1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Commit Graph

1613 Commits

Author SHA1 Message Date
Gilles Peskine
04dfd70432 psa_cipher_decrypt: treat status and output length as sensitive
In `psa_cipher_decrypt()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_decrypt()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.

With this change, `psa_cipher_decrypt()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
3b380daedb psa_cipher_finish: treat status and output length as sensitive
In `psa_cipher_finish()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_finish()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.

With this change, `psa_cipher_finish()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
91b29a0bd9 Grammar in comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-13 11:53:31 +02:00
Gilles Peskine
bbec1c1d25 Initialize MAC context in internal functions for KDF
In functions that bypass the API functions and call the MAC driver wrapper
`psa_driver_wrapper_mac_sign_setup()` directly, make
sure to initialize the driver-specific part of the context. This is a union,
and initializing the union to `{0}` only guarantees that the first member of
the union is initialized, not necessarily the member used by the driver.
Most compilers do initialize the whole union to all-bits-zero, but some
don't. With compilers that don't, the lack of initialization caused failures
of the affected operations. This affected several key derivation operations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-07 18:42:33 +02:00
Gilles Peskine
a7a480bb81 Initialize driver context in setup functions
In API functions that set up a multipart or interruptible operation, make
sure to initialize the driver-specific part of the context. This is a union,
and initializing the union to `{0}` only guarantees that the first member of
the union is initialized, not necessarily the member used by the driver.
Most compilers do initialize the whole union to all-bits-zero, but some
don't. With compilers that don't, the lack of initialization caused failures
of built-in MAC, interruptible-sign and interruptible-verify. It could also
cause failures for other operations with third-party drivers: we promise
that drivers' setup entry points receive a zero-initialized operation
structure, but this promise was not kept.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-07 18:41:59 +02:00
Gilles Peskine
cdb37812e5 Update obsolete section title
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-04-25 18:48:36 +02:00
Minos Galanakis
dfc8e43614 Merge remote-tracking branch 'upstream/mbedtls-3.6' into pre-3.6.3-upstream-merge 2025-03-14 14:23:23 +00:00
Waleed Elmelegy
443908bc5d Replace zero by PSA_ALG_NONE in key derivation input functions
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-03-10 14:20:09 +00:00
Gilles Peskine
ce726b23fa Fix uninitialized variable
The of m_bytes value isn't actually used when it's uninitialized,
because *data is null, but that's very fragile.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-06 19:27:50 +01:00
Gilles Peskine
184cac1eb6 Zeroize temporary heap buffers used when deriving an ECC key
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-06 12:42:30 +01:00
Gilles Peskine
e847afd9ef Zeroize temporary heap buffers used in PSA operations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-06 12:41:59 +01:00
Waleed Elmelegy
82cd324fd4 Fix code style for key derivation input function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-03-03 15:04:17 +00:00
Waleed Elmelegy
72b391fe07 Fix psa_key_derivation_input_integer() not detecting bad state
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-03-03 12:37:02 +00:00
Gilles Peskine
abf9f1aaa5 PSA interruptible sign/verify: detect invalid curve family in start
Detect attempts to do ECDSA with a Montgomery curve in psa_sign_hash_start()
and psa_verify_hash_start(), whereas before start() would succeed and
complete() would fail. This avoids an inconsistency between psa_sign_hash()
and psa_sign_hash_start() that would be annoying to handle in
test_suite_psa_crypto_op_fail.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-09 18:42:14 +01:00
Gilles Peskine
8a8aa59f52 PSA interruptible sign/verify: detect unsupported mechanism in start
In particular, if interruptible ECDSA is supported but not the deterministic
variant, detect this in psa_sign_hash_start(), whereas before start() would
succeed and psa_sign_hash_complete() would fail. This avoids an
inconsistency between psa_sign_hash() and psa_sign_hash_start() that would
be annoying to handle in test_suite_psa_crypto_op_fail.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-21 09:48:35 +01:00
Gilles Peskine
808b541316 PSA sign/verify: more uniform error on an unsupported hash
Uniformly return PSA_ERROR_NOT_SUPPORTED if given an algorithm that includes
a hash, but that hash algorithm is not supported. This will make it easier
to have a uniform treatment of unsupported hashes in automatically generated
tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-19 17:36:07 +01:00
Valerio Setti
dbfb2ab4ea psa: zeroize static key buffer content when key slot is freed
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 13:31:19 +02:00
Valerio Setti
70fa89c1f9 psa-core: remove unnecessary element in psa_key_slot_t
Instead of checking for "in_use" to be true/false or "key.data"
to be not NULL, simply check that "key.bytes" is 0/not-0.
psa_allocate_buffer_to_slot() will update this value whenever
a new slot is allocated (for the fully static case "allocated"
actually mean "taken").

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 13:31:19 +02:00
Valerio Setti
8d4f15013f psa: allow to use static key buffers instead of dynamic ones
This helps reducing heap memory usage and, if heap memory is
not used anywhere else in an embedded device, it also reduces
code footprint since there is no need for heap management code
in this case.

A new build symbol is added for this purpose, named
MBEDTLS_PSA_STATIC_KEY_SLOTS. It's disabled by default so that
normal usage of Mbed TLS library is not affected.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 13:31:19 +02:00
Gilles Peskine
e8199f574c Dynamic key store: implementation
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, key slots are now organized in
multiple slices. The slices are allocated on demand, which allows the key
store to grow. The size of slices grows exponentially, which allows reaching
a large number of slots with a small (static) number of slices without too
much overhead.

Maintain a linked list of free slots in each slice. This way, allocating a
slot takes O(1) time unless a slice needs to be allocated.

In this commit, slices are only ever freed when deinitializing the key
store. This should be improved in the future to free empty slices.

To avoid growing the persistent key cache without control, the persistent
key cache has a fixed size (reusing MBEDTLS_PSA_KEY_SLOT_COUNT to avoid
creating yet another option).

When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled. no semantic change and
minimal changes to the code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-09 13:52:56 +02:00
Gilles Peskine
47ad2f7484 psa_key_slot_t: different fields in free vs occupied slots
Place some fields of psa_key_slot_t in a union, to prepare for a new field
in free slots that should not require extra memory.

For occupied slots, place only the registered_readers field in the union,
not other fields, to minimize textual changes. All fields could move to the
union except state (also needed in free slots) and attr (which must stay
first to reduce the code size, because it is accessed at many call sites).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-09 13:52:54 +02:00
Gilles Peskine
3b41e1d2a5 Merge pull request #9403 from gilles-peskine-arm/psa-keystore-dynamic-prep-3.6
Backport 3.6: prepare for dynamic key store
2024-08-09 08:00:03 +00:00
Gilles Peskine
4a85ff3997 Rename one more deprecated identifier
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-06 13:13:05 +02:00
Gilles Peskine
52504f8568 Rename internal function psa_key_production_parameters_are_default
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-06 13:13:05 +02:00
Gilles Peskine
f36d785188 Implement psa_generate_key_custom
Implement `psa_generate_key_custom()` and
`psa_key_derivation_output_key_custom()`. These functions replace
`psa_generate_key_ext()` and `psa_key_derivation_output_key_ext()`.
They have the same functionality, but a slightly different interface:
the `ext` functions use a structure with a flexible array member to pass
variable-length data, while the `custom` functions use a separate parameter.

Keep the `ext` functions for backward compatibility with Mbed TLS 3.6.0.
But make them a thin wrapper around the new `custom` functions.

Duplicate the test code and data. The test cases have to be duplicated
anyway, and the test functions are individually more readable this way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-06 13:12:06 +02:00
Gilles Peskine
d72ad738bd Prevent mbedtls_psa_register_se_key with volatile keys
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes #9253.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-07-17 12:21:21 +02:00
Gilles Peskine
b47c3b3111 psa_cipher_decrypt CCM*: fix rejection of messages shorter than 3 bytes
Credit to Cryptofuzz. Fixes #9314.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-07-03 09:42:35 +02:00
Gilles Peskine
51e96ad34c Merge pull request #9074 from Ryan-Everett-arm/8357-fix-3.6
Backport 3.6: Fix error handling for secure element keys in `psa_start_key_creation`
2024-05-02 16:06:09 +00:00
Ryan Everett
b5a20d3bc5 Fix error handling for secure element keys in psa_start_key_creation
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-04-30 11:17:04 +01:00
Paul Elliott
304766ffa8 Add early exit if zero length AEAD AD passed in.
With multipart AEAD, if we attempt to add zero length additional data,
then with the buffer sharing fixes this can now lead to undefined
behaviour when using gcm. Fix this by returning early, as there is
nothing to do if the input length is zero.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-04-26 19:20:45 +01:00
Minos Galanakis
b70f0fd9a9 Merge branch 'development' into 'development-restricted'
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-19 22:24:40 +00:00
Paul Elliott
b24e36d07b Add explanatory comment for init flags
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:25:48 +00:00
Paul Elliott
d35dce6e23 Add comments about RNG mutex requirements
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:06:20 +00:00
Paul Elliott
0db6a9033a Start subsystem IDs at 1 instead of 0
Catch potential invalid calls to init.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:06:20 +00:00
Paul Elliott
78279962d6 Fix minor style issues
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 13:34:01 +00:00
David Horstmann
4a48becdba Invert and rename config option
Replace MBEDTLS_PSA_COPY_CALLER_BUFFERS with inverse:
!MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. This ensures that buffer
protection is enabled by default without any change to the Mbed TLS
config file.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-14 14:47:48 +00:00
Gilles Peskine
91f7e07c63 Merge pull request #1196 from davidhorstmann-arm/buffer-sharing-merge
Update development-restricted after buffer-sharing work
2024-03-14 13:28:35 +01:00
Paul Elliott
47cee8e2ee Add mbedtls_psa_crypto_init_subsystem()
Internal only for now, but can be made external with some more
work. Break up psa_crypto_init into chunks to prevent deadlocks when
initialising RNG, likewise break up mbedtls_crypto_free() to stop having
to hold more than one mutex at a time.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-13 12:39:02 +00:00
Thomas Daubney
dca796b966 Remove further instance of LOCAL_OUTPUT_WITH_COPY
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-03-13 10:59:19 +00:00
Thomas Daubney
4bc77c402d Remove LOCAL_OUTPUT_ALLOC_WITH_COPY
It is no longer needed and should be removed.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-03-12 17:01:11 +00:00
Thomas Daubney
692fb3c11c Fix missing semicolon
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-03-12 16:20:41 +00:00
David Horstmann
c2ac51e0c6 Fix removed space in merge resolution
This space was mysteriously removed during the merge, restore it here.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-12 16:09:58 +00:00
David Horstmann
db90914232 Change goto exit into direct return
Fix errors in merge conflict resolution - change
psa_generate_random_internal() to return directly rather than jumping to
an exit label and restore the variable psa_status_t status.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-12 16:07:08 +00:00
Paul Elliott
358165246b Protect PSA drivers_initialized with mutex
Writes to this in psa_crypto_init() were again already covered.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-12 15:36:57 +00:00
Paul Elliott
8e15153637 Protect PSA global rng data with mutex.
Reads and writes of rng_state in psa_crypto_init() and psa_crypto_free()
were already covered by mutex.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-12 15:36:57 +00:00
Paul Elliott
600472b443 Protect PSA global initialized flag with mutex.
Unfortunately this requires holding the mutex for the entire
psa_crypto_init() function, as calling psa_crypto_free() from another
thread should block until init has ended, then run.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-12 15:36:57 +00:00
David Horstmann
93fa4e1b87 Merge branch 'development' into buffer-sharing-merge 2024-03-12 15:05:06 +00:00
David Horstmann
c5064c83a1 Do not attempt to wipe output buffer if it is NULL
If the output buffer is NULL, it either:

* Does not need wiping because it is zero-length.
* Has failed allocation of a copy.
* Has not yet been written to as a copy hasn't been allocated.

In any of these circumstances, we should not try to write the buffer,
so perform a NULL check before wiping it.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-11 17:02:03 +00:00
David Horstmann
0fea6a52b4 Add buffer copying to psa_verify_hash_start()
Protect input buffers to psa_verify_hash_start(), namely the hash and
signature parameters.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-11 15:56:13 +00:00
David Horstmann
4a523a608e Add buffer copying to psa_sign_hash_start/complete
Add buffer protection to:
* psa_sign_hash_start(), which takes an input buffer for the hash.
* psa_sign_hash_complete(), which takes an output buffer for the
  calculated signature.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-11 15:56:13 +00:00