Commit Graph

16691 Commits

Author SHA1 Message Date
Werner Lewis
12ddae870c Fix memcpy() UB in mbedtls_asn1_named_data()
Removes a case in mbedtls_asn1_named_data() where memcpy() could be
called with a null pointer and zero length. A test case is added for
this code path, to catch the undefined behavior when running tests with
UBSan.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-05-04 12:23:26 +01:00
Gilles Peskine
585a412129
Merge pull request #5760 from tom-daubney-arm/2-28_correct_x509_flag_parse_tests
[Backport 2.28] Set flag to proper value in x509 parse tests
2022-04-28 18:27:41 +02:00
Gilles Peskine
9aa892b833
Merge pull request #5754 from gilles-peskine-arm/psa-storage-format-test-exercise-2.28
Backport 2.28: PSA storage format: exercise key
2022-04-28 18:20:09 +02:00
Gilles Peskine
f87d84361c
Merge pull request #5740 from gilles-peskine-arm/psa-crypto-config-file-2.28
Backport 2.28: Support alternative MBEDTLS_PSA_CRYPTO_CONFIG_FILE
2022-04-28 18:17:45 +02:00
Gilles Peskine
4d6070ca6d
Merge pull request #5778 from mpg/doc-allowed-pks-2.28
[Backport 2.28] Fix documentation of allowed_pks field in mbedtls_x509_crt_profile
2022-04-28 18:13:52 +02:00
Gilles Peskine
238f976ad1 Note that MBEDTLS_CONFIG_FILE can't be defined inside the config file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-26 18:13:01 +02:00
Gilles Peskine
8290976801 Fix references to mbedtls_config.h
These were a mistake when backporting the change from the development
branch, where mbedtls/config.h has been renamed to mbedtls/mbedtls_config.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-26 18:10:11 +02:00
Manuel Pégourié-Gonnard
2b28e4ecee Clarify wording of documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-25 11:57:09 +02:00
Hanno Becker
c61543dc71 Adapt ChangeLog
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-25 11:57:09 +02:00
Hanno Becker
f501cb57a5 Clarify documentation of mbedtls_x509_crt_profile
This commit fixes #1992: The documentation of mbedtls_x509_crt_profile
previously stated that the bitfield `allowed_pks` defined which signature
algorithms shall be allowed in CRT chains. In actual fact, however,
the field also applies to guard the public key of the end entity
certificate.

This commit changes the documentation to state that `allowed_pks`
applies to the public keys of all CRTs in the provided chain.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-25 11:57:09 +02:00
Gilles Peskine
500e48f095 Consistently use "ARC4" in PSA docs and comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-25 09:49:39 +02:00
Gilles Peskine
988391d1cb
Merge pull request #5769 from mpg/ecdsa-range-test-2.28
[Backport 2.28]  Expand negative coverage of ECDSA verification
2022-04-22 16:43:41 +02:00
Gilles Peskine
8e9e1f6819
Merge pull request #5744 from mpg/benchmark-ecc-heap-2.28
[backport 2.28]  Improve benchmarking of ECC heap usage
2022-04-22 16:43:04 +02:00
Manuel Pégourié-Gonnard
5aeb61ccb4 Improve readability and relevance of values
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-22 10:38:38 +02:00
Manuel Pégourié-Gonnard
bcaba030ec Expand negative coverage of ECDSA verification
Motivated by CVE-2022-21449, to which we're not vulnerable, but we
didn't have a test for it. Now we do.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-22 10:38:38 +02:00
Gilles Peskine
35de7b013a
Merge pull request #5741 from gilles-peskine-arm/depends-curves-positive-only-2.28
Backport 2.28: Don't test with all-but-one elliptic curves
2022-04-21 12:34:47 +02:00
Gilles Peskine
f7a101af3c
Merge pull request #5730 from gilles-peskine-arm/ssl-opt-auto-psk-2.28
Backport 2.28: Run ssl-opt.sh in more reduced configurations
2022-04-21 12:03:43 +02:00
Gilles Peskine
b973ae43db Use MAX_SIZE macros instead of hard-coding IV/nonce max size
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:14:52 +02:00
Gilles Peskine
b534759e19 Remove redundant initialization of iv_length
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:14:30 +02:00
Gilles Peskine
62de767b27 test_psa_crypto_config_accel_ecdsa: disable obsolete hashes
MD2 and MD4 were declared as enabled (PSA_WANT_ALG_MD{2,4} defined) but not
actually implemented in the test driver (MBEDTLS_MD{2,4}_C) not defined. Fix
this inconsistency caued deterministic ECDSA tests using those hashes to
fail. Now MD2 and MD4 are consistently off and the offending test cases
don't run.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:05:16 +02:00
Thomas Daubney
b84f8d4e88 Corrects flag set in tests
Corrects flag value from 0xFFFFFFF to 0xFFFFFFFF in
x509 parse tests.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2022-04-21 08:35:29 +01:00
Gilles Peskine
784e65b7e2 Add RC4 positive test
Only 128-bit keys are supported.

Test data from RFC 6229.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
4da5a85f80 cipher_alg_without_iv: also test multipart operations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
69d9817a66 cipher_alg_without_iv: generalized to also do decryption
Test set_iv/generate_iv after decrypt_setup. Test successful decryption.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
5f50420dc8 cipher_encrypt_alg_without_iv: validate size macros independently
Validate the size macros directly from the output length in the test data,
rather than using the value returned by the library. This is equivalent
since the value returned by the library is checked to be identical.

Enforce that SIZE() <= MAX_SIZE(), in addition to length <= SIZE(). This is
stronger than the previous code which merely enforced length <= SIZE() and
length <= MAX_SIZE().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
4a83c1047f Fix RC4 multipart PSA
RC4 doesn't take an IV.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
c768600de7 Mbed TLS supports RC4 only with 128-bit keys
In PSA tests, don't try to exercise RC4 keys with other sizes. Do test that
attempts to use RC4 keys of other sizes fail with NOT_SUPPORTED (import does
work, which is not really useful, but removing import support would
technically break backward compatibility).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
ce78c9600f Rename and document mac_or_tag_lengths -> permitted_truncations
No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
b8bd61a6ed No need to recalculate iv_length
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
913c01f978 Fix digits in octal constant
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
65bc92a425 Don't try to perform operations when driver support is lacking
We test some configurations using drivers where the driver doesn't
support certain hash algorithms, but declares that it supports
compound algorithms that use those hashes. Until this is fixed,
in those configurations, don't try to actually perform operations.

The built-in implementation of asymmetric algorithms that use a
hash internally only dispatch to the internal md module, not to
PSA. Until this is supported, don't try to actually perform
operations when the operation is built-in and the hash isn't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-20 20:58:04 +02:00
Gilles Peskine
6e8a4b87ea
Merge pull request #5747 from AndrzejKurek/raw-key-agreement-fail-2-28
Backport 2.28: Add a test for a raw key agreement failure
2022-04-19 14:00:34 +02:00
Gilles Peskine
36019d5182 Use terse output from lsof
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may
hide clues as to why lsof wouldn't be working as expected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:21:38 +02:00
Gilles Peskine
e8133cbecc test_cmake_out_of_source: validate that ssl-opt passed
If the ssl-opt test case was skipped, the test was ineffective.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:21:38 +02:00
Gilles Peskine
719a652834 Fix REMOVE_ARC4 test case dependencies
When ARC4 ciphersuites are compiled in, but removed from the default list,
requires_ciphersuite_enabled does not consider them to be enabled. Therefore
test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such
configurations, must not use requires_ciphersuite_enabled.

Instead, require the corresponding cryptographic mechanisms. In addition,
for the test case "RC4: both enabled", bypass the automatic ciphersuite
support detection based on force_ciphersuite= that would otherwise cause
this test case to be skipped. (This automatic detection doesn't cause the
negative tests to be skipped because it has an exception whenthe handshake
is supposed to fail.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 20:10:37 +02:00
Gilles Peskine
041388af2a Short-tag AEAD with the nominal length are encoded as nominal AEAD
`PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, len) == aead_alg` when
`len == PSA_AEAD_TAG_LENGTH(aead_alg)`. So skip this case when testing
the printing of constants.

This fixes one test case due to the way arguments of
`PSA_ALG_AEAD_WITH_SHORTENED_TAG` are enumerated (all algorithms are tested
for a value of `len` which isn't problematic, and all values of `len` are
tested for one algorithm).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
9d3706fb7f exercise_key: support combined key agreement+derivation algorithms
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
8ddced5b1b Only exercise Brainpool curve keys on one algorithm
There's nothing wrong with ECC keys on Brainpool curves,
but operations with them are very slow. So we only exercise them
with a single algorithm, not with all possible hashes. We do
exercise other curves with all algorithms so test coverage is
perfectly adequate like this.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
cb451702b4 Public keys can't be used as private-key inputs to key agreement
The PSA API does not use public key objects in key agreement
operations: it imports the public key as a formatted byte string.
So a public key object with a key agreement algorithm is not
a valid combination.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
32611243d4 Don't exercise OAEP with small key and large hash
RSA-OAEP requires the key to be larger than a function of the hash size.
Ideally such combinations would be detected as a key/algorithm
incompatibility. However key/algorithm compatibility is currently tested
between the key type and the algorithm without considering the key size, and
this is inconvenient to change. So as a workaround, dispense
OAEP-with-too-small-hash from exercising, without including it in the
automatic operation-failure test generation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
275ecde2ca exercise_key: signature: detect function/algorithm incompatibility
Don't try to use {sign,verify}_message on algorithms that only support
{sign_verify}_hash. Normally exercise_key() tries all usage that is
supported by policy, however PSA_KEY_USAGE_{SIGN,VERIFY}_MESSAGE is implied
by PSA_KEY_USAGE_{SIGN,VERIFY}_HASH so it's impossible for the test data to
omit the _MESSAGE policies with hash-only algorithms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
743972cd56 Use PSA_AEAD_NONCE_LENGTH when exercising AEAD keys
Don't re-code the logic to determine a valid nonce length.

This fixes exercise_key() for PSA_ALG_CHACHA20_POLY1305, which was trying to
use a 16-byte nonce.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
b3e87b6ab1 psa_crypto does not support XTS
The cipher module implements XTS, and the PSA API specifies XTS, but the PSA
implementation does not support XTS. It requires double-size keys, which
psa_crypto does not currently support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
ae93ee6ddc Reject block cipher modes that are not implemented in Mbed TLS
Mbed TLS doesn't support certain block cipher mode combinations. This
limitation should probably be lifted, but for now, test them as unsupported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
b0537ba3b9 Reject invalid MAC and AEAD truncations
Reject algorithms of the form PSA_ALG_TRUNCATED_MAC(...) or
PSA_ALG_AEAD_WITH_SHORTENED_TAG(...) when the truncation length is invalid
or not accepted by policy in Mbed TLS.

This is done in KeyType.can_do, so in generate_psa_tests.py, keys will be
tested for operation failure with this algorithm if the algorithm is
rejected, and for storage if the algorithm is accepted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
d36ed48f19 Fix invalid argument enumeration when there are >=3 arguments
This bug had no impact since currently no macro has more than 2 arguments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
c77f16b356 Test more truncated MAC and short AEAD tag lengths
The current macro collector only tried the minimum and maximum expressible
lengths for PSA_ALG_TRUNCATED_MAC and PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG.
This was good enough for psa_constant_names, but it's weak for exercising
keys, in particular because it doesn't include any valid AEAD tag length.
So cover more lengths.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
8f3aad2ed4 exercise_key: support modes where IV length is not 16
Support ECB, which has no IV. The code also now supports arbitrary IV
lengths based on the algorithm and key type.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
4eb1c7e965 64-bit block ciphers are incompatible with some modes
Only allow selected modes with 64-bit block ciphers (i.e. DES).

This removes some storage tests and creates corresponding op_fail tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
0de11438bb Storage format tests: exercise operations with keys
In key read tests, add usage flags that are suitable for the key type and
algorithm. This way, the call to exercise_key() in the test not only checks
that exporting the key is possible, but also that operations on the key are
possible.

This triggers a number of failures in edge cases where the generator
generates combinations that are not valid, which will be fixed in subsequent
commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00