1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

276 Commits

Author SHA1 Message Date
Gilles Peskine
a4c01dd6e9 Merge pull request #7991 from sarveshb14/fix/psa_rsa_signature_using_large_stack
rsa_signature: Use heap memory to allocate DER encoded RSA private key
2023-08-16 09:23:29 +00:00
Dave Rodgman
1d4d944e19 Merge pull request #7933 from tom-cosgrove-arm/add-mbedtls_zeroize_and_free
Provide and use internal function mbedtls_zeroize_and_free()
2023-08-03 12:56:21 +00:00
Sarvesh Bodakhe
430a4f3968 rsa_signature: Use heap memory to allocate DER encoded RSA private key
'mbedtls_pk_psa_rsa_sign_ext' function allocates a buffer of maximum
size 5679 bytes (MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES) on the stack to store
DER encoded private key. This increased stack usage significantly for
RSA signature operations when MBEDTLS_PSA_CRYPTO_C is defined.

This issue was discovered when adding support for EAP-TLS 1.3 (rfc9190).

Signed-off-by: Sarvesh Bodakhe <sarvesh.bodakhe@espressif.com>
2023-07-27 14:51:25 +05:30
Tom Cosgrove
ca8c61b815 Provide and use internal function mbedtls_zeroize_and_free()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-07-17 15:17:40 +01:00
Valerio Setti
f6d4dfb745 library: replace PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY symbols with proper ones
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 14:06:00 +02:00
Manuel Pégourié-Gonnard
2be8c63af7 Create psa_util_internal.h
Most functions in psa_util.h are going to end up there (except those
that can be static in one file), but I wanted to have separate commits
for file creation and moving code around, so for now the new file's
pretty empty but that will change in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Valerio Setti
35d1dacd82 pk_wrap: fix: always clear buffer holding private key in eckey_check_pair_psa
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 18:04:16 +02:00
Valerio Setti
38913c16b0 pk_wrap: do not support opaque EC keys when !PK_HAVE_ECC_KEYS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 16:18:33 +02:00
Valerio Setti
88a3aeed9f pk_wrap: use PK_HAVE_ECC_KEYS as guard for ecdsa_opaque_check_pair_wrap
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 15:01:10 +02:00
Valerio Setti
d9d74c285b pk_wrap: guard all ECDSA function with MBEDTLS_PK_HAVE_ECC_KEYS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 15:00:02 +02:00
Valerio Setti
4d1daf8f8d pk_wrap: minor fixes for guards
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:27 +02:00
Valerio Setti
97976e3e4c pk_wrap: always fill all the fields of the pk_info structures
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:27 +02:00
Valerio Setti
76d0f9637c pk: uniform naming of functions and structures in pk/pk_wrap
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:27 +02:00
Valerio Setti
884c1ec1f5 pk_wrap: share code for selecting the psa_alg in ECDSA sign
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:27 +02:00
Valerio Setti
574a00b576 pk_wrap: minor reorganization for opaque keys
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
5c26b30d9e pk_wrap: add missing labels to #else and #endif
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
bb7603a28f pk_wrap: optimize eckey_check_pair()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
f69514a7d8 pk_wrap: name all the fields of the pk_info structs
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
e77307738d pk_wrap: add support for ECDSA verify for opaque keys
This commit also add tests to verify the functionality

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
ed7d6af670 pk_wrap: optimize code for ECDSA verify
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
4657f10bdb pk_wrap: optimize code for ECDSA sign
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-29 14:33:26 +02:00
Valerio Setti
81d75127ba library: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-19 19:24:05 +02:00
Valerio Setti
8bb5763a85 library: replace deprecated symbols with temporary _LEGACY ones
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-16 12:23:55 +02:00
Manuel Pégourié-Gonnard
02b10d8266 Add missing include
Fix build failures with config full

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
6076f4124a Remove hash_info.[ch]
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
Manuel Pégourié-Gonnard
2d6d993662 Use MD<->PSA functions from MD light
As usual, just a search-and-replace plus:

1. Removing things from hash_info.[ch]
2. Adding new auto-enable MD_LIGHT in build-info.h
3. Including md_psa.h where needed

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-06-06 10:33:54 +02:00
valerio
eab9a85f4c pk_wrap: add support for key pair check for EC opaque keys
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-06-05 11:05:40 +02:00
Valerio Setti
9efa8c4d14 pk: fix eckey_check_pair_psa
The problem was that the private key ID was destroyed even when
MBEDTLS_PK_USE_PSA_EC_DATA was enabled and of course this was
not correct.
At the same time the code has been slighlty reorganized to make
it more readable.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 15:12:07 +02:00
Valerio Setti
ae8c628edb pk: improve sign, check_pair and wrap_as_opaque functions with new format
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 15:12:07 +02:00
Valerio Setti
b536126183 pk: manage allocate and free space when working with PSA private key
Allocation does not need to perform any action since the priv_id field
is already present on the pk_context.
Free should destroy the key. Of course this is true only if the key
is not opaque (because in that case it's the user responsibility
to do so).

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 15:12:07 +02:00
Valerio Setti
8a6225062a pk: move PSA error translation macros to internal header
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-23 15:12:07 +02:00
Valerio Setti
a7cb845705 pk: add checks for the returned ECC family
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-22 18:39:43 +02:00
Valerio Setti
f57007dd1e pk: fixing and improving comments
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-19 13:54:39 +02:00
Valerio Setti
c1541cb3c7 pk: minor fixes (guards and a wrong assignment)
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 19:23:02 +02:00
Valerio Setti
a1b8af6869 pkwrap: update ECDSA verify and EC pair check to use the new public key
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-17 15:34:57 +02:00
Valerio Setti
4f387ef277 pk: use better naming for the new key ID field
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 10:59:32 +02:00
Valerio Setti
048cd44f77 pk: fix library code for using the new opaque key solution
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 10:59:32 +02:00
Valerio Setti
e00954d0ed pk: store opaque key ID directly in the pk_context structure
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-05 10:57:26 +02:00
valerio
38992cb833 pk: pass pk_context pointer to wrappers intead of void one
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-04-20 12:02:34 +02:00
Valerio Setti
3f8d23eaef pk_wrap: fix guards in eckey_check_pair to only include 1 option at build time
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
0d2980f117 pk: adapt to new ECP_LIGHT symbol
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Valerio Setti
1df94f841b pk: fix return codes' precedence and code style
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-07 11:04:32 +02:00
Valerio Setti
9d65f0ef12 pk_wrap: simplify prototype of eckey_check_pair_psa()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-07 08:53:17 +02:00
Valerio Setti
f286664069 pk_wrap: minor code optimizations
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-07 08:37:46 +02:00
Valerio Setti
8eb552647f pk_wrap: fix sizing for private key buffer
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-04 10:20:53 +02:00
Valerio Setti
0fe1ee27e5 pk: add an alternative function for checking private/public key pairs
Instead of using the legacy mbedtls_ecp_check_pub_priv() function which
was based on ECP math, we add a new option named eckey_check_pair_psa()
which takes advantage of PSA.
Of course, this is available when MBEDTLS_USE_PSA_CRYPTO in enabled.

Tests were also fixed accordingly.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-03 15:00:21 +02:00
Andrzej Kurek
ba24138e0f Duplicate error logic in pk_wrap deprecated functions
GCC 4.6+ complains if a deprecated function calls another.
Working around this universally would require a lot of
preprocessing, this seems to be an easier solution.
Copy mbedtls_pk_error_from_psa code without duplicates
instead of calling the function.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-03 05:23:45 -05:00
Andrzej Kurek
8a045ce5e6 Unify PSA to Mbed TLS error translation
Move all error translation utilities to psa_util.c.
Introduce macros and functions to avoid having
a local copy of the error translating function in
each place.
Identify overlapping errors and introduce a
generic function.
Provide a single macro for all error translations
(unless one file needs a couple of different ones).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-03 05:23:44 -05:00
Gilles Peskine
7e677fa2c5 Merge pull request #6389 from gilles-peskine-arm/ecdsa-use-psa-without-pkwrite
Remove pkwrite dependency in pk using PSA for ECDSA
2023-02-28 18:17:16 +01:00
Dave Rodgman
4a5c9ee7f2 Remove redundant SIZE_MAX guards
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-10 16:03:44 +00:00