Skip to content

Upgrade to Mbed TLS 2.21.0 and Mbed Crypto 3.1.0 #12767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 8, 2020
Merged

Upgrade to Mbed TLS 2.21.0 and Mbed Crypto 3.1.0 #12767

merged 4 commits into from
Apr 8, 2020

Conversation

Patater
Copy link
Contributor

@Patater Patater commented Apr 7, 2020

Summary of changes

Upgrade to Mbed TLS 2.21.0 and Mbed Crypto 3.1.0

Impact of changes

  • Security fix for https://nvd.nist.gov/vuln/detail/CVE-2019-18222, without dropping Mbed TLS features by reverting back to an older LTS version of Mbed TLS (2.16.x). This requires bumping the version of Mbed Crypto to 3.1.0, which brings along with it an API break in the experimental PSA APIs

Migration actions required

What behavior changes are being made?
For security and NIST SP 800-90A compliance reasons, CTR DRBG now grabs a nonce from the entropy source if needed to provide the maximum security strength. A previously unused-before-seeding member of the CTR DRBG context, mbedtls_ctr_drbg_context::reseed_counter, is used to hold the number of bytes the user has requested to include from the nonce via mbedtls_ctr_drbg_set_nonce_len(), or -1 to indicate that the entropy nonce length was not set explicitly. This means applications that were depending on a reseed_counter value of 0 to mean "not yet seeded" will need to instead handle errors from calls to mbedtls_ctr_drbg_seed().

What is being deprecated?
A few PSA Crypto asymmetric cryptography functions and macros, key usage definitions, and error code definitions have been renamed to better reflect their operation and to improve readability.

Why is this being deprecated?
The PSA Crypto API continues to develop as it heads towards its 1.0 release. Mbed Crypto 3.0.0d0 implements more of PSA Crypto 1.0b3 than was implemented in Mbed Crypto 2.x, and this brings along some API deprecations.

Mbed Crypto includes backwards compatibility macros (by way of psa/crypto_compat.h) to provide source-level backwards compatibility, although it's recommended to stop using the deprecated APIs as soon as you are able to.

Migration
To avoid using deprecated APIs, users of PSA Crypto should update to the new version of API.

Old New
psa_asymmetric_sign() psa_sign_hash()
psa_asymmetric_verify() psa_verify_hash()
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE() PSA_SIGNATURE_MAX_SIZE()
PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE() PSA_SIGN_OUTPUT_SIZE()
PSA_KEY_USAGE_SIGN PSA_KEY_USAGE_SIGN_HASH
PSA_KEY_USAGE_VERIFY PSA_KEY_USAGE_VERIFY_HASH
PSA_ERROR_UNKNOWN_ERROR PSA_ERROR_GENERIC_ERROR
PSA_ERROR_OCCUPIED_SLOT PSA_ERROR_ALREADY_EXISTS
PSA_ERROR_EMPTY_SLOT PSA_ERROR_DOES_NOT_EXIST
PSA_ERROR_INSUFFICIENT_CAPACITY PSA_ERROR_INSUFFICIENT_DATA
PSA_ERROR_TAMPERING_DETECTED PSA_ERROR_CORRUPTION_DETECTED

Documentation

Pull request type 

[] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[X] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results 

[] No Tests required for this change (E.g docs only update)
[X] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers

CC @andypowers

Patater added 3 commits April 7, 2020 09:57
@Patater
tls: Upgrade to Mbed TLS 2.20.0
ec898fb
@Patater
crypto: Upgrade to Mbed Crypto 3.1.0
8eef39b
@Patater
crypto: Update the service for Mbed Crypto 3.x
7ed3f9c 
Update Mbed OS's PSA Crypto service to work with Mbed Crypto 3.x.

- psa_asymmetric_verify() is now called psa_verify_hash().
- psa_asymmetric_sign() is now called psa_sign_hash().

Compatibilty wrappers are provided via crypto_compat.h for source-level
backwards compatibility.
@Patater
Copy link
Contributor Author

Patater commented Apr 7, 2020

Note that this includes the commit "crypto: Update the service for Mbed Crypto 3.x " from #12150

@mergify mergify bot added the needs: work label Apr 7, 2020
@0xc0170
Copy link
Contributor

0xc0170 commented Apr 7, 2020

Please review events failures in Travis

[Error] attest_crypto_keys.c@54,9: duplicate case value
[Error] attest_crypto_keys.c@51,9: previously used here
[Error] attest_crypto_keys.c@57,9: duplicate case value
[Error] attest_crypto_keys.c@51,9: previously used here
[Error] attest_crypto_keys.c@63,9: duplicate case value
[Error] attest_crypto_keys.c@60,9: previously used here
[ERROR] ./components/TARGET_PSA/services/attestation/COMPONENT_PSA_SRV_IMPL/attest_crypto_keys.c: In function 'get_curve':
./components/TARGET_PSA/services/attestation/COMPONENT_PSA_SRV_IMPL/attest_crypto_keys.c:54:9: error: duplicate case value

@Patater
Copy link
Contributor Author

Patater commented Apr 7, 2020

Updated with "crypto: Use updated ECC curve macros" commit, to use new ECC curve macros instead of old ones.

@ciarmcom ciarmcom requested review from andypowers and a team April 7, 2020 11:00
@ciarmcom
Copy link
Member

ciarmcom commented Apr 7, 2020

@Patater, thank you for your changes.
@andypowers @ARMmbed/mbed-os-maintainers please review.

@mbed-ci
Copy link

mbed-ci commented Apr 7, 2020

Test run: FAILED

Summary: 3 of 3 test jobs failed
Build number : 1
Build artifacts

Failed test jobs:

  • jenkins-ci/mbed-os-ci_build-GCC_ARM-lts
  • jenkins-ci/mbed-os-ci_build-ARM-lts
  • jenkins-ci/mbed-os-ci_unittests-lts

@0xc0170
Copy link
Contributor

0xc0170 commented Apr 7, 2020

Please ignore lts jobs here , will be restarted

@0xc0170
Copy link
Contributor

0xc0170 commented Apr 8, 2020

started new CI job

@mbed-ci
Copy link

mbed-ci commented Apr 8, 2020

Test run: FAILED

Summary: 1 of 3 test jobs failed
Build number : 2
Build artifacts

Failed test jobs:

  • jenkins-ci/mbed-os-ci_build-ARM-lts

@0xc0170
Copy link
Contributor

0xc0170 commented Apr 8, 2020

Ci restarted

@mbed-ci
Copy link

mbed-ci commented Apr 8, 2020

Test run: FAILED

Summary: 1 of 10 test jobs failed
Build number : 3
Build artifacts

Failed test jobs:

  • jenkins-ci/mbed-os-ci_example-test-lts

@0xc0170
Copy link
Contributor

0xc0170 commented Apr 8, 2020

example restarted

@0xc0170
Copy link
Contributor

0xc0170 commented Apr 8, 2020

@adbridge @andypowers @bulislaw Please review and approve for 5.15.2

@0xc0170 0xc0170 requested a review from bulislaw April 8, 2020 10:28
andypowers
andypowers approved these changes Apr 8, 2020
View reviewed changes
Copy link
Collaborator

@andypowers andypowers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

@0xc0170 0xc0170 merged commit 64b10f4 into ARMmbed:mbed-os-5.15 Apr 8, 2020
@mergify mergify bot removed the ready for merge label Apr 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xc0170 0xc0170 0xc0170 approved these changes

@andypowers andypowers andypowers approved these changes

@bulislaw bulislaw Awaiting requested review from bulislaw

Assignees
No one assigned
Labels
BREAKING-CHANGE release-version: 5.15.2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Patater @0xc0170 @ciarmcom @mbed-ci @andypowers @dgreen-arm