Commit Graph

8798 Commits

Author SHA1 Message Date
Hanno Becker
79250c255f Add identifiers for TLS-1.2 PRF
This commit adds KDF algorithm identifiers `PSA_ALG_TLS12_PRF(HASH)`
to the PSA crypto API. They represent the key derivation functions
used by TLS 1.2 for the PreMasterSecret->MasterSecret and
MasterSecret->KeyBlock conversions.
2018-11-16 11:12:01 +00:00
Jaeden Amero
ab81a6c312
Merge pull request #151 from ARMmbed/psa-key_agreement-ecdh
Key agreement: basic framework and ECDH
2018-11-16 10:23:09 +00:00
Gilles Peskine
99d0259987 Improve documentation the shared secret format for FFDH 2018-11-15 17:48:15 +01:00
Gilles Peskine
d171e78b46 Document the peer_key format for psa_key_agreement 2018-11-15 17:48:15 +01:00
Gilles Peskine
6c6a023f99 More tweaks on EC-related wording
Use m for the bit size of the field order, not q which is
traditionally the field order.

Correct and clarify the private key representation format as has been
done for the private key and ECDH shared secret formats.
2018-11-15 17:48:15 +01:00
Simon Butcher
681edee803 Fix language and formatting in ChangeLog
Changed the formatting and language in the ChangeLog to the house-style.
2018-11-15 13:01:23 +00:00
Gilles Peskine
7b5b4a01a4 Correct description of the ECDH shared secret
The endianness actually depends on the curve type.

Correct the terminology around "curve size" and "order of the curve".
I tried to find a formulation that is comprehensible to programmers
who do not know the underlying mathematics, but nonetheless correct
and precise.

Use similar terminology in other places that were using "order of the
curve" to describe the bit size associated with the curve.
2018-11-14 21:17:16 +01:00
Gilles Peskine
b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine
c7998b78b8 Factor common code into key_agreement_with_self 2018-11-14 21:17:16 +01:00
Gilles Peskine
f5f442a50c More accurate description of the shared secret for ECDH
Don't refer to the "curve size", call it the "size of the order of the
curve".
2018-11-14 21:17:16 +01:00
Gilles Peskine
88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine
714e16b37a Add import/export test of EC public key 2018-11-14 21:17:16 +01:00
Gilles Peskine
3ec8ed8b51 Add multipart key agreement tests
Add test cases that do key agreement with raw selection in pieces, to
validate that selection works even when the application doesn't read
everything in one chunk.
2018-11-14 21:15:37 +01:00
Gilles Peskine
bf49197c9b key_agreement_capacity: test the actual capacity as well
After testing that the advertized capacity is what the test data says,
read that many bytes to test that this is also actual capacity.
2018-11-14 21:15:37 +01:00
Gilles Peskine
10df341436 Factor usage_to_exercise into its own function 2018-11-14 21:15:37 +01:00
Gilles Peskine
fc411f1ac1 Use ASSERT_ALLOC in key agreement tests 2018-11-14 21:15:37 +01:00
Gilles Peskine
211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine
79dd6229e4 Clarify the format of the (EC)DH shared secret 2018-11-14 21:15:37 +01:00
Gilles Peskine
2607bca666 Give "DH" and "DHM" as alternative names
Be consistent about calling it just "Diffie-Hellman", except once
where I state that "Diffie-Hellman-Merkle" is an alternative name.
2018-11-14 21:15:37 +01:00
Gilles Peskine
1d7c082124 Fix a memory leak in a test 2018-11-14 21:15:37 +01:00
Gilles Peskine
b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine
5968559a9c Key agreement test functions 2018-11-14 21:15:37 +01:00
Gilles Peskine
01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine
cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine
93098fd996 Key agreement: macros for finite-field Diffie-Hellman, ECDH
Declare macros to represent key agreement algorithms.
2018-11-14 21:15:37 +01:00
Gilles Peskine
e8f0e3dc3c New algorithm category: key selection
A key selection algorithm is similar to a key derivation algorithm in
that it takes a secret input and produces a secret output stream.
However, unlike key derivation algorithms, there is no expectation
that the input cannot be reconstructed from the output. Key selection
algorithms are exclusively meant to be used on the output of a key
agreement algorithm to select chunks of the shared secret.
2018-11-14 21:15:37 +01:00
Gilles Peskine
92587dbf2b Write missing bit of the documentation of psa_key_derivation 2018-11-14 21:15:37 +01:00
Jaeden Amero
c11be0943e
Merge pull request #196 from ARMmbed/psa-remove-rsa_get_bitlen-2
remove mbedtls_rsa_get_bitlen
2018-11-13 17:55:14 +00:00
Gilles Peskine
e19b7d54d0 Revert "New function mbedtls_rsa_get_bitlen"
This reverts commit 1d26709dbd.
2018-11-12 19:14:34 +01:00
Gilles Peskine
64a43ce48e Revert "fixup! New function mbedtls_rsa_get_bitlen"
This reverts commit c939f6fcba.
2018-11-12 19:14:34 +01:00
Gilles Peskine
86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine
aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Simon Butcher
06d80cf172 Fix merge of Changelog 128bit CTR_DRBG entry
The entry describing support for 128-bit keys in CTR_DRBG was merged into the
wrong version.
2018-11-12 14:30:19 +00:00
Simon Butcher
de13963d66 Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed 2018-11-12 14:30:16 +00:00
Simon Butcher
cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Simon Butcher
2ab14bb2ca Clarified new platform errors in the ChangeLog
Clarified new platform errors and error code deprecations in the ChangeLog.
2018-11-09 20:09:33 +00:00
Simon Butcher
e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor
6aa9fb4916 Add ChangeLog entry
Add the ChangeLog entry describing the change.
2018-11-09 15:01:09 +00:00
Ron Eldor
9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor
bcca58c6cd Add common feature unavailable error
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Gilles Peskine
9eaab02607
Merge pull request #193 from ARMmbed/dev/Patater/fix-snprintf-truncation
psa: test: Fix truncation of message by snprintf
2018-11-08 18:56:58 +01:00
Jaeden Amero
594a330eb7 psa: test: Fix truncation of message by snprintf
We had only allocated 40 bytes for printing into, but we wanted to print 46
bytes. Update the buffer to be 47 bytes, which is large enough to hold what
we want to print plus a terminating null byte.
2018-11-08 17:32:45 +00:00
Jaeden Amero
db2717b091
Merge pull request #192 from ARMmbed/psa-fix-curves-20181108
Fix curves.pl
2018-11-08 10:06:55 +00:00
Gilles Peskine
728944718a Fix a test case with incorrect dependency
Simplify the test case "PSA export a slot after a failed import of an
EC keypair": use an invalid private value for the specified curve. Now
the dependencies match the test data, so this fixes curves.pl.
2018-11-08 10:00:08 +01:00
Jaeden Amero
30b90cb406
Merge pull request #175 from ARMmbed/coverage_tests
add tests that increase key slot management code coverage slightly
2018-11-07 16:59:17 +00:00
Moran Peker
ce50007f90 Add tests of using cipher in bad state cases
- cipher setup after import key failure.
- cipher setup after set key policy but no key material
creation.
2018-11-07 16:20:07 +02:00
Moran Peker
3455009116 Add tests that check export failures after illegal behavior
- export a key after import key failure.
- export a key after the key was destroyed.
- export a key after set key policy but no key material
creation.
2018-11-07 16:19:34 +02:00
Moran Peker
28a38e6e38 Add tests that checks key management corner cases
- import a key into a non empty key slot.
- export a key from invalid slot number.
2018-11-07 16:18:24 +02:00