Removes a case in mbedtls_asn1_named_data() where memcpy() could be
called with a null pointer and zero length. A test case is added for
this code path, to catch the undefined behavior when running tests with
UBSan.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
Motivated by CVE-2022-21449, to which we're not vulnerable, but we
didn't have a test for it. Now we do.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
MD2 and MD4 were declared as enabled (PSA_WANT_ALG_MD{2,4} defined) but not
actually implemented in the test driver (MBEDTLS_MD{2,4}_C) not defined. Fix
this inconsistency caued deterministic ECDSA tests using those hashes to
fail. Now MD2 and MD4 are consistently off and the offending test cases
don't run.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Validate the size macros directly from the output length in the test data,
rather than using the value returned by the library. This is equivalent
since the value returned by the library is checked to be identical.
Enforce that SIZE() <= MAX_SIZE(), in addition to length <= SIZE(). This is
stronger than the previous code which merely enforced length <= SIZE() and
length <= MAX_SIZE().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In PSA tests, don't try to exercise RC4 keys with other sizes. Do test that
attempts to use RC4 keys of other sizes fail with NOT_SUPPORTED (import does
work, which is not really useful, but removing import support would
technically break backward compatibility).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We test some configurations using drivers where the driver doesn't
support certain hash algorithms, but declares that it supports
compound algorithms that use those hashes. Until this is fixed,
in those configurations, don't try to actually perform operations.
The built-in implementation of asymmetric algorithms that use a
hash internally only dispatch to the internal md module, not to
PSA. Until this is supported, don't try to actually perform
operations when the operation is built-in and the hash isn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may
hide clues as to why lsof wouldn't be working as expected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When ARC4 ciphersuites are compiled in, but removed from the default list,
requires_ciphersuite_enabled does not consider them to be enabled. Therefore
test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such
configurations, must not use requires_ciphersuite_enabled.
Instead, require the corresponding cryptographic mechanisms. In addition,
for the test case "RC4: both enabled", bypass the automatic ciphersuite
support detection based on force_ciphersuite= that would otherwise cause
this test case to be skipped. (This automatic detection doesn't cause the
negative tests to be skipped because it has an exception whenthe handshake
is supposed to fail.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
`PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, len) == aead_alg` when
`len == PSA_AEAD_TAG_LENGTH(aead_alg)`. So skip this case when testing
the printing of constants.
This fixes one test case due to the way arguments of
`PSA_ALG_AEAD_WITH_SHORTENED_TAG` are enumerated (all algorithms are tested
for a value of `len` which isn't problematic, and all values of `len` are
tested for one algorithm).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
There's nothing wrong with ECC keys on Brainpool curves,
but operations with them are very slow. So we only exercise them
with a single algorithm, not with all possible hashes. We do
exercise other curves with all algorithms so test coverage is
perfectly adequate like this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The PSA API does not use public key objects in key agreement
operations: it imports the public key as a formatted byte string.
So a public key object with a key agreement algorithm is not
a valid combination.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
RSA-OAEP requires the key to be larger than a function of the hash size.
Ideally such combinations would be detected as a key/algorithm
incompatibility. However key/algorithm compatibility is currently tested
between the key type and the algorithm without considering the key size, and
this is inconvenient to change. So as a workaround, dispense
OAEP-with-too-small-hash from exercising, without including it in the
automatic operation-failure test generation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't try to use {sign,verify}_message on algorithms that only support
{sign_verify}_hash. Normally exercise_key() tries all usage that is
supported by policy, however PSA_KEY_USAGE_{SIGN,VERIFY}_MESSAGE is implied
by PSA_KEY_USAGE_{SIGN,VERIFY}_HASH so it's impossible for the test data to
omit the _MESSAGE policies with hash-only algorithms.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't re-code the logic to determine a valid nonce length.
This fixes exercise_key() for PSA_ALG_CHACHA20_POLY1305, which was trying to
use a 16-byte nonce.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Mbed TLS doesn't support certain block cipher mode combinations. This
limitation should probably be lifted, but for now, test them as unsupported.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Reject algorithms of the form PSA_ALG_TRUNCATED_MAC(...) or
PSA_ALG_AEAD_WITH_SHORTENED_TAG(...) when the truncation length is invalid
or not accepted by policy in Mbed TLS.
This is done in KeyType.can_do, so in generate_psa_tests.py, keys will be
tested for operation failure with this algorithm if the algorithm is
rejected, and for storage if the algorithm is accepted.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The current macro collector only tried the minimum and maximum expressible
lengths for PSA_ALG_TRUNCATED_MAC and PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG.
This was good enough for psa_constant_names, but it's weak for exercising
keys, in particular because it doesn't include any valid AEAD tag length.
So cover more lengths.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Support ECB, which has no IV. The code also now supports arbitrary IV
lengths based on the algorithm and key type.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Only allow selected modes with 64-bit block ciphers (i.e. DES).
This removes some storage tests and creates corresponding op_fail tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In key read tests, add usage flags that are suitable for the key type and
algorithm. This way, the call to exercise_key() in the test not only checks
that exporting the key is possible, but also that operations on the key are
possible.
This triggers a number of failures in edge cases where the generator
generates combinations that are not valid, which will be fixed in subsequent
commits.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This currently makes all the descriptions unambiguous even when truncated at
66 characters, as the unit test framework does.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The output of generate_psa_tests.py is almost unchanged: the differences are
only spaces after commas (now consistently omitted).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When generating storage format tests, pass usage flags around as a list, and
format them as the last thing.
In Storagekey(), simplify the addition of implicit usage flags: this no
longer requires parsing.
The output is unchanged.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the generated storage format test cases, cover all supported
algorithms for each key type. This is a step towards exercising
the key with all the algorithms it supports; a subsequent commit
will generate a policy that permits the specified algorithms.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Use the new generic is_public method.
Impact on generated cases: there are new HMAC test cases for SIGN_HASH. It
was a bug that these test cases were previously not generated.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ensure that the nominal run works properly, so that it's apparent that the
injected failure is responsible for the failure of the handshake.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
USE_PSA_DONE() already checks that there are no used key slots.
The call to TEST_ASSERT() wouldn't have worked properly on failure anyway,
since it would jump back to the exit label.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
For weistrass curves the pair is encoded as 0x04 || x || y.
Flipping one of the bits in the first byte should be a sure failure.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
