Commit Graph

8189 Commits

Author SHA1 Message Date
Gilles Peskine
9fb0e01177 Fix nonstandard whitespace 2018-09-12 16:50:07 +03:00
itayzafrir
a2d0804b33 psa: programs: Add cipher AES CBC PKCS7 multipart 2018-09-12 16:50:07 +03:00
Jaeden Amero
1ff639d37c crypto: Add a Makefile 2018-09-12 16:50:07 +03:00
itayzafrir
10366708d6 psa: programs: Add cipher AES CBC no padding 2018-09-12 16:50:07 +03:00
Jaeden Amero
5a6ade8ab6 crypto/programs: Add a Makefile 2018-09-12 16:50:07 +03:00
itayzafrir
a3ff8a6ed5 psa: programs: Add cipher example
Add `programs/psa/crypto_examples.c`. Update relevant Makefiles,
CMakeLists.txt, and .gitignore files.
2018-09-12 16:50:07 +03:00
Jaeden Amero
1efc5fe6c5 crypto/tests: Add a Makefile 2018-09-12 16:50:07 +03:00
Jaeden Amero
50a058c9f3 crypto/library: Add a Makefile 2018-09-12 16:50:07 +03:00
Gilles Peskine
d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine
0386fbaa70 Key derivation: test deriving a key from the KDF output 2018-09-12 16:48:24 +03:00
Gilles Peskine
f24af9602f Key derivation with HKDF: add a few negative tests 2018-09-12 16:45:46 +03:00
Gilles Peskine
96ee5c70b9 HKDF: positive tests 2018-09-12 16:45:45 +03:00
Gilles Peskine
bef7f14f8e Implement HKDF 2018-09-12 16:44:05 +03:00
Gilles Peskine
ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Gilles Peskine
e83f06a229 Minor clarifications 2018-09-12 16:41:12 +03:00
Jaeden Amero
c13c0b6e52 Merge pull request #108 from ARMmbed/psa-constant_to_string
PSA constant name lookup (strerror generalization)
2018-09-12 16:41:12 +03:00
Moran Peker
f2ffdb87f6 Fix generate_key and hash_setup tests vectors
-Add depends_on MBEDTLS_CIPHER_MODE_CTR for CTR test_suite_psa_crypto
-Change bad type/hash alg parameter to *_CATEGORY_*
2018-09-12 16:41:12 +03:00
Gilles Peskine
eab56e4159 Add generator API
Add an API for byte generators: psa_crypto_generator_t,
PSA_CRYPTO_GENERATOR_INIT, psa_crypto_generator_init,
psa_get_generator_capacity, psa_generator_read,
psa_generator_import_key, psa_generator_abort.

This commit does not yet implement any generator algorithm, it only
provides the framework. This code may not compile with -Wunused.
2018-09-12 16:41:12 +03:00
Gilles Peskine
674038aaa4 README file for Mbed Crypto
Link to the API documentation in docs/.
2018-09-12 16:41:12 +03:00
Gilles Peskine
35a4ddc73a Merge remote-tracking branch 'psa/pr/86' into feature-psa 2018-09-12 16:41:12 +03:00
Gilles Peskine
029b5d648d New utility program psa/psa_constant_names
Print the symbolic name corresponding to a numerical value.

Supported types: status values, algorithms, elliptic curves,
key types, key usage masks.

The program is partly generated from parsing psa/crypto.h with a few
hard-coded assumptions. This isn't ideal but it works and requires
little machinery.
2018-09-12 16:41:12 +03:00
Moran Peker
cb088e7059 Replace ssize_t by ptrdiff_t
ssize_t is a POSIX thing, not standard C
2018-09-12 16:41:12 +03:00
Gilles Peskine
9aa369eafb HMAC: improve robustness checks on hash/block size
In psa_mac_setup and psa_hmac_setup_internal, perform a sanity check
on the hash size and the hash block size respectively. These sanity
checks should only trigger on an incompletely or incorrectly
implemented hash function.

Remove the check on the block size in psa_hmac_finish_internal
because at this point it has already been checked and used.
2018-09-12 16:41:12 +03:00
Gilles Peskine
731606c580 Add OAEP tests with non-empty labels 2018-09-12 16:41:12 +03:00
Gilles Peskine
55728b0e70 Add a few key type and algorithm test macros
These new PSA_xxx_IS_yyy macros fill a few missing gaps.
2018-09-12 16:41:12 +03:00
Gilles Peskine
1e6bfdff5e psa_hmac_setup_internal: fix double call of psa_hash_setup
In the common case (key no longer than the block size), psa_hash_setup
was being called twice in succession. With current implementations
this is just a small performance loss, but potentially with
alternative implementations this could have lead to a memory leak.
2018-09-12 16:41:12 +03:00
Gilles Peskine
b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine
3bd1a42203 Remove duplicate definition of PSA_KEY_TYPE_IS_RSA 2018-09-12 16:41:12 +03:00
Gilles Peskine
ff94abdf3a Make psa_hmac_setup_internal more standalone
Call psa_hash_setup in psa_hmac_setup_internal rather than
psa_mac_init. This makes it easier to use psa_hmac_setup_internal on
its own (for the sake of using HMAC internally inside the library).
2018-09-12 16:41:12 +03:00
Gilles Peskine
55c94dd500 Asymmetric encrypt/decrypt tests: check output length
In asymmetric_encrypt_decrypt, use the buffer size advertized by the
library for the ciphertext, and the length of the plaintext for the
re-decrypted output.

Test the output length if known. Require it to be 0 on error for
encrypt/decrypt functions. If the output length is unknown, test at
least that it's within the buffer limits.
2018-09-12 16:41:12 +03:00
Gilles Peskine
b8be288374 psa_hmac_setup_internal: add some missing cleanup on failure
Clean ipad if hashing the key failed.
2018-09-12 16:41:12 +03:00
Gilles Peskine
6842812188 Asymmetric encryption tests: allow label argument
Add a label argument to all asymmetric encryption test functions
(currently empty in all tests, but that will change soon).

In asymmetric_encrypt and asymmetric_decrypt, with an empty label,
test with both a null pointer and a non-null pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine
9688997301 MAC setup: support 0-length HMAC key
Avoid undefined behavior when using a 0-length HMAC key (Asan
complained).
2018-09-12 16:41:12 +03:00
Gilles Peskine
072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine
01126fae7f Isolate HMAC code into its own functions
Create internal functions for HMAC operations. This prepares for two
things: separating crypto-sensitive code from argument decoding and
validation, and using HMAC for other purposes than a MAC inside the
library (e.g. HMAC_DRBG, HKDF).

No intended observable behavior change in this commit.
2018-09-12 16:41:12 +03:00
Gilles Peskine
71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine
94e44540ff psa_hash_update: robustify the case length=0
Don't require hash implementations to behave correctly on a
zero-length input, which may have an invalid pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine
a4d20bd387 For RSA PSS, document that salt length = hash length
This is the most common mode and the only mode that Mbed TLS functions
fully supports (mbedtls_rsa_rsassa_pss_verify_ext can verify
signatures with a different salt length).
2018-09-12 16:41:12 +03:00
Gilles Peskine
f64ee8a7f1 Fix "unknown MAC algorithm" to actually use a MAC algorithm 2018-09-12 16:41:12 +03:00
Gilles Peskine
ef0cb40736 Fix bug in exercise_mac_key that almost always broke the SIGN case
That case isn't used in the test suite yet.
2018-09-12 16:41:12 +03:00
Gilles Peskine
ebe10de167 Merge remote-tracking branch 'psa/pr/103' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine
f969b3ac74 Change a generate_key test to exercise with PSS
This required tweaking exercise_signature_key to use a payload size
for the signature based on the algorithm, since our implementation of
PSS requires that the input size matches the hash size. This would
also be the case for PKCS#1 v1.5 with a specified hash.
2018-09-12 16:41:11 +03:00
Gilles Peskine
6489bc7a97 Merge pull request #106 from ARMmbed/psa-test_dependencies-201807
Fix some test dependencies
2018-09-12 16:41:11 +03:00
Gilles Peskine
b82ab6f402 Improve documentation of abort functions
Explicitly state that calling abort is safe after initializing to
zero.

Explicitly state that calling abort on an inactive operation is safe,
and replace "active" by "initialized" in the description of the
parameter.

Get rid of the recommendation for implementers to try to handle
uninitialized structures safely. It's good advice in principle but
cannot be achieved in a robust way and the wording was confusing.
2018-09-12 16:41:11 +03:00
Gilles Peskine
54622aec80 Fix PSA_ALG_SIGN_GET_HASH for PSA_ALG_SIGN_xxx_RAW 2018-09-12 16:41:11 +03:00
Jaeden Amero
0794936411 Merge pull request #102 from ARMmbed/dev/Patater/fix-allsh
Fix various issues caught by all.sh
2018-09-12 16:41:11 +03:00
Gilles Peskine
1c211b3e01 Fix some test dependencies
* No test depends on MBEDTLS_PK_C except via MBEDTLS_PK_PARSE_C, so
  remove MBEDTLS_PK_C and keep only MBEDTLS_PK_PARSE_C.
* Add MBEDTLS_PK_WRITE_C for pk export tests.
* Add MBEDTLS_GENPRIME for RSA key generation tests.
* Add dependencies to AEAD tests.
* Add missing dependencies to many RSA tests.
2018-09-12 16:41:11 +03:00
Gilles Peskine
be42f312a8 Doxygen: use \c foo in preference to foo for consistency 2018-09-12 16:41:11 +03:00
Gilles Peskine
66763a008a asymmetric_decrypt test: remove redundant argument
The expected output size is the size of the expected output, it
doesn't need to be passed separately.
2018-09-12 16:41:11 +03:00
Jaeden Amero
ed35da2b6f Merge pull request #97 from ARMmbed/psa-renamings_for_alpha1
Function renamings for alpha1
2018-09-12 16:41:11 +03:00