Partial backport of "Update all except "Asymmetric cryptography" for
TF-PSA-Crypto", including only clarifications and the extra information
about migrating to `MBEDTLS_PSA_CRYPTO_CONFIG` that are also relevant in
3.6.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The program uses atoi() unconditionally, so it should include stdlib.h
unconditionally. Previously this happened to be indirectly included by
some other header (via pk.h via ssl.h) but we should not rely on that.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This has been the case for a while, but we forgot to update the readme.
Don't prominently label it a "reference" implementation. That implies that
it's a complete implementation, but it isn't: we do not intend to implement
every mechanism that the PSA specification has an encoding for. That also
tends to imply that it's for demonstration purposes and not ready for
production, but Mbed TLS is intended to be used in production.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Integrators in a client-server architecture need to provide this function on
the client side.
Fixesmbedtls/issues#10341.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `psa_cipher_decrypt()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_decrypt()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.
With this change, `psa_cipher_decrypt()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `psa_cipher_finish()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_finish()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.
With this change, `psa_cipher_finish()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Factor some common code for one-shot or multipart encryption/decryption into
auxiliary functions. No behavior change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The main goal is to validate that unpadding is constant-time, including
error reporting.
Use a separate test function, not annotations in the existing function, so
that the functional tests can run on any platform, and we know from test
outcomes where we have run the constant-time tests.
The tests can only be actually constant-time if AES is constant time, since
AES computations are part of what is checked. Thus this requires
hardware-accelerated AES. We can't run our AESNI (or AESCE?) code under
Msan (it doesn't detect when memory is written from assembly code), so these
tests can only be run with Valgrind.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
