secp224k1 is the one with 225-bit private keys.
The consequences of this mistake were:
* We emitted positive test cases for hypothetical SECP_R1_225 and
SECP_K1_224 curves, which were never executed.
* We emitted useless not-supported test cases for SECP_R1_225 and SECP_K1_224.
* We were missing positive test cases for SECP_R1_224 in automatically
generated tests.
* We were missing not-supported test cases for SECP_R1_224 and SECP_K1_225.
Thus this didn't cause test failures, but it caused missing test coverage
and some never-executed test cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix // comments stopping on 'n' instead of newlines. Also allow
backslash-newline in // comments.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Any timing variance dependant on the output of this function enables a
Bleichenbacher attack. It is extremely difficult to use safely.
In the Marvin attack paper
(https://people.redhat.com/~hkario/marvin/marvin-attack-paper.pdf) the
author suggests that implementations of PKCS 1.5 decryption that don't
include a countermeasure should be considered inherently dangerous.
They suggest that all libraries implement the same countermeasure, as
implementing different countermeasures across libraries enables the
Bleichenbacher attack as well.
This is extremely fragile and therefore we don't implement it. The use
of PKCS 1.5 in Mbed TLS implements the countermeasures recommended in
the TLS standard (7.4.7.1 of RFC 5246) and is not vulnerable.
Add a warning to PKCS 1.5 decryption to warn users about this.
Signed-off-by: Janos Follath <janos.follath@arm.com>
So far we needed it only locally here, but we will need calculating RR
for safe unblinding in RSA as well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
`psa_collect_statuses.py` runs `make RECORD_PSA_STATUS_COVERAGE_LOG=1`,
which builds with `RECORD_PSA_STATUS_COVERAGE_LOG`. In this mode, the build
includes wrappers for PSA functions, which conflict with the newly
introduced wrappers that are enabled whenever `MBEDTLS_TEST_HOOKS` is
enabled. In the future, the collect-statuses mechanism should use the new
generic wrapper mechanism. For the time being, keep the old wrappers and
avoid the new wrappers when doing the collect-statuses build.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For now, only instrument the one function for which buffer copying has been
implemented, namely `psa_cipher_encrypt`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Code in unit tests (`tests/suites/*.function`) and in test support
code (`tests/src/**.c`) will now go through the wrapper functions when they
call a PSA API function and `MBEDTLS_TEST_HOOKS` is enabled.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Commit files generated by `tests/scripts/generate_psa_wrappers.py`. As of
this commit, the new code is neither useful (the wrappers just call the
underlying functions) nor used (the wrapper functions are not called from
anywhere). This will change in subsequent commits.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The new script `tests/scripts/generate_psa_wrappers.py` generates the
implementation of wrapper functions for PSA API functions, as well as a
header that defines macros that redirect calls to the wrapper functions. By
default, the wrapper functions just call the underlying library function.
With `--log`, the wrapper functions log the arguments and return values.
This commit only introduces the new script. Subsequent commits will
integrate the wrappers in the build.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The Base class generates trivial wrappers that just call the underlying
function. It is meant as a base class to construct useful wrapper generators.
The Logging class generates wrappers that can log the inputs and outputs to
a function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make sure the ctx variable in function mbedtls_timing_self_test is initialized properly, to avoid build
failures with -O3 e.g. on ppc64el
cd /<<PKGBUILDDIR>>/obj-powerpc64le-linux-gnu/library && /usr/bin/cc -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/library -g -O3 -Werror=implicit-function-declaration -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -D__DEB_CANARY_CFLAGS_428fca9bc1921c25c5121f9da7815cde__ -fno-omit-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/mbedtls-2.28.6-1 -D__DEB_CANARY_CPPFLAGS_428fca9bc1921c25c5121f9da7815cde__ -Wdate-time -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wwrite-strings -Wformat=2 -Wno-format-nonliteral -Wvla -Wlogical-op -Wshadow -Wformat-signedness -Wformat-overflow=2 -Wformat-truncation -Werror -Wmissing-declarations -Wmissing-prototypes -MD -MT library/CMakeFiles/mbedcrypto_static.dir/xtea.c.o -MF CMakeFiles/mbedcrypto_static.dir/xtea.c.o.d -o CMakeFiles/mbedcrypto_static.dir/xtea.c.o -c /<<PKGBUILDDIR>>/library/xtea.c
In function ‘mbedtls_timing_get_delay’,
inlined from ‘mbedtls_timing_self_test’ at /<<PKGBUILDDIR>>/library/timing.c:427:13:
/<<PKGBUILDDIR>>/library/timing.c:334:12: error: ‘ctx.fin_ms’ may be used uninitialized [-Werror=maybe-uninitialized]
334 | if (ctx->fin_ms == 0) {
| ~~~^~~~~~~~
/<<PKGBUILDDIR>>/library/timing.c: In function ‘mbedtls_timing_self_test’:
/<<PKGBUILDDIR>>/library/timing.c:402:34: note: ‘ctx’ declared here
402 | mbedtls_timing_delay_context ctx;
| ^~~
In function ‘mbedtls_timing_get_delay’,
inlined from ‘mbedtls_timing_self_test’ at /<<PKGBUILDDIR>>/library/timing.c:427:13:
/<<PKGBUILDDIR>>/library/timing.c:344:26: error: ‘ctx.int_ms’ may be used uninitialized [-Werror=maybe-uninitialized]
344 | if (elapsed_ms >= ctx->int_ms) {
| ~~~^~~~~~~~
/<<PKGBUILDDIR>>/library/timing.c: In function ‘mbedtls_timing_self_test’:
/<<PKGBUILDDIR>>/library/timing.c:402:34: note: ‘ctx’ declared here
402 | mbedtls_timing_delay_context ctx;
| ^~~
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Add MBEDTLS_PSA_COPY_CALLER_BUFFERS to query_config.c,
version_features.c and mbedTLS.vcxproj via their respective scripts.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Make sure that we don't enable memory poisoning when
MBEDTLS_PSA_COPY_CALLER_BUFFERS is disabled.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Specifically:
* Move the creation of the pointer to the copied buffer into the
DECLARE() macro, to solve warnings about potentially skipping
initialization.
* Reorder the arguments of the FREE() macro - having a different order
made it confusing, so keep the order the same throughout.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
