mbedtls_mpi_mod_write: prevent data corruption 
The function wasn't converting back data to internal representation when
writing it out.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-26 15:39:02 +00:00
Janos Follath d7bb35257b mbedtls_mpi_mod_read/write: restrict pre-conditions 
Require equality for the number of limbs in the modulus and the residue.
This makes these functions consistent with residue_setup().

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-26 14:59:27 +00:00
Janos Follath 75b9f0fd2e mbedtls_mpi_mod_read/write: remove redundant checks 
The function isn't documented as accepting null pointer, and there's no
reason why it should be. Just let it dereference the pointer.

The null/zero checks are only marginally useful: they validate that m
and r are properly populated objects, not freshly initialized ones. For
that, it's enough to check that the pointers aren't null or that the
sizes aren't zero, we don't need to check both.

Also, use separate if statements for unrelated checks.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-26 14:28:50 +00:00
Gilles Peskine 89e31adbee Move mps modules to the correct library 
This is a private interface only, so it's an ABI change but not an API change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-26 14:18:45 +01:00
Gilles Peskine 898db6b8e5 Move ssl_debug_helpers_generated to the correct library 
This is a private interface only, so it's an ABI change but not an API change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-26 14:15:32 +01:00
Janos Follath ee530cc644 Bignum Mod: improve documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath fc6fbb4e96 Bignum Mod: improve documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>

Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath 41427dee80 Bignum Mod: improve documentation 
Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath 91295d2b8f Bignum Mod: remove endianness from modulus 
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).

These are higher level concepts and are out of scope for Bignum and for
the modulus structure.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath 3e3fc91c33 Bignum Mod: pass endianness as a parameter 
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).

These are higher level concepts and are out of scope for Bignum and for
the modulus structure.

Passing endianness as a parameter is a step towards removing it from the
modulus structure.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath d3eed33709 Bignum Mod Raw: pass endianness as a parameter 
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).

These are higher level concepts and are out of scope for Bignum and for
the modulus structure.

Passing endianness as a parameter is a step towards removing it from the
modulus structure.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath 50cd4b842b Bignum Mod: Restrict residue setup 
In theory we could allow residues to have more allocated limbs than the
modulus, but we might or might not need it in the end.

Go for the simpler option for now and we can extend it later if we
really need it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath b62bad442e Bidnum Mod: fix check in setup 
We want to make sure that the value has at least as many limbs allocated
as the modulus as we need this to be able to do any operations in
constant time.

An invariant of the API is that the residue values are canonical, make
sure that the residue is compared to the entire modulus.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2022-11-25 17:55:00 +00:00
Minos Galanakis 8b375451c5 bignum_mod: Refactored mbedtls_mpi_mod_read/write() 
This patch adjusts the I/O methods and the tests.
Documentation has also been updated to be more clear.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-11-25 17:55:00 +00:00
Minos Galanakis aed832ac16 bignum_mod: Adjusted input checking for mbedtls_mpi_mod_residue_setup() 
This patch adjusts the logic of the size checking of the method,
and refactors the tests. Documentation has also been updated.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-11-25 17:55:00 +00:00
Minos Galanakis a17ad48e2d bignum_mod: Fixed an issue with input checking in mpi_mod_residue_setup 
This patch is inverting the input type checking logic in the method,
in order to ensure that residue < modulus.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-11-25 17:55:00 +00:00
Minos Galanakis 81f4b11010 bignum_mod: Added mbedtls_mpi_mod_read/write() IO functions 
This patch adds input and ouput fucntions in the `bignum_mod` layer.
The data will be automatically converted between Cannonical and
Montgomery representation if required.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2022-11-25 17:55:00 +00:00
Janos Follath 590ae5363d
Merge pull request #6656 from tom-cosgrove-arm/bignum_pr_6225-updated 
Bignum: add mod_raw_add
 2022-11-25 17:53:31 +00:00
Dave Rodgman a616afeae4 Remove redundant inline workarounds 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-25 17:11:45 +00:00
Dave Rodgman 5a1d00f03d Merge remote-tracking branch 'origin/development' into fast_xor 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-25 17:10:25 +00:00
Dave Rodgman bf9b23abf8
Merge pull request #6648 from gilles-peskine-arm/psa-ecb-null-0 
Fix NULL+0 undefined behavior in PSA crypto ECB
 2022-11-25 17:07:46 +00:00
Bence Szépkúti 6e85673e8d
Merge pull request #3431 from naynajain/development-pkcs7 
PKCS7 Parser - RFC 2315
 2022-11-25 15:55:46 +01:00
Janos Follath 505a228b7b
Merge pull request #6606 from gabor-mezei-arm/6222_bignum_low_level_subtraction 
Bignum: Add low level subtraction
 2022-11-25 13:27:23 +00:00
Gilles Peskine 7d23778178 Explain why p + n isn't good enough 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-25 13:34:59 +01:00
Gilles Peskine 5a34b36bbd Remove more now-redundant definitions of inline 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-25 13:26:44 +01:00
Dave Rodgman f1419dbbe8
Merge pull request #6381 from tom-cosgrove-arm/pr2164 
mbedtls: fix possible false success in mbedtls_cipher_check_tag()
 2022-11-25 10:55:10 +00:00
Manuel Pégourié-Gonnard 61336848a9 Fix bug when legacy CID is enabled but not used 
When legacy CID is enabled at compile time, but not used at runtime, we
would incorrectly skip the sequence number at the beginning of the AAD.

There was already two "else" branches for writing the sequence number
but none of them was taken in that particular case.

Simplify the structure of the code: with TLS 1.2 (we're already in that
branch), we always write the sequence number, unless we're using
standard CID.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-11-25 11:48:17 +01:00
Dave Rodgman 8f6583d836 Fix for MSVC unsupported #inline keyword 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-25 09:16:41 +00:00
Bence Szépkúti ae79fb2c2e Merge branch 'development' into pr3431 2022-11-25 03:12:43 +01:00
Dave Rodgman b8c4a0d940 Minor formatting tweaks 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 21:18:55 +00:00
Dave Rodgman 7a910a8be0 Minor formatting tweaks 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 21:17:40 +00:00
Dave Rodgman 875d2383d0 Improve documentation 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 20:43:15 +00:00
Dave Rodgman aaf69fd682 Fix missing newline 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 20:40:28 +00:00
Dave Rodgman c58858865b Fix off-by-one error 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 20:35:04 +00:00
Dave Rodgman 66433444fc Fix static inline linker issues 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 20:07:39 +00:00
Dave Rodgman 4b910c1ed1 Fix whitespace 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 19:44:52 +00:00
Dave Rodgman 069e7f462a Correct mixed up comments 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 19:37:26 +00:00
Dave Rodgman 96d61d14d8 Use memcpy for unaligned accesses 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 19:33:22 +00:00
Dave Rodgman fbc23225d6 Tidy up alignment-related code into separate header 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 18:07:37 +00:00
Tom Cosgrove abddad4af8 Add note about aliasing of operands for mbedtls_mpi_mod_raw_add() 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-11-24 16:22:43 +00:00
Werner Lewis e4c0a6c3ba Change cast to correct type 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-11-24 16:18:06 +00:00
Werner Lewis 1a277d9ad6 Replace comparison with XOR 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-11-24 16:18:06 +00:00
Werner Lewis d391b8ce61 Change types and move const before type 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-11-24 16:18:06 +00:00
Werner Lewis 9fa91ebcb9 Use modulus structure in mbedtls_mpi_mod_raw_add 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-11-24 16:18:06 +00:00
Werner Lewis 0eea827cbd Rename MPI_CORE(add_mod) to mbedtls_mpi_mod_raw_add 
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
 2022-11-24 16:18:06 +00:00
Hanno Becker a45b6fee91 Extract MPI_CORE(add_mod) from the prototype 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-11-24 16:17:49 +00:00
Dave Rodgman 6921959b83 Remove unused variable 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-24 09:27:15 +00:00
Ronald Cron 4cf77e99ab
Merge pull request #6621 from ronald-cron-arm/tls13-early-data-write 
TLS 1.3: Add definition of mbedtls_ssl_{write,read}_early_data
 2022-11-24 09:58:07 +01:00
Dave Rodgman 358c7d6eb0 Fix naming inconsistency 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 20:29:03 +00:00
Dave Rodgman dd3103e9e7 Tidy up UNALIGNED_UINT32_T macro 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 19:42:13 +00:00
Dave Rodgman e7cd137606 Define UNALIGNED_UINT32_PTR for unaligned access 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 19:14:26 +00:00
Dave Rodgman a6778013b4 Tidy up UBSan detection 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 17:17:30 +00:00
Dave Rodgman 468df317bf Fix MSVC support for inline keyword 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 16:56:35 +00:00
Dave Rodgman 1bab27f983 Prevent unaligned access under ASan builds 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 16:51:59 +00:00
Dave Rodgman 3c8eb7e990 Provide external definition of mbedtls_xor 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 14:50:03 +00:00
Dave Rodgman 63d114305f Whitespace cleanup 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 14:03:30 +00:00
Dave Rodgman f9a1c37bc8 Whitespace cleanup 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-11-23 14:02:00 +00:00
Gabor Mezei 02d2313829
Fix documentation 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-11-23 14:44:14 +01:00
Gabor Mezei 3411e949cd
Cas variable to proper type 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-11-23 14:44:13 +01:00
Gabor Mezei 4c7cf7d742
Add low level subtraction with modulus 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-11-23 14:44:07 +01:00
Janos Follath 531a871b88
Merge pull request #6235 from tom-cosgrove-arm/issue-6231-core-sub-int 
Bignum: extract core_sub_int from the prototype
 2022-11-23 13:32:02 +00:00
Ronald Cron 4a8c9e2cff tls13: Add definition of mbedtls_ssl_{write,read}_early_data 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-11-23 14:29:37 +01:00
Gilles Peskine 42649d9270 Fix NULL+0 undefined behavior in ECB encryption and decryption 
psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to
a null pointer when the cipher does not use an IV. This is undefined
behavior, although it works as naively expected on most platforms. This
can cause a crash with modern Clang+ASan (depending on compiler optimizations).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-11-23 14:16:52 +01:00
Manuel Pégourié-Gonnard ef25a99f20
Merge pull request #6533 from valeriosetti/issue5847 
Use PSA EC-JPAKE in TLS (1.2) - Part 2
 2022-11-23 13:27:30 +01:00
Ronald Cron 1d1d53622f
Merge pull request #6490 from xkqian/tls13_parse_early_data_indication_ee 
The internal CI merge job ran successfully.
 2022-11-23 12:31:25 +01:00
Ronald Cron cb0e680779
Merge pull request #6476 from yuhaoth/pr/fix-tls13-mbedtls_ssl_is_handshake_over 
TLS 1.3: Fix tls13 mbedtls ssl is handshake over
 2022-11-23 12:12:02 +01:00
Manuel Pégourié-Gonnard 660b396e41
Merge pull request #975 from yanesca/issue-946 
Fix RSA side channel
 2022-11-23 10:30:35 +01:00
Xiaokang Qian b157e915ad Move the early data status set afeter all of the extensions parse 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-11-23 08:12:26 +00:00
Xiaokang Qian e861ba01d4 Remove the duplicate early_data_status check 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2022-11-23 03:21:02 +00:00