Commit Graph

10764 Commits

Author SHA1 Message Date
Gilles Peskine
f02aec90dc Allow AEAD update output to be delayed
Do not require finish() to have empty output for any algorithm. Some
hardware does not support immediate stream processing.
2019-05-06 15:59:44 +02:00
Gilles Peskine
26869f2d9b Implement ChaCha20 and ChaCha20-Poly1305
Smoke tests: test data for ChaCha20 calculated with PyCryptodome; test
vector from RFC 7539 for ChaCha20-Poly1305.
2019-05-06 15:59:44 +02:00
Gilles Peskine
3e79c8ecfd Declare ChaCha20 cipher and AEAD
Declare algorithms for ChaCha20 and ChaCha20-Poly1305, and a
corresponding (common) key type.

Don't declare Poly1305 as a separate algorithm because it's a one-time
authenticator, not a MAC, so the API isn't suitable for it (no way to
use a nonce).
2019-05-06 15:59:44 +02:00
Gilles Peskine
f7e7b01a25 Minor refactoring in AEAD code
Make it a little easier to add ChaCha20-Poly1305.

This also fixes the error code in case mbedtls_gcm_setkey() fails with
a status that doesn't map to INVALID_ARGUMENT.
2019-05-06 15:59:44 +02:00
Gilles Peskine
ff2d200fa5 Always include platform.h for MBEDTLS_ERR_PLATFORM_xxx
Recognize MBEDTLS_ERR_PLATFORM_xxx in mbedtls_to_psa_error().
2019-05-06 15:59:44 +02:00
Gilles Peskine
423005ea93 Cipher tests: pass the IV from the test data
Don't hard-code an IV in cipher test functions. It restricts what can
be used as test data.
2019-05-06 15:59:44 +02:00
Gilles Peskine
49dd8d8cec Add size macros for multipart AEAD
New macros PSA_AEAD_UPDATE_OUTPUT_SIZE, PSA_AEAD_FINISH_OUTPUT_SIZE
and PSA_AEAD_VERIFY_OUTPUT_SIZE to determine the output buffer sizes
for psa_aead_update(), psa_aead_finish() and psa_aead_verify().
2019-05-06 15:59:16 +02:00
Gilles Peskine
5211efb317 Add output parameter for psa_aead_verify
Like psa_aead_finish(), psa_aead_verify() needs to produce output from
the last partial block of input if psa_aead_update() cannot produce
output byte by byte.
2019-05-06 15:56:05 +02:00
Gilles Peskine
bdc27860c2 Reorder macros for clarity
Group PSA_AEAD_DECRYPT_OUTPUT_SIZE with PSA_AEAD_ENCRYPT_OUTPUT_SIZE.
2019-05-06 15:45:16 +02:00
Gilles Peskine
679693ee49 Algorithm encoding: add flag bit PSA_ALG_AEAD_FROM_BLOCK_FLAG
Make it easy to distinguish generic constructions on top of block
ciphers, such as CCM or GCM, from specialized algorithms such as
Chacha20-Poly1305.
2019-05-06 15:10:16 +02:00
Andrzej Kurek
d8cf464f7d Add a link to the seedfile for out-of-tree cmake builds 2019-05-06 07:24:02 -04:00
Gilles Peskine
d22b6c4f89
Merge pull request #264 from adrianlshaw/adrianlshaw/116
Rename psa_generator_import_key
2019-05-03 17:35:01 +02:00
Gilles Peskine
4a6446482a Test psa_copy_key with wrong type or size in attributes
Split the test function copy_key into two: one for success and one for
failure.

Add failure tests where the attributes specify an incorrect type or size.
2019-05-03 17:14:08 +02:00
Gilles Peskine
8fb3a9ead4 Test psa_import_key: test for size in attributes
Add tests where psa_import_key is called with attributes specifying an
incorrect size.
2019-05-03 16:59:21 +02:00
Gilles Peskine
4ce2a9dcbf Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
2019-05-03 16:57:15 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00
Gilles Peskine
971bd69696
Merge pull request #263 from ARMmbed/psa-key_attributes-prototype
PSA key creation with attributes
2019-05-03 15:39:36 +02:00
Gilles Peskine
1ea5e44c93 Minor documentation improvement 2019-05-02 20:31:10 +02:00
Jaeden Amero
8bf196b303
Merge pull request #98 from yanesca/curve25519_negative_tests
Curve25519 negative tests
2019-05-02 09:16:35 +01:00
Jaeden Amero
75d9a333ce Merge remote-tracking branch 'origin/pr/1633' into development
* origin/pr/1633: (26 commits)
  Fix uninitialized variable access in debug output of record enc/dec
  Adapt PSA code to ssl_transform changes
  Ensure non-NULL key buffer when building SSL test transforms
  Catch errors while building SSL test transforms
  Use mbedtls_{calloc|free}() in SSL unit test suite
  Improve documentation of mbedtls_record
  Adapt record length value after encryption
  Alternative between send/recv transform in SSL record test suite
  Fix memory leak on failure in test_suite_ssl
  Rename ssl_decrypt_buf() to mbedtls_ssl_decrypt_buf() in comment
  Add record encryption/decryption tests for ARIA to SSL test suite
  Improve documentation of mbedtls_ssl_transform
  Double check that record expansion is as expected during decryption
  Move debugging output after record decryption
  Add encryption/decryption tests for small records
  Add tests for record encryption/decryption
  Reduce size of `ssl_transform` if no MAC ciphersuite is enabled
  Remove code from `ssl_derive_keys` if relevant modes are not enabled
  Provide standalone version of `ssl_decrypt_buf`
  Provide standalone version of `ssl_encrypt_buf`
  ...
2019-05-02 09:08:43 +01:00
Jaeden Amero
aa2e298bde
Merge pull request #100 from Patater/tls-development-20190501
Update to latest Mbed TLS development (as of 2019-05-01)
2019-05-01 16:56:21 +01:00
Jaeden Amero
7b3603c6d8 Merge remote-tracking branch 'tls/development' into development
Resolve merge conflicts by performing the following actions:

- Reject changes to deleted files.
- Reject changes to generate_errors.pl and generate_visualc_files.pl.
  Don't add an 'include-crypto' option which would attempt to use the
  non-existent crypto submodule.
- list-identifiers.sh had the `--internal` option added to it, which
  lists identifiers only in internal headers. Add PSA-specific internal
  headers to list-identifiers.sh.

* origin/development: (40 commits)
  Document the scripts behaviour further
  Use check_output instead of Popen
  all.sh: Require i686-w64-mingw32-gcc version >= 6
  generate_visualc_files.pl: add mbedtls source shadowing by crypto
  generate_errors.pl: refactor and simplify the code
  Start unused variable with underscore
  Correct documentation
  generate_errors.pl: typo fix
  revert changes to generate_features.pl and generate_query_config.pl
  Check that the report directory is a directory
  Use namespaces instead of full classes
  Fix pylint issues
  Don't put abi dumps in subfolders
  Add verbose switch to silence all output except the final report
  Fetch the remote crypto branch, rather than cloning it
  Prefix internal functions with underscore
  Add RepoVersion class to make handling of many arguments easier
  Reduce indentation levels
  Improve documentation
  Use optional arguments for setting repositories
  ...
2019-05-01 14:12:43 +01:00
Jaeden Amero
0804b1d609 Merge remote-tracking branch 'origin/pr/2617' into development
* origin/pr/2617:
  Regenerate errors.c
  crypto: Update to Mbed Crypto 461fd58fb2
2019-05-01 09:58:07 +01:00
Jaeden Amero
e3435053f5 Merge remote-tracking branch 'origin/pr/2473' into development
* origin/pr/2473:
  Fix CMake build error on Cygwin and minGW platforms
2019-05-01 09:56:42 +01:00
Jaeden Amero
4e952f6ebd Regenerate errors.c
Autogenerate errors.c There are changes in error.c due to updating the
crypto submodule to a version that no longer has the SSL, X.509, or net
modules. The errors are correctly sourced from Mbed TLS and not Mbed
Crypto, but they do move around within the file due to how the error
generator script is written.
2019-04-30 16:47:36 +01:00
Jaeden Amero
af35383b89 crypto: Update to Mbed Crypto 461fd58fb2
Update the Mbed Crypto submodule to revision 461fd58fb2 ("Merge pull
request #71 from Patater/remove-non-crypto"). This includes removing
SSL, NET, and X.509 modules from Mbed Crypto.
2019-04-30 16:46:37 +01:00
Janos Follath
05a708f7e2 Add negative tests for Curve25519
If we provide low order element as a public key and the implementation
maps the point in infinity to the origin, we can force the common secret
to be zero.

According to the standard (RFC 7748) this is allowed but in this case
the primitive must not be used in a protocol that requires contributory
behaviour.

Mbed Crypto returns an error when the result is the point in the
infinity and does not map it to the origin. This is safe even if used in
protocols that require contributory behaviour.

This commit adds test cases that verify that Mbed Crypto returns an
error when low order public keys are processed.

The low order elements in the test cases were taken from this website:
https://cr.yp.to/ecdh.html
2019-04-30 14:58:15 +01:00
Janos Follath
182b0b9966 Add test for ECP multiplication
The tests we had for ECP point multiplication were tailored for test
vectors symulating crypto operations and tested a series of operations
against public test vectors.

This commit adds a test function that exercises a single multiplication.
This is much better suited for negative testing than the preexisting
test.

Only one new test case is added that exercises a fraction of an existing
test, just to make sure that the test is consistent with the existing
test functions.
2019-04-30 14:53:49 +01:00
Jaeden Amero
461fd58fb2
Merge pull request #71 from Patater/remove-non-crypto
Remove non-crypto code
2019-04-30 11:10:51 +01:00
Jaeden Amero
5900ed6dcc
Merge pull request #99 from Patater/tls-generated-sources-debug-print
Makefile: Remove extra debug print
2019-04-30 08:59:37 +01:00
Jaeden Amero
d29db1f8ab Makefile: Remove extra debug print
Remove debug print added to print list of source files used in making
libmbedcrypto.

Fixes 92da0bd862 ("Makefile: Use generated source files from parent").
2019-04-29 15:06:33 +01:00
Jaeden Amero
b978282aaa
Merge pull request #97 from Patater/tls-generated-sources
Use generated source files from Mbed TLS
2019-04-29 11:07:48 +01:00
Gilles Peskine
aa02c17dfa Add buffer size macro for psa_get_key_domain_parameters 2019-04-28 11:48:29 +02:00
Gilles Peskine
9bc88c6e2c Document the key creation flow (start, variable, finish, and fail) 2019-04-28 11:48:29 +02:00
Gilles Peskine
9c640f91d4 Improve documentation of key attributes 2019-04-28 11:48:26 +02:00
Gilles Peskine
06af0cd4a3 Always require reset after psa_get_key_attributes
There was a guarantee that psa_get_key_attributes() does not require a
subsequent psa_reset_key_attributes() to free resources as long as the
key was created with attributes having this property. This requirement
was hard to pin down because if a key is created with default
parameters, there are cases where it is difficult to ensure that the
domain parameters will be reported without allocating memory. So
remove this guarantee. Now the only case psa_reset_key_attributes() is
not required is if the attribute structure has only been modified with
certain specific setters.
2019-04-28 11:46:10 +02:00
Gilles Peskine
e56e878207 Remove extra parameter from psa_generate_key
Read extra data from the domain parameters in the attribute structure
instead of taking an argument on the function call.

Implement this for RSA key generation, where the public exponent can
be set as a domain parameter.

Add tests that generate RSA keys with various public exponents.
2019-04-26 17:37:50 +02:00
Gilles Peskine
772c8b16b4 psa_get_domain_parameters: for RSA, if e=65537, output an empty string 2019-04-26 17:37:21 +02:00
Gilles Peskine
b699f07af0 Switch psa_{get,set}_domain_parameters to attributes
Change psa_get_domain_parameters() and psa_set_domain_parameters() to
access a psa_key_attributes_t structure rather than a key handle.

In psa_get_key_attributes(), treat the RSA public exponent as a domain
parameter and read it out. This is in preparation for removing the
`extra` parameter of psa_generate_key() and setting the RSA public
exponent for key generation via domain parameters.

In this commit, the default public exponent 65537 is not treated
specially, which allows us to verify that test code that should be
calling psa_reset_key_attributes() after retrieving the attributes of
an RSA key is doing so properly (if it wasn't, there would be a memory
leak), even if the test data happens to use an RSA key with the
default public exponent.
2019-04-26 17:37:08 +02:00
Jaeden Amero
18d4789947 CMake: Use generated source files from parent
When building as a submodule of a parent project, like Mbed TLS, use the
parent projects generated source files (error.c, version.c,
version_features.c)
2019-04-26 15:41:33 +01:00
Jaeden Amero
92da0bd862 Makefile: Use generated source files from parent
When building as a submodule of a parent project, like Mbed TLS, use the
parent projects generated source files (error.c, version.c,
version_features.c)
2019-04-26 15:41:33 +01:00
Gilles Peskine
a1ace9c494 Call psa_reset_key_attributes after psa_get_key_attributes
After calling psa_get_key_attributes(), call
psa_reset_key_attributes() if the key may have domain parameters,
because that's the way to free the domain parameter substructure in
the attribute structure. Keep not calling reset() in some places where
the key can only be a symmetric key which doesn't have domain
parameters.
2019-04-26 16:15:31 +02:00
Jaeden Amero
8df5de42e2 Makefile: Output to explicit target
Don't depend on the C compiler's default output file name and path. Make
knows what it wants to build and where it should go, and this may not
always align with the C compiler default, so tell the C compilter to
output to the Make target explicitly.
2019-04-26 14:00:02 +01:00
Hanno Becker
1f10d7643f Fix uninitialized variable access in debug output of record enc/dec 2019-04-26 13:34:37 +01:00
Gilles Peskine
3a4f1f8e46 Set the key size as an attribute
Instead of passing a separate parameter for the key size to
psa_generate_key and psa_generator_import_key, set it through the
attributes, like the key type and other metadata.
2019-04-26 13:49:28 +02:00
Gilles Peskine
30afafd527 Fix build errors with MBEDTLS_PSA_CRYPTO_STORAGE_C disabled 2019-04-25 17:42:32 +02:00
Gilles Peskine
3495b58fcf Fix loading of 0-sized key on platforms where malloc(0)=NULL 2019-04-25 17:42:32 +02:00
Hanno Becker
22bf145599 Adapt PSA code to ssl_transform changes 2019-04-25 12:58:21 +01:00
Hanno Becker
78d1f70ab6 Ensure non-NULL key buffer when building SSL test transforms 2019-04-25 12:58:21 +01:00
Hanno Becker
a5780f1993 Catch errors while building SSL test transforms 2019-04-25 12:58:21 +01:00