Commit Graph

5563 Commits

Author SHA1 Message Date
Gilles Peskine
84b8fc8213 Use psa_hash_compute in psa_hmac_setup_internal 2020-01-30 12:27:14 +01:00
Gilles Peskine
0a749c8fa3 Implement and test psa_hash_compute, psa_hash_compare 2020-01-30 12:27:12 +01:00
Manuel Pégourié-Gonnard
f712e163b0
Merge pull request #179 from mpg/sha512-no-sha384
Add option to build SHA-512 without SHA-384
2020-01-30 10:32:20 +01:00
Janos Follath
8b38978b85
Merge pull request #349 from gilles-peskine-arm/coverity-20200115-crypto
Fix minor defects found by Coverity
2020-01-29 15:05:11 +00:00
Manuel Pégourié-Gonnard
74ca84a7a9 Fix some whitespace issues 2020-01-29 09:46:49 +01:00
Manuel Pégourié-Gonnard
358462df85
Merge pull request #354 from mpg/fix-ecdsa-pointer-inc
Fix incrementing pointer instead of value
2020-01-28 09:26:28 +01:00
Manuel Pégourié-Gonnard
ee4ba54d8d Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:11:56 +01:00
Manuel Pégourié-Gonnard
2b9b780ac0 Rename internal macro for consistency
Other modules have similar internal macros using _LENGTH in the name.
2020-01-24 11:01:02 +01:00
Manuel Pégourié-Gonnard
b7f7092f57 Remove preprocessor directive for consistency
Other cases in this switch statement aren't guarded either.
2020-01-24 10:59:08 +01:00
Janos Follath
2e9f108fbd Bump version to Mbed TLS 2.20.0 2020-01-21 14:08:26 +00:00
Gilles Peskine
a2bdcb9e3a Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-21 15:02:14 +01:00
Janos Follath
d27a88438f Merge branch 'development' into development-restricted 2020-01-15 15:55:11 +00:00
Manuel Pégourié-Gonnard
2d88549c6b Improve readability of macro in selftest 2020-01-07 10:17:35 +01:00
Manuel Pégourié-Gonnard
0b9db441c8 Make optional parameter validation more precise 2020-01-07 10:14:54 +01:00
Manuel Pégourié-Gonnard
792b16d83b Make more code paths conditional in psa_crypto.c 2020-01-07 10:13:18 +01:00
Manuel Pégourié-Gonnard
d602084cde Implement NO_SHA384 in MD layer and PSA 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
39ea19a35c Adapt sha512 selftest to NO_SHA384 option 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
3df4e60561 Implement SHA512_NO_SHA384 in sha512 module
Saves 140 bytes on sha512.o, measured with:

arm-none-eabi-gcc -Wall -Wextra -Iinclude -Os -mcpu=cortex-m0plus -mthumb -c library/sha512.c && arm-none-eabi-size sha512.o

arm-none-eabi-gcc (GNU Tools for Arm Embedded Processors 7-2018-q2-update) 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]

Todo:
- fix selftest
- fix dependencies in test suites
- implement in MD layer
2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
ad6cb11461 Declare new config.h option MBEDTLS_SHA512_NO_SHA384 2020-01-06 11:40:23 +01:00
Gilles Peskine
180850a229
Merge pull request #291 from gilles-peskine-arm/ctr_drbg-test_aes_128
Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2019-12-20 10:43:44 +01:00
Jaeden Amero
795c6bab62
Merge pull request #323 from yanesca/iotcrypt-942-initialise-return-values
Initialise return values to an error
2019-12-19 10:24:22 +00:00
Gilles Peskine
4cd3277656 Factor common code of psa_import_ec_{public,private}_key 2019-12-12 09:00:27 +01:00
Gilles Peskine
81f7909497
Merge pull request #325 from gilles-peskine-arm/psa-sign_hash
Rename psa_asymmetric_{sign_verify} to psa_{sign,verify}_hash
2019-12-06 10:10:14 +01:00
Janos Follath
24eed8d2d2 Initialise return values to an error
Initialising the return values to and error is best practice and makes
the library more robust.
2019-12-03 16:07:18 +00:00
Janos Follath
a13b905d8d Map the new Mbed TLS error value in PSA 2019-12-03 16:03:11 +00:00
Janos Follath
60f6b64b8f Add two error codes to the Error module
One of the error codes was already reserved, this commit just makes it
explicit. The other one is a new error code for initializing return
values in the library: `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` should
not be returned by the library. If it is returned, then it is surely a
bug in the library or somebody is tampering with the device.
2019-12-03 16:01:06 +00:00
Jaeden Amero
ba9fff2433
Merge pull request #283 from ARMmbed/dev/gilles-peskine-arm/ctr_drbg-aes_fail-crypto
Uncaught AES failure in CTR_DRBG
2019-11-28 15:02:00 +00:00
Gilles Peskine
7bb1a7e0bf
Merge pull request #307 from msopiha-linaro/development
Add ASN.1 ENUMERATED tag support
2019-11-28 10:20:18 +01:00
Gilles Peskine
afaee1cacf Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
2019-11-28 10:03:08 +01:00
Gilles Peskine
8f4df81506
Merge pull request #293 from gilles-peskine-arm/entropy-min
Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy
2019-11-26 18:43:45 +01:00
Gilles Peskine
89d8c5c447 Rename some signature-related identifiers
Rename some macros and functions related to signature which are
changing as part of the addition of psa_sign_message and
psa_verify_message.

perl -i -pe '%t = (
PSA_KEY_USAGE_SIGN => PSA_KEY_USAGE_SIGN_HASH,
PSA_KEY_USAGE_VERIFY => PSA_KEY_USAGE_VERIFY_HASH,
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE => PSA_SIGNATURE_MAX_SIZE,
PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE => PSA_SIGN_OUTPUT_SIZE,
psa_asymmetric_sign => psa_sign_hash,
psa_asymmetric_verify => psa_verify_hash,
); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files . ':!:**/crypto_compat.h')
2019-11-26 18:20:59 +01:00
Gilles Peskine
02e79a4e43 MBEDTLS_CTR_DRBG_USE_128_BIT_KEY: add selftest data
In the CTR_DRBG module, add selftest data for when
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.

I generated the test data by running our own code. This is ok because
we have other tests that ensure that the algorithm is implemented
correctly.

This makes programs/self/selftest pass when
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
2019-11-21 13:49:20 +01:00
Gilles Peskine
87ef0c24af Merge branch 'development' into development-restricted 2019-11-20 20:09:34 +01:00
Gilles Peskine
2e6cbcd931
Merge pull request #308 from tempesta-tech/ak-mpi_div_mpi-opt
Small performance improvement of mbedtls_mpi_div_mpi()
2019-11-19 11:32:29 +01:00
Gilles Peskine
9afbfdc833 Merge remote-tracking branch 'myfork-public/development' into merge-crypto-development-20191115
First deal with deleted files.

* Files deleted by us: keep them deleted.
* Files deleted by them, whether modified by us or not: keep our version.

```
git rm $(git status -s | sed -n 's/^DU //p')
git reset -- $(git status -s | sed -n 's/^D  //p')
git checkout -- $(git status -s | sed -n 's/^ D //p')
git add -- $(git status -s | sed -n 's/^UD //p')
```

Individual files with conflicts:

* `3rdparty/everest/library/Hacl_Curve25519_joined.c`: spurious conflict because git mistakenly identified this file as a rename. Keep our version.
* `README.md`: conflict due to their change in a paragraph that doesn't exist in our version. Keep our version of this paragraph.
* `docs/architecture/Makefile`: near-identical additions. Adapt the definition of `all_markdown` and include the clean target.
* `doxygen/input/docs_mainpage.h`: conflict in the version number. Keep our version number.
* `include/mbedtls/config.h`: two delete/modify conflicts. Keep the removed chunks out.
* `library/CMakeLists.txt`: discard all their changes as they are not relevant.
* `library/Makefile`:
    * Discard the added chunk about the crypto submodule starting with `INCLUDING_FROM_MBEDTLS:=1`.
    * delete/modify: keep the removed chunk out.
    * library build: This is almost delete/modify. Their changes are mostly not applicable. Do keep the `libmbedcrypto.$(DLEXT): | libmbedcrypto.a` order dependency.
    * `.c.o`: `-o` was added on both sides but in a different place. Change to their place.
* `library/error.c`: to be regenerated.
* `library/version_features.c`: to be regenerated.
* `programs/Makefile`: Most of the changes are not relevant. The one relevant change is in the `clean` target for Windows; adapt it by removing `/S` from our version.
* `programs/test/query_config.c`: to be regenerated.
* `scripts/config.py`: added in parallel on both sides. Keep our version.
* `scripts/footprint.sh`: parallel changes. Keep our version.
* `scripts/generate_visualc_files.pl`: one delete/modify conflict. Keep the removed chunks out.
* `tests/Makefile`: discard all of their changes.
* `tests/scripts/all.sh`:
    * `pre_initialize_variables` add `append_outcome`: add it.
    * `pre_initialize_variables` add `ASAN_CFLAGS`: already there, keep our version.
    * `pre_parse_command_line` add `--no-append-outcome`: add it.
    * `pre_parse_command_line` add `--outcome-file`: add it.
    * `pre_print_configuration`: add `MBEDTLS_TEST_OUTCOME_FILE`.
    * Several changes in SSL-specific components: keep our version without them.
    * Several changes where `config.pl` was changed to `config.py` and there was an adjacent difference: keep our version.
    * Changes regarding the inclusion of `MBEDTLS_MEMORY_xxx`: ignore them here, they will be normalized in a subsequent commit.
    * `component_test_full_cmake_gcc_asan`: add it without the TLS tests.
    * `component_test_no_use_psa_crypto_full_cmake_asan`: keep the fixed `msg`, discard other changes.
    * `component_test_memory_buffer_allocator_backtrace`, `component_test_memory_buffer_allocator`: add them without the TLS tests.
    * `component_test_m32_everest`: added in parallel on both sides. Keep our version.
* `tests/scripts/check-names.sh`, `tests/scripts/list-enum-consts.pl`, `tests/scripts/list-identifiers.sh`, ``tests/scripts/list-macros.sh`: discard all of their changes.
* `tests/scripts/test-ref-configs.pl`: the change in the conflict is not relevant, so keep our version there.
* `visualc/VS2010/*.vcxproj`: to be regenerated.

Regenerate files:

```
scripts/generate_visualc_files.pl
git add visualc/VS2010/*.vcxproj
scripts/generate_errors.pl
git add library/error.c
scripts/generate_features.pl
git add library/version_features.c
scripts/generate_query_config.pl
git add programs/test/query_config.c
```

Rejected changes in non-conflicting files:

* `CMakeLists.txt`: discard their addition which has already been side-ported.
* `doxygen/mbedtls.doxyfile`: keep the version number change. Discard the changes related to `../crypto` paths.

Keep the following changes after examination:

* `.travis.yml`: all of their changes are relevant.
* `include/mbedtls/error.h`: do keep their changes. Even though Crypto doesn't use TLS errors, it must not encroach on TLS's allocated numbers.
* `tests/scripts/check-test-cases.py`: keep the code dealing with `ssl-opt.sh`. It works correctly when the file is not present.
2019-11-15 11:47:14 +01:00
Jaeden Amero
df8185eae3
Merge pull request #2923 from Patater/reduce-ram-pem-csr
x509write_csr: Reduce stack usage of mbedtls_x509write_csr_pem()
2019-11-14 16:39:48 +00:00
Gilles Peskine
b9b5f493d3
Merge pull request #2920 from gilles-peskine-arm/pk_signature_max_size-tls
Use MBEDTLS_PK_SIGNATURE_MAX_SIZE
2019-11-14 10:22:32 +01:00
Gilles Peskine
bf88780e64 Use MBEDTLS_PK_SIGNATURE_MAX_SIZE in X.509
Use the constant that is now provided by the crypto submodule instead
of rolling our own definition which is not correct in all cases.
2019-11-13 15:32:11 +01:00
Jaeden Amero
6ffac75995 x509write_csr: Reduce stack usage of mbedtls_x509write_csr_pem()
Using 4096 bytes of stack for the temporary buffer used for holding a
throw-away DER-formatted CSR limits the portability of generating
certificate signing requests to only devices with lots of stack space.
To increase portability, use the mbedtls_pem_write_buffer() in-place
capability instead, using the same buffer for input and output. This
works since the DER encoding for some given data is always smaller than
that same data PEM-encoded.

PEM format is desirable to use even on stack-constrained devices as the
format is easy to work with (for example, copy-pasting from a tiny
device's serial console output, for CSRs generated on tiny devices
without the private key leaving said tiny device).
2019-11-13 14:29:38 +00:00
Gilles Peskine
f0d87001d0
Merge pull request #315 from gilles-peskine-arm/pk_signature_max_size
Define MBEDTLS_PK_SIGNATURE_MAX_SIZE
2019-11-13 12:13:57 +01:00
Gilles Peskine
5bcb24b56e Fix output buffer length check in pk_opaque_sign_wrap 2019-11-13 10:57:59 +01:00
Gilles Peskine
7a9899f1bd
Merge pull request #284 from gilles-peskine-arm/bk-warning-fixes-crypto
Fix some possibly-undefined variable warnings
2019-11-12 19:45:13 +01:00
Gilles Peskine
cb0101ff33
Merge pull request #298 from gilles-peskine-arm/config-symmetric-only
Test a build without any asymmetric cryptography
2019-11-12 19:37:13 +01:00
Gilles Peskine
f48d6f2320 Add sanity checks for the mbedtls_pk_sign output size
mbedtls_pk_sign does not take the size of its output buffer as a
parameter. We guarantee that MBEDTLS_PK_SIGNATURE_MAX_SIZE is enough.
For RSA and ECDSA signatures made in software, this is ensured by the
way MBEDTLS_PK_SIGNATURE_MAX_SIZE is defined at compile time. For
signatures made through RSA-alt and PSA, this is not guaranteed
robustly at compile time, but we can test it at runtime, so do that.
2019-11-12 13:21:53 +01:00
Gilles Peskine
a428ced165
Merge pull request #277 from k-stachowiak/check-array-index-range
Check array index range in GCM multiplication
2019-11-12 13:18:47 +01:00
Gilles Peskine
e80c7e49e7
Merge pull request #278 from ARMmbed/dev/yanesca/iotcrypt-767-ecdsa-timing-side-channel
ECDSA timing side channel due to non-constant-time integer comparison
2019-11-12 11:44:13 +01:00
Jaeden Amero
90bc6b8143
Merge pull request #281 from AndrzejKurek/IOTCRYPT-968-zeroize-aes-variables
Zeroize local AES variables before exiting the function
2019-11-12 10:38:20 +00:00
Gilles Peskine
95b9f601fd
Merge pull request #280 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix
ECDSA: Fix side channel vulnerability
2019-11-12 11:34:39 +01:00
Andrzej Kurek
96ae5cd087 Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2019-11-12 03:05:51 -05:00
Gilles Peskine
2ad5e45de6
Merge pull request #314 from gilles-peskine-arm/pkwrite_ECPrivateKey_size-crypto
Fix pk_write with EC key to use a constant size for the private value
2019-11-08 19:30:51 +01:00