The internal functions mbedtls_cipher_aead_{encrypt,decrypt} reject
unsupported algorithms, so there's no need for an additional check in
the legacy wrappers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.
Make sure to pass NULL for an empty buffer in the tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
fix_negative allocates memory for its result. The calling site didn't
check the return value, so an out-of-memory error could lead to an
incorrect calculation. Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a memory leak in mbedtls_mpi_sub_abs when the output parameter is
aliased to the second operand (X = A - X) and the result is negative.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The previous revision of guards around SHA_224 and SHA_384 were not
correct. This set of changes ensures the proper code is available
when SHA_224 and SHA_384 are enabled for use.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This temporarily breaks all.sh '*deprecated*' (deprecated functions still used
in the library), which will be fix in the next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Work in progress: next step is to test it!
Extract the part that is common with non-ext version to a new internal
function. (We can't just use the non-ext version for that, as it's going to be
deprecated.)
Currently the NIST_KW part is somewhat duplicated between the ext
and non-ext versions, but that's OK because it will soon be removed from the
non-ext version.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
* development: (488 commits)
Fix removal of deprecated PSA constants
Use GitHub-compatible table formatting
Remove psa header files in uninstall part
Change function casting in `ssl_calc_finished_tls_sha384`
Fix GCC warning in `ssl_calc_finished_tls_sha384`
Add changelog entry file to `ChangeLog.d`
Fix GCC warning in `ssl_calc_finished_tls_sha384`
Fix GCC warning about `test_snprintf`
Fix mismatched function parameters (prototype/definition)
Fix build failure on gcc-11
Copyediting
Clarifications around key import
Fix copypasta
A variable is unused in some configurations
Rename test_driver_keygen to test_driver_key_management
Move "internal use" sentence attached to the wrong function
Added changelog
Plug in the entry point for public key export through driver
tests: psa: Reset key attributes where needed
Improve/fix documentation
...
Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before
performing a time expensive operation (modular exponentiation). This prevents
a potential DoS from Diffie-Hellman computations with extremely
large key sizes.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Removed unecessary checks on the ALG_SHA_224 and ALG_SHA_384 since
those are handled in config_psa.h by ensuring the correct _C is
included. Reformatted config_psa.h to be alphabetical and made the
assignments line up correctly for consistency. Fixed the guards
for ALG_SHA_224 and ALG_SHA_384 to be correct in the crypto library
source.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This set of changes converts all the previous MBEDTLS_*_C guards in
the crypto library to use the new MBEDTLS_PSA_BUILTIN_ guards for
hash algorithms.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
With the addition of hash algorithms to crypto config there
are new dependencies for SHA224 and SHA384 that need to be confirmed
for those hashes to be used.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.
Regression test added (one of the client certs modified accordingly)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.
*_drbg_reseed_interval is now set in init() and free().
mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().
Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
Signed-off-by: gacquroff <gavina352@gmail.com>
The return values of the functions are updated in the documetation.
All possible return values are added including nested functions' return
values. The values which cannot be returned are removed.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
`finish_sha384_t` was made more generic by using `unsigned char*`
instead of `unsigned char[48]` as the second parameter.
This change tries to make the function casting more robust against
future improvements of gcc analysis.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
This commit fixes the same warning fixed by baeedbf9, but without
wasting RAM. By casting `mbedtls_sha512_finish_ret()`, `padbuf`
could be kept 48 bytes long without triggering any warnings.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
GCC 11 generated a warning because `padbuf` was too small to be
used as an argument for `mbedtls_sha512_finish_ret`. The `output`
parameter of `mbedtls_sha512_finish_ret` has the type
`unsigned char[64]`, but `padbuf` was only 48 bytes long.
Even though `ssl_calc_finished_tls_sha384` uses only 48 bytes for
the hash output, the size of `padbuf` was increased to 64 bytes.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
In GCC 11, parameters declared as arrays in function prototypes
cannot be declared as pointers in the function definition. The
same is true for the other way around.
The definition of `mbedtls_aes_cmac_prf_128` was changed to match
its public prototype in `cmac.h`. The type `output` was
`unsigned char *`, now is `unsigned char [16]`.
In `ssl_tls.c`, all the `ssl_calc_verify_*` variants now use pointers
for the output `hash` parameter. The array parameters were removed
because those functions must be compatible with the function pointer
`calc_verify` (defined in `ssl_internal.h`).
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
If the file is read correctly, but it contains data that isn't valid,
the crypto storage code returns PSA_ERROR_DATA_INVALID.
The PSA_ERROR_DATA_CORRUPT and PSA_ERROR_STORAGE_FAILURE error codes are
replaced with PSA_ERROR_DATA_INVALID, except in the ITS subsystem.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.
Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Implement support for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
For test purposes, write an implementation that uses libc rand().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Create a configuration option for autonomous random drivers, i.e. PSA
crypto drivers that provide a random generator, that have their own
entropy source and do not support injecting entropy from another
source.
This commit only creates the configuration option. Subsequent commits
will add the implementation and tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Create wrapper functions around calls to CTR_DRBG and around calls to
entropy+DRBG. This is in preparation for allowing alternative DRBG
implementations that use the Mbed TLS entropy module, or complete RNG
implementations that bypass the entropy module as well.
This is purely a refactoring commit. No behavior change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
