Commit Graph

2559 Commits

Author SHA1 Message Date
Hanno Becker
e21387e014 Add build instructions to generate DER versions of CRTs and keys 2019-06-03 17:46:56 +01:00
Hanno Becker
8c07beeb84 Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite 2019-06-03 16:07:50 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
e2c2314ab4 Add missing dependencies in unit tests for CID-based record enc/dec
Changes generated via:
% sed -i '/.*CID [0-9]+[0-9]/{n;s/depends_on:/depends_on:MBEDTLS_SSL_CID:/}' test_suite_ssl.data
2019-06-03 14:47:36 +01:00
Hanno Becker
43c24b8da9 Fix missing compile-time guards around CID-only constants 2019-06-03 14:47:36 +01:00
Hanno Becker
d856c82993 Add unit tests for record protection using CID 2019-06-03 14:47:36 +01:00
Hanno Becker
6c87b3f9df Record enc/dec tests: Don't take turns in sending / receiving roles
Part of the record encryption/decryption tests is to gradually
increase the space available at the front and/or at the back of
a record and observe when encryption starts to succeed. If exactly
one of the two parameters is varied at a time, the expectation is
that encryption will continue to succeed once it has started
succeeding (that's not true if both pre- and post-space are varied
at the same time).

Moreover, previously the test would take turns when choosing which
transform should be used for encryption, and which for decryption.

With the introduction of the CID feaature, this switching of transforms
doesn't align with the expectation of eventual success of the encryption,
since the overhead of encryption might be different for the parties,
because both parties may use different CIDs for their outgoing records.

This commit modifies the tests to not take turns between transforms,
but to always use the same transforms for encryption and decryption
during a single round of the test.
2019-06-03 14:47:36 +01:00
Hanno Becker
4a9b028c08 Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 14:45:21 +01:00
Hanno Becker
20a4ade3f5 Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 14:45:21 +01:00
Hanno Becker
7b8abee4f5 Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 14:45:16 +01:00
Hanno Becker
2e0f71f977 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 14:22:53 +01:00
Hanno Becker
ba698da57a Remove use of MD2 in further x509parse tests 2019-06-03 09:54:07 +01:00
Hanno Becker
32b48ea364 Convert further x509parse tests to use lower-case hex data 2019-06-03 09:48:39 +01:00
Hanno Becker
01346c645b Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:16:39 +01:00
Hanno Becker
d0d78d7c4a Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:16:39 +01:00
Gilles Peskine
2938268fb4 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190524
Conflicts:
* library/ssl_cli.c, library/ssl_tls.c:
  Removed on the development branch. Keep them removed.
* include/psa/crypto_extra.h, library/psa_crypto_storage.c,
  tests/suites/test_suite_psa_crypto.data,
  tests/suites/test_suite_psa_crypto.function,
  tests/suites/test_suite_psa_crypto_persistent_key.data,
  tests/suites/test_suite_psa_crypto_slot_management.data,
  tests/suites/test_suite_psa_crypto_slot_management.function:
  Modified on the development branch only to implement the enrollment
  algorithm, which has been reimplemented on the API branch.
  Keep the API branch.
2019-05-29 09:57:29 +02:00
Gilles Peskine
3027ba6429 Enrollment algorithm in policy: add tests of psa_copy_key 2019-05-27 14:08:28 +02:00
Gilles Peskine
bcdd44b9be Enrollment algorithm in policy: add support in psa_copy_key tests
Add parameters to psa_copy_key tests for the enrollment algorithm (alg2).

This commit only tests with alg2=0, which is equivalent to not setting
an enrollment algorithm.
2019-05-27 14:08:28 +02:00
Gilles Peskine
b4e0cda8db Enrollment algorithm in policy: update persistent key tests
The storage format has changed, so update the test data accordingly.
2019-05-27 14:08:28 +02:00
Gilles Peskine
183442c854 Enrollment algorithm in policy: test persistent keys 2019-05-27 14:08:27 +02:00
Gilles Peskine
96f0b3b1d3 Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-27 14:08:27 +02:00
Gilles Peskine
d3bb7bb2f2 Persistent key reload: test more metadata
In the tests for opening a persistent key after closing it, also read
back and check the key data if permitted by policy, and the key
policy.
2019-05-24 17:02:25 +02:00
Gilles Peskine
1ecf92c2f8 Align test functions to usage/alg parameter order
Manually cherry-picked from ca5bed742f
by taking that patch, replacing KEYPAIR by KEY_PAIR
throughout (renaming applied in this branch), and discarding parts
about import_twice in test_suite_psa_crypto (this test function was
removed from this branch).
2019-05-24 16:38:14 +02:00
Ron Eldor
56f071fb9e Add negative test for malformed SAN
Add a negative test for a malformed SAN extension.
2019-05-22 17:36:58 +03:00
Jaeden Amero
496c176d90
Merge pull request #266 from ARMmbed/psa-policy_alg2-poc
Keys may allow a second algorithm
2019-05-22 11:55:01 +01:00
Gilles Peskine
52315e4c16 Enrollment algorithm in policy: add tests of psa_copy_key 2019-05-21 18:31:59 +02:00
Gilles Peskine
705cbfd802 Enrollment algorithm in policy: add support in psa_copy_key tests
Add parameters to psa_copy_key tests for the enrollment algorithm (alg2).

This commit only tests with alg2=0, which is equivalent to not setting
an enrollment algorithm.
2019-05-21 18:31:59 +02:00
Gilles Peskine
468c96cccc Enrollment algorithm in policy: update persistent key tests
The storage format has changed, so update the test data accordingly.
2019-05-21 17:06:35 +02:00
Gilles Peskine
6fbfdb9e06 Enrollment algorithm in policy: test persistent keys 2019-05-21 17:06:35 +02:00
Gilles Peskine
cbce4d8889 Persistent key reload: test more metadata
In the tests for opening a persistent key after closing it, also read
back and check the key data if permitted by policy, and the key
policy.
2019-05-21 17:06:35 +02:00
Gilles Peskine
2c86ebc2f8 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allowed to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-21 17:06:27 +02:00
Gilles Peskine
536e20571a New macro to get the bit size of an elliptic curve 2019-05-21 17:06:03 +02:00
Gilles Peskine
ca5bed742f Align test functions to usage/alg parameter order 2019-05-21 17:06:03 +02:00
Gilles Peskine
d6f371b1ba Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-21 17:06:03 +02:00
Jaeden Amero
3d07ffade2 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
    - Reject changes to files removed during the creation of Mbed Crypto
      from Mbed TLS.
    - Reject the addition of certificates that would not be used by any
      tests, including rejecting the addition of Makefile rules to
      generate these certificates.
    - Reject changes to error.c referencing modules that are not part of
      Mbed Crypto.

* origin/development: (80 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  ...
2019-05-21 08:57:44 +01:00
Jaeden Amero
31d1432233 Merge remote-tracking branch 'origin/pr/2530' into development
* origin/pr/2530: (27 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fail in case critical crt policy not supported
  Update SAN parsing documentation
  change the type of hardware_module_name member
  Change mbedtls_x509_subject_alternative_name
  Add length checking in certificate policy parsing
  Rephrase x509_crt extension member description
  Rephrase changeLog entries
  Remove redundant memset()
  Propogate error when parsing SubjectAltNames
  Tidy up style in x509_info_subject_alt_name
  Print unparseable SubjectAlternativeNames
  ...
2019-05-20 18:02:25 +01:00
Jaeden Amero
9ebcf9b00a Merge remote-tracking branch 'origin/pr/2538' into development
* origin/pr/2538:
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  Add eap-tls key derivation in the examples.
  Add ChangeLog entry
  Add an extra key export function
  Have the temporary buffer allocated dynamically
  Zeroize secret data in the exit point
  Add a single exit point in key derivation function
2019-05-20 10:58:36 +01:00
Ron Eldor
76a9c4a81f Fix test data
Fix test data to test what it actually intends to test.
2019-05-20 11:58:59 +03:00
Ron Eldor
8a59d6b964 Update test data
Update the test data for the negative certificate policies
extension tests with correct lengths, to test the correct behaviour.
Add another test.
2019-05-19 14:11:20 +03:00
Gilles Peskine
35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
dcaefae849 Parametrize Diffie-Hellman keys by a group identifier
Parametrize finite-field Diffie-Hellman key types with a DH group
identifier, in the same way elliptic curve keys are parametrized with
an EC curve identifier.

Define the DH groups from the TLS registry (these are the groups from
RFC 7919).

Replicate the macro definitions and the metadata tests from elliptic
curve identifiers to DH group identifiers.

Define PSA_DH_GROUP_CUSTOM as an implementation-specific extension for
which domain parameters are used to specify the group.
2019-05-16 19:51:10 +02:00
Gilles Peskine
be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine
51ae0e4b79 Rename "generator" to "operation"
Generators are now key derivation operations.

Keep "random generator" intact.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine
03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine
a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero
d35249e66f
Merge pull request #109 from gilles-peskine-arm/psa-key_attributes-set_persistent
Individual setters for persistent key attributes
2019-05-16 17:28:53 +01:00
Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Ron Eldor
11818f2c17 Add some negative test cases
Add some invalid certificate tests for certifiate policies extension.
2019-05-16 18:17:02 +03:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine
c9d910bed6 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine
6c9514427b New macro to get the bit size of an elliptic curve 2019-05-16 00:16:46 +02:00
Gilles Peskine
049c7535af Split long lines after psa_import_key refactoring 2019-05-15 23:16:07 +02:00
Gilles Peskine
73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
98dd779eb5 Put handle parameter last: psa_generate_derived_key
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
dd835cbea6 Add a few tests for persistent attributes
psa_set_key_lifetime and psa_set_key_id aren't pure setters: they also
set the other attribute in some conditions. Add dedicated tests for
this behavior.
2019-05-15 19:14:05 +02:00
Gilles Peskine
c87af66325 Replace psa_make_key_persistent by id/lifetime setters in tests
Remove all internal uses of psa_make_key_persistent.
2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66 Declare key id 0 as invalid
In keeping with other integral types, declare 0 to be an invalid key
identifier.

Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Ron Eldor
6b9b1b88fb Initialize psa_crypto in ssl test
Call `psa_crypto_init()` in `tls_prf` ssl test in case
`MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto.
2019-05-15 17:04:33 +03:00
Ron Eldor
d2f25f7ea8 Fix missing tls version test failures
Add checks for tls_prf tests with the relevant tls version configuration.
2019-05-15 14:54:22 +03:00
Ron Eldor
824ad7b351 Add tests for the public tls_prf API
Add tests for `mbedtls_ssl_tls_prf` wiht and without
the function types dependencies.
2019-05-15 13:57:39 +03:00
Gilles Peskine
003a4a97d3 Use PSA_AEAD_{ENCRYPT,DECRYPT}_OUTPUT_SIZE in tests 2019-05-14 16:11:07 +02:00
Gilles Peskine
c160d9ec83 psa_copy_key: enforce PSA_KEY_USAGE_COPY
Implement the check and add a negative test.
2019-05-14 14:32:03 +02:00
Gilles Peskine
f9f4a4849c Update psa_copy_key tests to use PSA_KEY_USAGE_COPY
Pass the new flag to the existing tests and add a few more test cases
to explore more variations of flag sets.
2019-05-14 14:24:49 +02:00
Ron Eldor
890819a597 Change mbedtls_x509_subject_alternative_name
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
2019-05-13 19:23:07 +03:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Janos Follath
22f605fbab Print unparseable SubjectAlternativeNames
In x509_info_subject_alt_name() we silently dropped names that we
couldn't parse because they are not supported or are malformed. (Being
malformed might mean damaged file, but can be a sign of incompatibility
between applications.)

This commit adds code notifying the user that there is something, but
we can't parse it.
2019-05-10 10:57:44 +01:00
Ron Eldor
3c4734a2a5 Add Wisun Fan device certificate
Add certificate with Wisun fan device extended key usage,
support parsing it and add tests.
2019-05-07 17:06:47 +03:00
Ron Eldor
74d9acc144 Add support for certificate policies extension
Add support for certificate policies, as defined in rfc 5280.
Currently support only `anyPolicy` policy.
2019-05-07 17:05:45 +03:00
Ron Eldor
b2dc3fa72e Suppport otherName of type hardware module name
Add support of parsing of subject alternative name, of type otherName.
Currently supports only hardware module name, as defined in rfc 4108.
2019-05-07 17:04:57 +03:00
Gilles Peskine
f9666595e1 Implement and test the new key identifier range
Only allow creating keys in the application (user) range. Allow
opening keys in the implementation (vendor) range as well.

Compared with what the implementation allowed, which was undocumented:
0 is now allowed; values from 0x40000000 to 0xfffeffff are now
forbidden.
2019-05-06 18:56:30 +02:00
Gilles Peskine
225010fdf7 Remove lifetime parameter from psa_open_key
Change the scope of key identifiers to be global, rather than
per lifetime. As a result, you now need to specify the lifetime of a
key only when creating it.
2019-05-06 18:52:22 +02:00
Gilles Peskine
ee32cd4af6 Slot management tests: more robust storage purge
Record what key ids have been used in a test case and purge them. The
cleanup code no longer requires the key identifiers used in the tests
to be in a certain small range.
2019-05-06 18:39:37 +02:00
Jack Lloyd
3ded1c81b1 Test the return value in the OID->X.509 map functions 2019-05-06 12:16:32 -04:00
Jack Lloyd
5ed7fff8ce Add a test of the OID->MD map functions 2019-05-06 12:16:18 -04:00
Jack Lloyd
5d9c9636fa Add support for RSA PKCSv1.5 signatures using RIPEMD-160 2019-05-06 12:15:17 -04:00
Gilles Peskine
26869f2d9b Implement ChaCha20 and ChaCha20-Poly1305
Smoke tests: test data for ChaCha20 calculated with PyCryptodome; test
vector from RFC 7539 for ChaCha20-Poly1305.
2019-05-06 15:59:44 +02:00
Gilles Peskine
3e79c8ecfd Declare ChaCha20 cipher and AEAD
Declare algorithms for ChaCha20 and ChaCha20-Poly1305, and a
corresponding (common) key type.

Don't declare Poly1305 as a separate algorithm because it's a one-time
authenticator, not a MAC, so the API isn't suitable for it (no way to
use a nonce).
2019-05-06 15:59:44 +02:00
Gilles Peskine
423005ea93 Cipher tests: pass the IV from the test data
Don't hard-code an IV in cipher test functions. It restricts what can
be used as test data.
2019-05-06 15:59:44 +02:00
Gilles Peskine
679693ee49 Algorithm encoding: add flag bit PSA_ALG_AEAD_FROM_BLOCK_FLAG
Make it easy to distinguish generic constructions on top of block
ciphers, such as CCM or GCM, from specialized algorithms such as
Chacha20-Poly1305.
2019-05-06 15:10:16 +02:00
Gilles Peskine
4a6446482a Test psa_copy_key with wrong type or size in attributes
Split the test function copy_key into two: one for success and one for
failure.

Add failure tests where the attributes specify an incorrect type or size.
2019-05-03 17:14:08 +02:00
Gilles Peskine
8fb3a9ead4 Test psa_import_key: test for size in attributes
Add tests where psa_import_key is called with attributes specifying an
incorrect size.
2019-05-03 16:59:21 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00
Janos Follath
05a708f7e2 Add negative tests for Curve25519
If we provide low order element as a public key and the implementation
maps the point in infinity to the origin, we can force the common secret
to be zero.

According to the standard (RFC 7748) this is allowed but in this case
the primitive must not be used in a protocol that requires contributory
behaviour.

Mbed Crypto returns an error when the result is the point in the
infinity and does not map it to the origin. This is safe even if used in
protocols that require contributory behaviour.

This commit adds test cases that verify that Mbed Crypto returns an
error when low order public keys are processed.

The low order elements in the test cases were taken from this website:
https://cr.yp.to/ecdh.html
2019-04-30 14:58:15 +01:00
Janos Follath
182b0b9966 Add test for ECP multiplication
The tests we had for ECP point multiplication were tailored for test
vectors symulating crypto operations and tested a series of operations
against public test vectors.

This commit adds a test function that exercises a single multiplication.
This is much better suited for negative testing than the preexisting
test.

Only one new test case is added that exercises a fraction of an existing
test, just to make sure that the test is consistent with the existing
test functions.
2019-04-30 14:53:49 +01:00
Gilles Peskine
aa02c17dfa Add buffer size macro for psa_get_key_domain_parameters 2019-04-28 11:48:29 +02:00
Gilles Peskine
e56e878207 Remove extra parameter from psa_generate_key
Read extra data from the domain parameters in the attribute structure
instead of taking an argument on the function call.

Implement this for RSA key generation, where the public exponent can
be set as a domain parameter.

Add tests that generate RSA keys with various public exponents.
2019-04-26 17:37:50 +02:00
Gilles Peskine
a1ace9c494 Call psa_reset_key_attributes after psa_get_key_attributes
After calling psa_get_key_attributes(), call
psa_reset_key_attributes() if the key may have domain parameters,
because that's the way to free the domain parameter substructure in
the attribute structure. Keep not calling reset() in some places where
the key can only be a symmetric key which doesn't have domain
parameters.
2019-04-26 16:15:31 +02:00
Gilles Peskine
3a4f1f8e46 Set the key size as an attribute
Instead of passing a separate parameter for the key size to
psa_generate_key and psa_generator_import_key, set it through the
attributes, like the key type and other metadata.
2019-04-26 13:49:28 +02:00
Hanno Becker
78d1f70ab6 Ensure non-NULL key buffer when building SSL test transforms 2019-04-25 12:58:21 +01:00
Hanno Becker
a5780f1993 Catch errors while building SSL test transforms 2019-04-25 12:58:21 +01:00
Hanno Becker
3ee5421f9c Use mbedtls_{calloc|free}() in SSL unit test suite 2019-04-25 12:58:21 +01:00
Hanno Becker
907ab20b38 Alternative between send/recv transform in SSL record test suite 2019-04-25 12:58:21 +01:00
Hanno Becker
81e16a34f5 Fix memory leak on failure in test_suite_ssl 2019-04-25 12:58:21 +01:00
Hanno Becker
d0fa2d7563 Add record encryption/decryption tests for ARIA to SSL test suite 2019-04-25 12:58:21 +01:00
Hanno Becker
b3268dac00 Add encryption/decryption tests for small records
This commit adds tests to check the behavior of the record encryption
routine `ssl_encrypt_buf` when the buffer surrounding the plaintext is
too small to hold the expansion in the beginning and end (due to IV's,
padding, and MAC).

Each test starts successively increases the space available at the
beginning, end, or both, of the record buffer, and checks that the
record encryption either fails with a BUFFER_TOO_SMALL error, or
that it succeeds. Moreover, if it succeeds, it is checked that
decryption succeeds, too, and results in the original record.
2019-04-25 12:58:21 +01:00
Hanno Becker
a18d1320da Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-25 12:58:21 +01:00
Gilles Peskine
2c2cf0e36d Update remaining test cases to use key attributes
Finish updating the tests to use psa_key_attributes_t and
psa_import_key instead of psa_key_policy_t and
psa_import_key_to_handle.
2019-04-24 15:47:30 +02:00
Gilles Peskine
4440688a69 Update key management tests to use attributes
Remove test cases which are no longer relevant because they involve a
slot which is allocated but not filled with key material.
2019-04-24 15:47:29 +02:00
Gilles Peskine
34e23d2109 Persistent key gray-box tests: add test cases with restart
Also test the behavior if the crypto subsystem is restarted after
creating the persistent key.
2019-04-24 15:46:04 +02:00
Gilles Peskine
5c648abe44 Update persistent_key_load_key_from_storage to use attributes
Update persistent_key_load_key_from_storage to the new attribute-based
key creation interface. I tweaked the code a little to make it simpler
and more robust without changing the core logic.
2019-04-24 15:46:04 +02:00
Gilles Peskine
ca25db91f5 Update copy_key tests to the new attribute-based interface 2019-04-24 15:46:04 +02:00
Gilles Peskine
4cf3a43dbd Simplify and expand invalid-handle tests
Simplify invalid-handle tests and make them test more things. Call
these tests in several test functions after destroying a key.
2019-04-24 15:46:04 +02:00
Gilles Peskine
c4344042f4 Remove tests for empty slots
With the attribute-based key creation API, it is no longer possible to
have a handle to a slot that does not hold key material. Remove all
corresponding tests.
2019-04-24 15:46:04 +02:00
Gilles Peskine
8c8f2ab66b Implement psa_get_key_attributes
Implement attribute querying.

Test attribute getters and setters. Use psa_get_key_attributes instead
of the deprecated functions psa_get_key_policy or
psa_get_key_information in most tests.
2019-04-24 15:46:04 +02:00
Gilles Peskine
ff5f0e7221 Implement atomic-creation psa_{generate,generator_import}_key
Implement the new, attribute-based psa_generate_key and
psa_generator_import_key.
2019-04-24 15:46:03 +02:00
Gilles Peskine
4747d19d18 Implement atomic-creation psa_import_key
Implement the new, attribute-based psa_import_key and some basic
functions to access psa_key_attributes_t. Replace
psa_import_key_to_handle by psa_import_key in a few test functions.

This commit does not handle persistence attributes yet.
2019-04-24 15:45:50 +02:00
Gilles Peskine
87a5e565f4 Rename functions that inject key material to an allocated handle
This commit starts a migration to a new interface for key creation.
Today, the application allocates a handle, then fills its metadata,
and finally injects key material. The new interface fills metadata
into a temporary structure, and a handle is allocated at the same time
it gets filled with both metadata and key material.

This commit was obtained by moving the declaration of the old-style
functions to crypto_extra.h and renaming them with the to_handle
suffix, adding declarations for the new-style functions in crypto.h
under their new name, and running

    perl -i -pe 's/\bpsa_(import|copy|generator_import|generate)_key\b/$&_to_handle/g' library/*.c tests/suites/*.function programs/psa/*.c
    perl -i -pe 's/\bpsa_get_key_lifetime\b/$&_from_handle/g' library/*.c tests/suites/*.function programs/psa/*.c

Many functions that are specific to the old interface, and which will
not remain under the same name with the new interface, are still in
crypto.h for now.

All functional tests should still pass. The documentation may have
some broken links.
2019-04-24 15:24:45 +02:00
Gilles Peskine
f8a9d942a5 Test multipart key agreement with ECDH+HKDF
Basic coverage with one algorithm only and a restricted choice of
output lengths.
2019-04-18 09:42:21 +02:00
Gilles Peskine
f0cba73b99 New test function for raw agreement
Change test cases with test data for raw agreement to this new test
function.
2019-04-18 09:42:21 +02:00
Gilles Peskine
f8831c27f3 Remove obsolete test case "ECDH-only public key"
Since the format change for EC public key import from
SubjectPublicKeyInfo to the ECPoint content, it is no longer possible
to import a key with metadata marking it as ECDH-only. This test was
converted systematically but now no longer has any purpose since the
public key is now like any other public key.
2019-04-18 09:42:21 +02:00
Gilles Peskine
77f40d83c1 Quick fix of key agreement setup tests for the new derivation API
Allow either the key derivation step or the key agreement step to
fail.

These tests should be split into three groups: key derivation setup
tests with an algorithm that includes a key agreement step, and
multipart key agreement failure tests, and raw key agreement failure
tests.
2019-04-18 09:42:21 +02:00
Gilles Peskine
04ee2d2295 Update key agreement policy tests for the new derivation API
Separate test functions for raw key agreement and key agreement with
KDF.
2019-04-18 09:42:21 +02:00
Gilles Peskine
2e46e9cf21 Add exercise_key for raw key agreement 2019-04-18 09:42:21 +02:00
Jaeden Amero
521dbc67da Merge remote-tracking branch 'tls/development' into development
Merge Mbed TLS at f790a6cbee into Mbed Crypto.

Resolve conflicts by performing the following:
    - Reject changes to README.md
    - Don't add crypto as a submodule
    - Remove test/ssl_cert_test from programs/Makefile
    - Add cipher.nist_kw test to tests/CMakeLists.txt
    - Reject removal of crypto-specific all.sh tests
    - Reject update to SSL-specific portion of component_test_valgrind
      in all.sh
    - Reject addition of ssl-opt.sh testing to component_test_m32_o1 in
      all.sh

* tls/development: (87 commits)
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
  cpp_dummy_build: Add missing header psa_util.h
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
  Don't use debug level 1 for informational messages
  Skip uncritical unsupported extensions
  Give credit to OSS-Fuzz for #2404
  all.sh: remove component_test_new_ecdh_context
  Remove crypto-only related components from all.sh
  Remove ssl_cert_test sample app
  Make CRT callback tests more robust
  Rename constant in client2.c
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix a rebase error
  ...
2019-04-17 12:12:24 +01:00
Jaeden Amero
f790a6cbee Merge remote-tracking branch 'origin/pr/2536' into development
* origin/pr/2536:
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
2019-04-17 10:52:54 +01:00
Jaeden Amero
5c7915b0ed Merge remote-tracking branch 'origin/pr/2582' into development
* origin/pr/2582:
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
2019-04-17 10:46:45 +01:00
Gilles Peskine
424840e033 Call mbedtls_cipher_free() to reset a cipher context
mbedtls_cipher_reset() only restarts the operation, it doesn't
dissociate the key from the context.
2019-04-16 16:06:34 +02:00
Jaeden Amero
ff34d43720 Merge remote-tracking branch 'origin/pr/2532' into development
* origin/pr/2532: (29 commits)
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix name to function call
  Address comments for x509 tests
  Address review comments regarding ssl_client2 and ssl tests
  Remove mbedtls_ from the static function name
  Change docs according to review comments
  Change the verify function naming
  Fix ssl_client2 and ssl_server2 if !PLATFORM_C
  Correct placement of usage macro in ssl_client2
  Update version_features.c
  Remove trailing whitespace in test_suite_x509parse.function
  Update query_config.c
  Add ssl-opt.sh tests for trusted CA callbacks
  Only run X.509 CRT verification tests with CA callback tests if !CRL
  Minor fixes to CA callback tests
  Declare CA callback type even if feature is disabled
  Implement X.509 CRT verification using CA callback
  Add prototype for CRT verification with static and dynamic CA list
  Make use of CA callback if present when verifying peer CRT chain
  ...
2019-04-16 14:42:11 +01:00
Gilles Peskine
139ec3b913 Don't call mbedtls_cipher_setkey twice
The documentation doesn't explicitly say whether it's allowed or not.
This currently works with the default software implementation, but
only by accident. It isn't guaranteed to work with new ciphers or with
alternative implementations of individual ciphers, and it doesn't work
with the PSA wrappers. So don't do it.
2019-04-16 15:25:20 +02:00
Ron Eldor
685a398a6b Minor fixes in get certificate policies oid test
1. Remove irrelevant  dependency on `MBEDTLS_ASN1_WRITE_C`.
2. Remove whitespace between `*` and parameter.
2019-04-16 13:26:54 +03:00
Ron Eldor
e82341646a Add certificate policy oid x509 extension
Add the `MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES` to the list
of supported x509 extensions, in `mbedtls_oid_get_x509_ext_type()`.
2019-04-16 13:26:54 +03:00
Gilles Peskine
1e2730b9b1 Update usage of PSA_ALG_ECDH so that test_suite_psa_crypto compiles 2019-04-09 12:25:23 +02:00
Gilles Peskine
3135184cfc Merge remote-tracking branch 'upstream-crypto/development' into psa-api-beta2-merge-development
Merge the Mbed Crypto development branch a little after
mbedcrypto-1.0.0 into the PSA Crypto API 1.0 beta branch a little
after beta 2.

Summary of merge conflicts:

* Some features (psa_copy_key, public key format without
  SubjectPublicKeyInfo wrapping) went into both sides, but with a few
  improvements on the implementation side. For those, take the
  implementation side.
* The key derivation API changed considerably on the API side. This
  merge commit generally goes with the updated API except in the tests
  where it keeps some aspects of the implementation.

Due to the divergence between the two branches on key derivation and
key agreement, test_suite_psa_crypto does not compile. This will be
resolved in subsequent commits.
2019-04-09 12:00:00 +02:00
Janos Follath
846ae7a70d Document and test flags in x509_verify 2019-04-05 16:45:01 +01:00
Janos Follath
d7ecbd6914 Fix style issues and a typo 2019-04-05 16:44:42 +01:00
Jaeden Amero
aa3402018e Merge remote-tracking branch 'origin/pr/2535' into development
* origin/pr/2535:
  Add Wisun Fan device extended key usage
2019-04-05 14:36:08 +01:00
Jaeden Amero
d192ba4ef1 Merge remote-tracking branch 'origin/pr/2463' into development
* origin/pr/2463:
  Fix a rebase error
  Wrap lines at 80 columns
  Add NIST keywrap as a cipher mode
  Fix errors in AEAD test function
2019-04-05 14:15:40 +01:00
Jaeden Amero
62ab1f9961 Merge remote-tracking branch 'origin/pr/2405' into development
* origin/pr/2405:
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
2019-04-05 14:08:49 +01:00
Jaeden Amero
3d8144731f Merge remote-tracking branch 'origin/pr/2192' into development
* origin/pr/2192:
  Increase okm_hex buffer to contain null character
  Minor modifications to hkdf test
  Add explanation for okm_string size
  Update ChangeLog
  Reduce buffer size of okm
  Reduce Stack usage of hkdf test function
2019-04-05 13:53:14 +01:00
Ron Eldor
b6dc105456 Add Wisun Fan device extended key usage
Add the Wisun extended key usage oid and tests.
2019-04-03 13:48:50 +03:00
Jack Lloyd
ffdf28851d Add NIST keywrap as a cipher mode
Closes #2003 see also #1658
2019-04-02 10:02:55 -07:00
Jack Lloyd
1dbc5a257f Fix errors in AEAD test function
It was failing to set the key in the ENCRYPT direction before encrypting.
This just happened to work for GCM and CCM.

After re-encrypting, compare the length to the expected ciphertext
length not the plaintext length. Again this just happens to work for
GCM and CCM since they do not perform any kind of padding.
2019-04-02 10:02:55 -07:00
Jarno Lamsa
dfd22c4dbd Address comments for x509 tests 2019-04-01 15:18:53 +03:00
Jarno Lamsa
31d9db6195 Change the verify function naming
Change the naming to reflect that the function uses a new ca callback
feature to distinguish different callbacks.
2019-04-01 14:33:49 +03:00
Hanno Becker
3f932bbc5d Remove trailing whitespace in test_suite_x509parse.function 2019-03-28 17:06:47 +00:00
Hanno Becker
0350d56286 Only run X.509 CRT verification tests with CA callback tests if !CRL 2019-03-28 16:13:44 +00:00
Hanno Becker
cbb590369c Minor fixes to CA callback tests 2019-03-28 16:13:44 +00:00
Jarno Lamsa
557426ad77 Add a failure testcase for ca callback 2019-03-28 16:13:43 +00:00
Jarno Lamsa
912ed33991 Change callback name to ca_callback 2019-03-28 16:13:43 +00:00
Jarno Lamsa
03cd120ce4 Test for ca list callback 2019-03-28 16:13:43 +00:00
Jaeden Amero
c70a3c76bf Merge remote-tracking branch 'tls/development' into development
Resolve conflicts actions:
 - Reject path changes to config.h
 - Reject submodule-related changes in build scripts (Makefile,
   CMakeLists.txt)
 - Add oid test suite to list of tests in tests/CMakeLists.txt,
   rejecting any test filtering related changes (which TLS uses to avoid
   duplicating crypto tests)
 - Add legacy ECDH test to all.sh without including
   all.sh tests that depend on SSL
2019-03-28 16:02:25 +00:00
Jaeden Amero
57773d4ede Merge remote-tracking branch 'restricted/pr/551' into development
* restricted/pr/551:
  ECP: Clarify test descriptions
  ECP: remove extra whitespaces
  Fix ECDH secret export for Mongomery curves
  Improve ECP test names
  Make ecp_get_type public
  Add more tests for ecp_read_key
  ECP: Catch unsupported import/export
  Improve documentation of mbedtls_ecp_read_key
  Fix typo in ECP module
  Remove unnecessary cast from ECP test
  Improve mbedtls_ecp_point_read_binary tests
  Add Montgomery points to ecp_point_write_binary
  ECDH: Add test vectors for Curve25519
  Add little endian export to Bignum
  Add mbedtls_ecp_read_key
  Add Montgomery points to ecp_point_read_binary
  Add little endian import to Bignum
2019-03-27 17:01:24 +00:00
Jaeden Amero
0ea33776ce Merge remote-tracking branch 'restricted/pr/552' into development
Ensure this merge passes tests by auto-generating query_config.c, adding
MBEDTLS_ECDH_LEGACY_CONTEXT to it.

* restricted/pr/552:
  Fix mbedtls_ecdh_get_params with new ECDH context
  Test undefining MBEDTLS_ECDH_LEGACY_CONTEXT in all.sh
  Define MBEDTLS_ECDH_LEGACY_CONTEXT in config.h
  Add changelog entry for mbedtls_ecdh_get_params robustness
  Fix ecdh_get_params with mismatching group
  Add test case for ecdh_get_params with mismatching group
  Add test case for ecdh_calc_secret
  Fix typo in documentation
2019-03-27 17:01:16 +00:00
Jaeden Amero
c73fde725b Merge remote-tracking branch 'origin/pr/2531' into development
Ensure tests pass when the submodule is used by updating the list of
crypto tests to include test_suite_oid in both tests/CMakeLists.txt and
tests/Makefile.

* origin/pr/2531:
  Add changeLog entry
  Add certificate policy of type any policy id
2019-03-27 16:52:08 +00:00
Jaeden Amero
d5d01a0435 Merge remote-tracking branch 'origin/pr/2525' into development
* origin/pr/2525:
  Update library version to 2.17.0
2019-03-26 14:50:06 +00:00
Ron Eldor
11ee07191f Add certificate policy of type any policy id
Add a function for getting the certificate policy. Currently only
"Any Policy" is supported.
2019-03-26 14:41:07 +02:00
Jaeden Amero
3f8d78411a Update library version to 2.17.0 2019-03-19 16:12:55 +00:00
Gilles Peskine
d7929e7539 Fix copypasta in test data 2019-03-15 11:37:09 +01:00
Gilles Peskine
e3dbdd8d90 Gate entropy injection through a dedicated configuration option
Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.
2019-03-15 11:15:21 +01:00
Gilles Peskine
6bf4baef95 Remove compilation option MBEDTLS_PSA_HAS_ITS_IO
MBEDTLS_PSA_HAS_ITS_IO is not really useful since it doesn't actually
enable anything except the entropy seed file support, which only
requires the ITS interface and not a native implemetation. Remove it.
2019-03-15 11:15:13 +01:00
Gilles Peskine
5e80d91dbf Remove psa_crypto_storage_backend.h
Since there is now a single storage backend, we don't need a backend
interface. Make the functions that were declared in
psa_crypto_storage_backend.h and are now both defined and used in
psa_crypto_storage.c static, except for psa_is_key_present_in_storage
which is used by the gray-box tests and is now declared in
psa_crypto_storage.h.
2019-03-15 11:15:04 +01:00
Gilles Peskine
e435f23019 Remove psa_crypto_storage_file
Now that we have ITS over files, we no longer need a direct backend
for key storage over files. Remove psa_crypto_storage_file and its
tests.

Switch MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C and MBEDTLS_PSA_ITS_FILE_C on
by default. This preserves functionality and test coverage in the
default configuration, but forgets any key previously stored using the
file backend.
2019-03-15 11:14:51 +01:00
Gilles Peskine
23793482ac Support ITS over file in PSA crypto 2019-03-15 11:14:37 +01:00
Gilles Peskine
b0c642abae Tests for PSA ITS over stdio files 2019-03-15 11:14:35 +01:00
Gilles Peskine
bc1f272750 Tests for PSA ITS over files 2019-03-15 11:14:29 +01:00
Jaeden Amero
9afb2e9921 Remove tests that depend on TLS or X.509 2019-03-11 16:49:26 +00:00
Jaeden Amero
2b9eb0bd6c Merge remote-tracking branch 'tls/development' into development
* origin/development: (113 commits)
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
  Fix unused variable warning in ssl_parse_certificate_coordinate()
  Update the crypto submodule to a78c958
  Fix ChangeLog entry to correct release version
  Fix typo in x509write test data
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for named bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Add new function mbedtls_asn1_write_named_bitstring()
  Add missing compile time guard in ssl_client2
  Update programs/ssl/query_config.c
  ssl_client2: Reset peer CRT info string on reconnect
  Add further debug statements on assertion failures
  ...
2019-03-07 12:02:18 +00:00
Janos Follath
04dadb73fd Add non-regression test for buffer overflow 2019-03-06 12:29:37 +00:00
Jaeden Amero
6b47a6ceac Merge remote-tracking branch 'origin/pr/2100' into development
* origin/pr/2100:
  Fix test data missing some fake-random input
  Add tests for RSA encrypt/decrypt with NULL for empty message
2019-03-05 16:29:27 +00:00
Simon Butcher
74ac6e3fec Merge remote-tracking branch 'public/pr/2028' into development
* public/pr/2028:
  Update the crypto submodule to a78c958
  Fix ChangeLog entry to correct release version
  Fix typo in x509write test data
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for named bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Add new function mbedtls_asn1_write_named_bitstring()
2019-03-01 12:44:19 +00:00
Simon Butcher
bbed914b41 Merge remote-tracking branch 'public/pr/2447' into development
* public/pr/2447:
  Unbump version to 0.0.0
2019-03-01 12:41:25 +00:00
Andres Amaya Garcia
412ddf3812 Fix typo in x509write test data 2019-02-28 09:38:03 +00:00
Andres Amaya Garcia
7067f812f8 Add tests for (named) bitstring to suite_asn1write 2019-02-28 09:36:30 +00:00
Jaeden Amero
a78c958b17 Merge remote-tracking branch 'tls/pr/2028' into development 2019-02-27 15:21:44 +00:00
Jaeden Amero
a9d6ba2510 Merge remote-tracking branch 'tls/development' into development
Additional work done as part of merge:
    - Run ./tests/scripts/check-generated-files.sh and check in the
      resulting changes to programs/ssl/query_config.c
2019-02-27 15:15:53 +00:00
Janos Follath
54ba3eb7de ECP: Clarify test descriptions 2019-02-27 14:47:10 +00:00
Janos Follath
bf42408528 Improve ECP test names 2019-02-26 16:49:52 +00:00
Janos Follath
df9295b7ec Make ecp_get_type public
The ecp_get_type function comes handy in higher level modules and tests
as well. It is not inline anymore, to enable alternative implementations
to implement it for themselves.
2019-02-26 16:49:42 +00:00
Janos Follath
4ffdbe0979 Add more tests for ecp_read_key 2019-02-26 16:48:40 +00:00
Janos Follath
28eb06df16 ECP: Catch unsupported import/export
mbedtls_ecp_read_key() module returned without an error even when
importing keys corresponding to the requested group was not
implemented.

We change this and return an error when the requested group is not
supported and make the remaining import/export functions more robust.
2019-02-26 16:48:40 +00:00
Janos Follath
e5670f2663 Remove unnecessary cast from ECP test 2019-02-26 16:48:40 +00:00
Gilles Peskine
9e0a4a54a2 Test abort after failed setup
Commit "Smoke-test operation contexts after setup+abort" replaced
{failed-setup; abort} sequences by {failed-setup; successful-setup}.
We want to test that, but we also want to test {failed-setup; abort}.
So test {failed-setup; abort; failed-setup; successful-setup}.
2019-02-26 11:29:17 +01:00
Gilles Peskine
f426e0f303 Smoke-test operation contexts after setup+abort
After a successful setup followed by abort, or after a failed setup
from an inactive state, a context must be usable. Test this for
hash, MAC and cipher contexts.
2019-02-26 11:29:16 +01:00
Janos Follath
ffbd7e8ff3 Improve mbedtls_ecp_point_read_binary tests
Renamed the tests because they are explicitly testing Curve25519 and
nothing else. Improved test coverage, test documentation and extended
in-code documentation with a specific reference to the standard as well.
2019-02-25 11:49:54 +00:00
Janos Follath
7caf8e452f Add Montgomery points to ecp_point_write_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to export such points.
2019-02-22 15:42:18 +00:00
Janos Follath
ab0f71a22a ECDH: Add test vectors for Curve25519
The test vectors added are published in RFC 7748.
2019-02-22 15:42:03 +00:00
Janos Follath
e344d0f6fc Add little endian export to Bignum
The function `mbedtls_mpi_write_binary()` writes big endian byte order,
but we need to be able to write little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs ..` to transform the test data to little endian.
2019-02-22 15:41:31 +00:00
Janos Follath
171a7efd02 Add mbedtls_ecp_read_key
The private keys used in ECDH differ in the case of Weierstrass and
Montgomery curves. They have different constraints, the former is based
on big endian, the latter little endian byte order. The fundamental
approach is different too:
- Weierstrass keys have to be in the right interval, otherwise they are
  rejected.
- Any byte array of the right size is a valid Montgomery key and it
  needs to be masked before interpreting it as a number.

Historically it was sufficient to use mbedtls_mpi_read_binary() to read
private keys, but as a preparation to improve support for Montgomery
curves we add mbedtls_ecp_read_key() to enable uniform treatment of EC
keys.

For the masking the `mbedtls_mpi_set_bit()` function is used. This is
suboptimal but seems to provide the best trade-off at this time.
Alternatives considered:
- Making a copy of the input buffer (less efficient)
- removing the `const` constraint from the input buffer (breaks the api
and makes it less user friendly)
- applying the mask directly to the limbs (violates the api between the
modules and creates and unwanted dependency)
2019-02-22 15:39:03 +00:00
Janos Follath
59b813c7be Add Montgomery points to ecp_point_read_binary
The library is able to perform computations and cryptographic schemes on
curves with x coordinate ladder representation. Here we add the
capability to import such points.
2019-02-22 15:38:46 +00:00
Janos Follath
a778a94b7d Add little endian import to Bignum
The function `mbedtls_mpi_read_binary()` expects big endian byte order,
but we need to be able to read from little endian in some caseses. (For
example when handling keys corresponding to Montgomery curves.)

Used `echo xx | tac -rs .. | tr [a-z] [A-Z]` to transform the test data
to little endian and `echo "ibase=16;xx" | bc` to convert to decimal.
2019-02-22 15:38:32 +00:00
Jaeden Amero
e895342522 Merge remote-tracking branch 'origin/pr/2427' into development 2019-02-22 12:53:13 +00:00
Jaeden Amero
8963b0311c Merge remote-tracking branch 'origin/pr/2411' into development 2019-02-22 10:32:44 +00:00
Jaeden Amero
0ae63f7bc3 Merge remote-tracking branch 'origin/pr/2383' into development 2019-02-22 10:32:43 +00:00
Gilles Peskine
c4dff06f31 Add test case for ecdh_get_params with mismatching group
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, with keys belonging to
different groups. This should fail, but currently passes.
2019-02-22 10:21:31 +01:00
Gilles Peskine
552563b741 Add test case for ecdh_calc_secret
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, then mbedtls_ecdh_calc_secret.
2019-02-22 10:20:07 +01:00
Jaeden Amero
bf61ca7a04
Merge pull request #58 from Patater/disallow-invalid-context
Disallow use of invalid contexts
2019-02-21 17:37:04 +00:00
Jaeden Amero
36ee5d0fbf psa: Disallow repeated setup
Calling psa_*_setup() twice on a MAC, cipher, or hash context should
result in a PSA_ERROR_BAD_STATE error because the operation has already
been set up.

Fixes #10
2019-02-20 15:27:41 +00:00
Jaeden Amero
11aa7ee189 psa: Extend hash bad order test
Extend hash bad order test in line with the new bad order tests for MAC
and cipher, covering more cases and making comments and test layout
consistent.

Ensure that when doing hash operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
a0f625ac9a psa: Disallow use of invalid hash contexts
If a hash context has not been set up, fail with PSA_ERROR_BAD_STATE as
documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
ab43997f44 psa: Disallow use of invalid cipher contexts
Ensure that when doing cipher operations out of order,
PSA_ERROR_BAD_STATE is returned as documented in crypto.h and the PSA
Crypto specification.
2019-02-20 15:27:41 +00:00
Jaeden Amero
252ef28dac psa: Disallow use of invalid MAC contexts
Ensure that when doing MAC operations out of order, PSA_ERROR_BAD_STATE
is returned as documented in crypto.h and the PSA Crypto specification.
2019-02-20 15:27:41 +00:00
Gilles Peskine
e086652aef Test the length of cipher_update output
In multipart cipher tests, test that each step of psa_cipher_update
produces output of the expected length. The length is hard-coded in
the test data since it depends on the mode.

The length of the output of psa_cipher_finish is effectively tested
because it's the total output length minus the length produced by the
update steps.
2019-02-19 19:45:55 +01:00
Gilles Peskine
a04ba4ec52 Add some CTR multipart tests
Test data obtained with Python+PyCrypto:
AES.new(key, mode=AES.MODE_CTR, counter=Crypto.Util.Counter.new(128, initial_value=0x2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a)).encrypt(plaintext.decode('hex')).encode('hex')
2019-02-19 19:26:06 +01:00
Gilles Peskine
3215de4cf5 Add CBC multipart tests with 2 blocks
Test data obtained with Python+PyCrypto:
AES.new(key, AES.MODE_CBC, iv).encrypt(plaintext.decode('hex')).encode('hex')
2019-02-19 19:26:02 +01:00
Gilles Peskine
3b7e084077 Fix incorrect length check in multipart cipher tests
The output length can be equal to the input length.

This wasn't noticed at runtime because we happened to only test with
CBC with the first chunk being a partial block.
2019-02-19 19:22:51 +01:00
Gilles Peskine
ee46fe7b9b Fix output size calculations in cipher tests
Some calls to psa_cipher_finish or psa_cipher_update append to a
buffer. Several of these calls were not calculating the offset into
the buffer or the remaining buffer size correctly.

This did not lead to buffer overflows before because the buffer sizes
were sufficiently large for our test inputs. This did not lead to
incorrect output when the test was designed to append but actually
wrote too early because all the existing test cases either have no
output from finish (stream cipher) or have no output from update (CBC,
with less than one block of input).
2019-02-19 19:05:33 +01:00
Gilles Peskine
adc558e289 Fix test data missing some fake-random input
The test function pkcs1_rsaes_v15_encrypt gets its fake-random input
for padding from a test parameter. In one test case, the parameter was
too short, causing a fallback to rand(). The reference output depends
on this random input, so the test data was correct only for a platform
with one particular rand() implementation. Supply sufficient
fake-random input so that rand() isn't called.
2019-02-19 18:33:57 +01:00
Gilles Peskine
85a6dd40ba Add tests for RSA encrypt/decrypt with NULL for empty message 2019-02-19 18:33:57 +01:00
Jaeden Amero
cf2010cf58 psa: Check generator validity before read
Check generator validity (i.e. that alg has been initialized) before
allowing reads from the generator or allowing reads of the generator's
capacity.

This aligns our implementation with the documented error code behavior
in our crypto.h and the PSA Crypto API.
2019-02-18 17:05:50 +00:00
Jaeden Amero
9654e11b1d
Merge pull request #55 from davidsaada/david_its_ps_err_codes
Modify PSA related error codes and types
2019-02-18 15:39:27 +00:00
David Saada
a2523b2c6d Replace ITS specific types with more generic PSA storage types
PSA spec now defines more generic PSA storage types instead of the ITS
specific ones. This is necessary in order to integrate with
the newer implementation of PSA ITS landing in Mbed OS soon.
Changes include the following:
- psa_status_t replaces psa_its_status_t
- psa_storage_info_t replaces psa_its_info_t
- psa_storage_uid_t replaces psa_its_uid_t
2019-02-18 13:56:26 +02:00
David Saada
b4ecc27629 Replace PSA error code definitions with the ones defined in PSA spec 2019-02-18 13:53:13 +02:00
k-stachowiak
28cb6fbd47 Unbump version to 0.0.0 2019-02-18 12:01:03 +01:00
Andrzej Kurek
1b20be59e2 Write documentation for TEST_ASSERT 2019-02-15 10:13:35 -05:00
Jaeden Amero
0574e6a7bd
Merge pull request #51 from Patater/update-dev-tls-dev-crypto-merge
Merge mbedtls/development-psa, mbedtls/development into development
2019-02-15 15:07:37 +00:00
Jaeden Amero
67ea2c5e6d Merge branch 'development-psa-proposed' into development
Resolve conflicts by performing the following.

- Take the upstream Mbed TLS ChangeLog verbatim.
- Reject changes to Makefiles and CMake that are related to using Mbed
  Crypto as a submodule. It doesn't make sense to use Mbed Crypto as a
  submodule of itself.
- Reject README changes, as Mbed Crypto has its own, different README.
- Reject PSA-related changes to config.h. We don't want to disable the
  availability of the PSA Crypto API by default in the Mbed Crypto
  config.h.
- Don't inadvertently revert dead code removal in
  mbedtls_cipher_write_tag() which was added in f2a7529403 ("Fix
  double return statement in cipher.c")
- Where Mbed Crypto already had some MBEDTLS_USE_PSA_CRYPTO code (from
  past companion PRs) take the latest version from Mbed TLS which
  includes integration with MBEDTLS_CHECK_PARAMS.
- Update the version of the shared library files to match what's
  currently present in Mbed TLS.
- Reject removal of testing with PSA from config full tests.
- Resolve conflicts in test tests/suites/helpers.function, where both
  Mbed Crypto and Mbed TLS both added documentation for TEST_ASSERT.
  Combine text from both documentation efforts.
- Reject adding a submodule of ourselves.
- Reject addition of submodule tests in all.sh.
- Reject addition of submodule to library path in
  tests/scripts/run-test-suites.pl.
- Avoid using USE_CRYPTO_SUBMODULE=1 in
  component_test_use_psa_crypto_full_cmake_asan() in all.sh.
2019-02-14 15:58:43 +00:00
Jaeden Amero
3ea2687053 psa: Initialize crypto in tests that need to
Don't unconditionally enable PSA Crypto for all tests. Only enable it in
tests that require it. This allows crypto tests to check that
psa_crypto_init() fails when it is supposed to fail, since we want to
perform some action in a test, and then call psa_crypto_init() and check
the result without it having been called previously.
2019-02-13 07:34:54 -05:00
Jaeden Amero
2d7e5fe31d
Merge pull request #46 from Patater/fix-windows-initializers
psa: Test fresh contexts have default behavior
2019-02-12 16:34:10 +00:00
Andres Amaya Garcia
4343384966 Fix typo in x509write test data 2019-02-11 21:33:10 +00:00
Andrzej Kurek
f389629556 Move a restartable ecp context to a conditional compilation block
This was an unused variable when compiling with parameter validation
but without ecp_restartable
2019-02-11 05:15:54 -05:00
Hanno Becker
2d8a2c0852 Modify existing X.509 test for also test new copyless API
The existing test `x509parse_crt()` for X.509 CRT parsing
so far used the generic parsing API `mbedtls_x509_crt_parse()`
capable of parsing both PEM encoded and DER encoded certficates,
but was actually only used with DER encoded input data. Moreover,
as the purpose of the test is the testing of the core DER X.509 parsing
functionality, not the PEM vs. DER dispatch (which is now already tested
in the various `x509_crt_info()` tests), the call can be replaced with a
direct call to `mbedtls_x509_parse_crt_der()`.

This commit does that, and further adds to the test an analogous
call to the new API `mbedtls_x509_parse_crt_der_nocopy()` to test
copyless parsing of X.509 certificates.
2019-02-08 14:24:58 +00:00
Hanno Becker
462c3e5210 Add test for mbedtls_x509_parse_file() with DER encoded CRT 2019-02-08 14:24:58 +00:00
Jaeden Amero
2a0f48ae1f
Merge pull request #43 from Patater/update-2.16-dev
Update to a development version of Mbed TLS 2.16.0
2019-02-08 08:13:41 +00:00
Jaeden Amero
5229bbb08e psa: Test fresh contexts have default behavior
Test that freshly-initialized contexts exhibit default behavior through
the API. Do this without depending on the internal representation of the
contexts. This provides better portability of our tests on compilers
like MSVC.
2019-02-07 17:01:12 +00:00
Jaeden Amero
6fd4ee2af1
Merge pull request #20 from gilles-peskine-arm/psa-copy_key
New function psa_copy_key
2019-02-07 15:40:42 +00:00
Jaeden Amero
c979f6ab38 psa: Test empty PKCS#1 v1.5 decryption
The tests use a ciphertext for PKCS#1 v1.5 encryption of a zero-length
buffer that was created with a call to psa_asymmetric_encrypt().
2019-02-07 12:19:59 +00:00
Jaeden Amero
f8daab78ff psa: Enable testing RSA decryption with output sizes
For must-fail asymmetric decryption tests, add an output size parameter
so that tests can directly control what output buffer size they allocate
and use independently from the key size used. This enables better
testing of behavior with various output buffer sizes.
2019-02-07 12:19:59 +00:00
Jaeden Amero
412654a605 psa: Expect output-buffer-sized RSA-decryption
When RSA decrypting, unlike with RSA encrypting, we sometimes expect the
output length will be less than the key size. For instance, in the case
where the plaintext is zero-length we expect the output length of the
decryption to be zero-length as well, not key size in length.

For must-fail tests, we don't expect output-buffer-sized RSA-decryption,
only that the output length is less than or equal to the output size, so
these tests remain unchanged.

Change the must-pass tests to expect that the actual output size is
equal to the expected length of the output buffer instead of always
being the key size.
2019-02-07 12:19:59 +00:00
Jaeden Amero
68933640f5 Merge commit '01b34fb316a5' into development
Merge a development version of Mbed TLS 2.16.0 that doesn't have
parameter validation into development.

The following conflicts were resolved:

- Update ChangeLog to include release notes merged from development so
  far, with a version of "2.14.0+01b34fb316a5" and release date of
  "xxxx-xx-xx" to show this is not a released version, but instead a
  snapshot of the development branch equivalent to version of the 2.14.0
  with additional commits from the mbedtls/development branch up through
  01b34fb316 included. Entries added for unreleased versions of Mbed
  Crypto remain at the top of the file for Mbed TLS 2.xx.x.
- Replace the Mbed Crypto version of
  mbedtls_rsa_rsaes_pkcs1_v15_decrypt() with the version from Mbed TLS
  which fixes timing variations and memory access variations that could
  lead to a Bleichenbacher-style padding oracle attack. This will
  prevent using psa_asymmetric_decrypt() with zero-length output buffers
  until a follow up commit is made to restore this capability.
- In ssl_srv.c, include changes for both the new ECDH interface and
  opaque PSK as already added to development previously.
2019-02-07 12:19:59 +00:00
Gilles Peskine
c9516fbf13 Document exercise_key and fix one incorrect usage
In one place, exercise_key was used in a such a way that if the test
failed inside exercise_key, the test suite would correctly report the
test as failed but would not report the exact location of the failure.
Fix this.

Add documentation for exercise_key that explains how to use it.
2019-02-06 16:42:34 +01:00
Gilles Peskine
e84d5d2f1c psa_copy_key: Add test cases to specifically check non-exportability
Test that copying a non-exportable key doesn't make it exportable.
This complements similar tests that exercise a different usage flag.
2019-02-06 16:42:05 +01:00
Andrzej Kurek
8a2e97c2df Merge development-psa commit 80b5662 into development-psa-merged branch
Adjust crypto submodule version to use new, forked crypto version accordingly.
2019-02-05 06:02:51 -05:00
k-stachowiak
a1dc9117a7 Correct code formatting in the timing test suites 2019-02-05 09:22:20 +01:00
Jaeden Amero
acdf07c033
Merge pull request #41 from hanno-arm/ec_pubkey_fmt_fixes
Make further adaptations to new EC public key format
2019-02-01 13:05:48 +00:00
Andrzej Kurek
de5a007316 Merge development commit f352f7 into development-psa 2019-02-01 07:03:03 -05:00
Hanno Becker
00114d71f4 Adapt test in test_suite_pk to work with new PSA public key format 2019-02-01 11:56:42 +00:00
Hanno Becker
56104ea9bb Adapt test in test_suite_pk to work with new PSA public key format 2019-02-01 11:48:19 +00:00
Andrzej Kurek
409fdae6bf test_suite_ctr_drbg: use ctr_drbg_update_ret instead of ctr_drbg_update
Align files with development to ensure the same state of repositories.
2019-02-01 02:53:16 -05:00
Andrzej Kurek
f093a3dc61 Use ecdh_setup instead of ecp_group_load
Align files with development to ensure the same state of repositories.
2019-02-01 02:50:36 -05:00
Andrzej Kurek
c470b6b021 Merge development commit 8e76332 into development-psa
Additional changes to temporarily enable running tests:
ssl_srv.c and test_suite_ecdh use mbedtls_ecp_group_load instead of
mbedtls_ecdh_setup
test_suite_ctr_drbg uses mbedtls_ctr_drbg_update instead of 
mbedtls_ctr_drbg_update_ret
2019-01-31 08:20:20 -05:00
Jaeden Amero
730ecdf3b1 Merge remote-tracking branch 'origin/pr/2371' into development 2019-01-30 13:15:40 +00:00
k-stachowiak
21daa3c1ee Reduce the timing tests complexity 2019-01-29 10:19:49 +01:00
Gilles Peskine
6b156df1ba Don't consider RIPEMD160 a PSA_ALG_ANY_HASH candidate
Some parts of the library don't support it, such as RSA PKCS#1v1.5
signature.
2019-01-28 15:43:19 +01:00
Gilles Peskine
8c1247fec9 Add psa_copy_key tests with policy constraints
Test a few cases. The logic to combine the constraint is similar to
the logic to combine the source and target, so it's ok to have less
parameter domain coverage for constraints.
2019-01-28 14:55:16 +01:00
Gilles Peskine
57ab721d8a Test psa_copy_key
Split the testing into tests that exercise policies in
test_suite_psa_crypto and tests that exercise slot content (slot
states, key material) in test_suite_psa_crypto_slot_management.

Test various cases of source and target policies with and without
wildcards. Missing: testing of the policy constraint on psa_copy_key
itself.

Test several key types (raw data, AES, RSA). Test with the
source or target being persistent.

Add failure tests (incompatible policies, source slot empty, target
slot occupied).
2019-01-28 14:55:06 +01:00
Gilles Peskine
f603c718c9 New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-28 14:41:11 +01:00
Jaeden Amero
43bafcca94
Merge pull request #15 from gilles-peskine-arm/psa-signature_policy_wildcard
Support wildcard hash in signature policies
2019-01-28 13:31:14 +00:00
Ron Eldor
17233f5a5c Increase okm_hex buffer to contain null character
Add an additional byte for the `okm_hex` buffer, to assure
it is null-terminated in case `okm` is 128 bytes long.
2019-01-28 15:18:15 +02:00
Ron Eldor
bc93219f66 Minor modifications to hkdf test
1. Fix comment grammar.
2. Rename `okm_string` to `okm_hex`.
2019-01-28 15:07:55 +02:00
Ron Eldor
1a3a7e5fc7 Add explanation for okm_string size
Add explanation for why the size of `okm_string` buffer
is twice as `okm` buffer.
2019-01-28 15:01:53 +02:00
Jaeden Amero
37a8c0c144
Merge pull request #27 from hanno-arm/crypto_submodule_update_prs_6_18_19_sibling
PSA integration sibling: Update crypto submodule (Hash clone, Key Policy Init, Key slot alloc)
2019-01-28 11:33:28 +00:00
Hanno Becker
a814ae6f92 PSA: Adapt PK test suite to new key policy initialization API 2019-01-25 14:36:28 +00:00
Hanno Becker
fcf659b12d PSA: Adapt PK test suite to modified key slot allocation mechanism 2019-01-25 14:36:28 +00:00
Hanno Becker
8d865dfe37 PSA: Adapt PK test suite to new key policy initialization API 2019-01-25 14:25:16 +00:00
Hanno Becker
353295ac70 PSA: Adapt PK test suite to modified key slot allocation mechanism 2019-01-25 14:25:00 +00:00
Jaeden Amero
4d69cf1a84
Merge pull request #13 from Patater/pubkey-format
Simplify RSA and EC public key formats
2019-01-25 10:09:40 +00:00
Gilles Peskine
eb2d4b9037 Test that HASH_ANY is not meaningful for OAEP
PSA_ALG_HASH_ANY is specified as meaningful only for signature.
2019-01-24 13:05:36 +01:00
Antonin Décimo
36e89b5b71 Fix #2370, minor typos and spelling mistakes 2019-01-24 10:37:40 +01:00
Jaeden Amero
ccdce90adb psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-23 17:39:46 +00:00
Jaeden Amero
25384a236e psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-23 17:31:50 +00:00
Jaeden Amero
0b6b871056
Merge pull request #22 from ARMmbed/iotssl-2697-psa-key-allocation-crypto
Adapting to the new PSA key slot allocation mechanism
2019-01-23 15:00:19 +00:00
Andrzej Kurek
c750932f2c Adapt to the new key allocation mechanism 2019-01-23 06:22:32 -05:00
Gilles Peskine
870f5dc656 Add missing test dependency 2019-01-23 10:42:23 +01:00
Simon Butcher
8e763329ad Merge remote-tracking branch 'public/pr/2040' into development 2019-01-23 10:28:25 +01:00
Simon Butcher
38cb940692 Merge remote-tracking branch 'public/pr/2231' into development 2019-01-23 10:20:08 +01:00
Jaeden Amero
494624d299
Merge pull request #18 from gilles-peskine-arm/psa-hash_clone
New function psa_hash_clone
2019-01-22 17:35:25 +00:00
Gilles Peskine
ea2e3604b1 Merge branch 'psa-copy_key' into psa-api-1.0-beta
New function psa_copy_key().

Conflicts:
* library/psa_crypto.c: trivial conflicts due to consecutive changes.
* tests/suites/test_suite_psa_crypto.data: the same code
  was added on both sides, but with a conflict resolution on one side.
* tests/suites/test_suite_psa_crypto_metadata.function: the same code
  was added on both sides, but with a conflict resolution on one side.
2019-01-19 13:56:35 +01:00
Gilles Peskine
4cb9dde84a New function psa_copy_key
Copy a key from one slot to another.

Implemented and smoke-tested.
2019-01-19 13:46:36 +01:00
Gilles Peskine
0ce26e35d6 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-19 13:42:51 +01:00
Gilles Peskine
b66c27b2c9 New macro PSA_ALG_IS_HASH_AND_SIGN
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
2019-01-19 13:42:51 +01:00
Gilles Peskine
b865df005c Merge branch 'psa-no_type_on_allocate_key' into psa-api-1.0-beta
Remove the type and bits arguments from psa_allocate_key() and
psa_create_key().
2019-01-19 12:24:18 +01:00
Gilles Peskine
d40c1fbd50 Don't require a type and size when creating a key slot
Remove the type and bits arguments to psa_allocate_key() and
psa_create_key(). They can be useful if the implementation wants to
know exactly how much space to allocate for the slot, but many
implementations (including ours) don't care, and it's possible to work
around their lack by deferring size-dependent actions to the time when
the key material is created. They are a burden to applications and
make the API more complex, and the benefits aren't worth it.

Change the API and adapt the implementation, the units test and the
sample code accordingly.
2019-01-19 12:20:52 +01:00
Gilles Peskine
b37af92eb9 Merge branch 'psa-hash_clone' into psa-api-1.0-beta
Add psa_hash_clone.
2019-01-19 12:07:27 +01:00
Gilles Peskine
ebb2c3e419 New function psa_hash_clone
Clone a hash operation.

Test good cases as part as multipart tests. Add new test functions for
the state machine.
2019-01-19 12:03:41 +01:00
Gilles Peskine
9dcc80e628 Merge branch 'psa-derive_input_steps-agreement_as_one_step' into psa-api-1.0-beta
Change the key derivation API to take inputs in multiple steps,
instead of a single one-site-fits-poorly function.

Conflicts:
* include/psa/crypto.h: merge independent changes in the documentation
  of psa_key_agreement (public_key from the work on public key formats
  vs general description and other parameters in the work on key derivation).
* tests/suites/test_suite_psa_crypto.data: update the key agreement
  tests from the work on key derivation to the format from the work on
  public key formats.
* tests/suites/test_suite_psa_crypto_metadata.function: reconcile the
  addition of unrelated ALG_IS_xxx macros
2019-01-18 18:54:15 +01:00
Gilles Peskine
6843c29713 Simplify the encoding of key agreement algorithms
Get rid of "key selection" algorithms (of which there was only one:
raw key selection).

Encode key agreement by combining a raw key agreement with a KDF,
rather than passing the KDF as an argument of a key agreement macro.
2019-01-18 18:38:08 +01:00
Gilles Peskine
969c5d61f7 Make key agreement the secret input for key derivation
* Documentation
* Proof-of-concept implementation
* Updates to the tests (work in progress)
2019-01-18 18:34:28 +01:00
Gilles Peskine
b70a0fd1a5 Key derivation by small input steps: proof-of-concept
Document the new API. Keep the old one.

Implement for HKDF. Use it in a few test cases.

Key agreement is still unchanged.
2019-01-18 18:33:12 +01:00
Gilles Peskine
1f9e58a1bb Merge branch 'psa-signature_policy_wildcard' into psa-api-1.0-beta
For hash-and-sign algorithms, allow a policy to specify a wildcard
instead of a specific hash algorithm.
2019-01-18 17:52:17 +01:00
Andres Amaya Garcia
5d26163db4 Add tests for (named) bitstring to suite_asn1write 2019-01-16 18:59:07 +00:00
Jaeden Amero
0ae445f8fd psa: Simplify EC public key format
Remove front matter from our EC key format, to make it just the contents
of an ECPoint as defined by SEC1 section 2.3.3.

As a consequence of the simplification, remove the restriction on not
being able to use an ECDH key with ECDSA. There is no longer any OID
specified when importing a key, so we can't reject importing of an ECDH
key for the purpose of ECDSA based on the OID.
2019-01-15 11:29:18 +00:00
Gilles Peskine
30f77cdfc1 Add a hash wildcard value for hash-and-sign algorithm
You can use PSA_ALG_ANY_HASH to build the algorithm value for a
hash-and-sign algorithm in a policy. Then the policy allows usage with
this hash-and-sign family with any hash.

Test that PSA_ALG_ANY_HASH-based policies allow a specific hash, but
not a different hash-and-sign family. Test that PSA_ALG_ANY_HASH is
not valid for operations, only in policies.
2019-01-14 19:38:56 +01:00
Gilles Peskine
d35b489ce5 New macro PSA_ALG_IS_HASH_AND_SIGN
Test for a subclass of public-key algorithm: those that perform
full-domain hashing, i.e. algorithms that can be broken down as
sign(key, hash(message)).
2019-01-14 16:02:15 +01:00
Jaeden Amero
6b19600fba psa: Simplify RSA public key format
Remove pkcs-1 and rsaEncryption front matter from RSA public keys. Move
code that was shared between RSA and other key types (like EC keys) to
be used only with non-RSA keys.
2019-01-11 18:08:53 +00:00
Simon Butcher
6944e05956 Merge remote-tracking branch 'public/pr/2232' into development 2019-01-08 15:33:28 +00:00
Simon Butcher
012a06cbf6 Merge remote-tracking branch 'public/pr/2228' into development 2019-01-08 15:26:58 +00:00
Andrzej Kurek
2349c4db88 Adapt to the new key allocation mechanism 2019-01-08 09:36:01 -05:00
Jaeden Amero
d94d671f14 psa: Test that generator initializers work 2019-01-08 14:28:04 +00:00
Jaeden Amero
5bae227da0 psa: Add initializers for cipher operation objects
Add new initializers for cipher operation objects and use them in our
tests and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero
769ce27f12 psa: Add initializers for MAC operation objects
Add new initializers for MAC operation objects and use them in our tests
and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero
6a25b41ac3 psa: Add initializers for hash operation objects
Add new initializers for hash operation objects and use them in our
tests and library code. Prefer using the macro initializers due to their
straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero
70261c513a psa: Add initializers for key policies
Add new initializers for key policies and use them in our docs, example
programs, tests, and library code. Prefer using the macro initializers
due to their straightforwardness.
2019-01-08 14:28:04 +00:00
Jaeden Amero
8c7e95d9e0 tests: Remove unused key policy objects
persistent_key_import() and persistent_key_destroy() don't need to and
don't use key policy objects. Remove unused key policy objects.
2019-01-04 15:38:07 +00:00
Simon Butcher
ecff219e6f Change file scoping of test helpers.function
Dependent on configured options, not all of the helper functions were being
used, which was leading to warning of unused functions with Clang.

To avoid any complex compile time options, or adding more logic to
generate_test_code.py to screen out unused functions, those functions which were
provoking the warning were changed to remove static, remove them from file
scope, and expose them to the linker.
2018-12-28 11:06:25 +00:00
Simon Butcher
6c164e754b Update the version of the library to 2.16.0 2018-12-21 10:51:51 +00:00
Gilles Peskine
c08fc1d7e9 Move MIN and MAX macros from PSA tests to helpers.function 2018-12-20 18:47:53 +01:00
Gilles Peskine
d76f181617 Prefer ASSERT_ALLOC to calloc+TEST_ASSERT in PSA tests
To allocate memory dynamically in a test, call ASSERT_ALLOC which
takes care of calling calloc and of checking for NULL.
2018-12-20 18:47:53 +01:00
Gilles Peskine
1f2aa0e3b0 Remove useless null checks of data_t* parameters
The test framework never passes NULL for a data_t* parameter, so
testing them against NULL is clutter.
2018-12-20 18:47:53 +01:00
Gilles Peskine
40ab95bdbc Remove checks of test parameters against SIZE_MAX
Our code base doesn't even support 16-bit platforms, so those checks
are always trivially true.
2018-12-20 18:47:53 +01:00
Gilles Peskine
0dfba2ddf0 Use ASSERT_COMPARE in preference to memcmp in PSA tests 2018-12-20 18:47:52 +01:00
Gilles Peskine
f812dcf4ae Rewrap some lines after the macro changes
Change the way some lines are wrapped to cut at a more logical place.
This commit mainly rewrites multi-line calls to TEST_EQUAL, and also a
few calls to PSA_ASSERT.
2018-12-20 18:47:52 +01:00
Gilles Peskine
fe11b72b93 Use TEST_EQUAL(a,b) in preference to TEST_ASSERT(a==b)
This commit is the result of the following command, followed by
reindenting (but not wrapping lines):

perl -00 -i -pe 's/^( *)TEST_ASSERT\(([^;=]*)(?: |\n *)==([^;=]*)\);$/${1}TEST_EQUAL($2,$3);/gm' tests/suites/test_suite_psa_*.function
2018-12-20 18:47:52 +01:00
Gilles Peskine
8817f61007 Use PSA_ASSERT(a) in preference to TEST_ASSERT(a==PSA_SUCCESS)
This commit is the result of the following command, followed by
reindenting (but not wrapping lines):

perl -00 -i -pe 's/^( *)TEST_ASSERT\(([^;=]*)(?: |\n *)==\s*PSA_SUCCESS\s*\);$/${1}PSA_ASSERT($2 );/gm' tests/suites/test_suite_psa_*.function
2018-12-20 18:47:52 +01:00
Gilles Peskine
0f915f1d2a Indent PSA tests according to K&R rules with Mbed TLS tweaks
Only whitespace changes in this commit.
2018-12-20 18:47:52 +01:00
Gilles Peskine
9d8eea7e19 Wrap some multiline expressions in parentheses
This guarantees that they'll be indented as desired under most
indentation rules.
2018-12-20 18:47:52 +01:00
Gilles Peskine
5f7aeeea06 New test macro TEST_EQUAL
TEST_EQUAL(expr1, expr2) is just TEST_ASSERT((expr1) == (expr2)) for
now, but in the future I hope that it will print out the differing
values.
2018-12-20 18:47:52 +01:00
Gilles Peskine
0174be2c17 Move the PSA_ASSERT macro to the common helpers file
It's potentially useful in all PSA test suites, of which there are now
several.
2018-12-20 18:47:52 +01:00
Gilles Peskine
f055ad7512 Add a safety check to ARRAY_LENGTH
Cause a compilation error on ARRAY_LENGTH(p) where p is a pointer as
opposed to an array. This only works under GCC and compatible
compilers such as Clang. On other compilers, ARRAY_LENGTH works but
doesn't check the type of its argument.
2018-12-20 18:47:52 +01:00
Simon Butcher
ad7c2105a2 Merge remote-tracking branch 'public/pr/2274' into development 2018-12-20 12:16:57 +00:00
Simon Butcher
12b4240300 Merge remote-tracking branch 'public/pr/2288' into development 2018-12-20 12:16:46 +00:00
Simon Butcher
c831193c85 Merge remote-tracking branch 'public/pr/2302' into development 2018-12-20 12:16:39 +00:00
Simon Butcher
1efda39f8a Merge remote-tracking branch 'public/pr/2297' into development 2018-12-20 12:16:29 +00:00
Simon Butcher
5aa7809ac8 Merge remote-tracking branch 'public/pr/2275' into development 2018-12-20 12:15:19 +00:00
Simon Butcher
780cf189b0 Merge remote-tracking branch 'public/pr/2271' into development 2018-12-20 12:15:08 +00:00
Simon Butcher
032c037052 Merge remote-tracking branch 'public/pr/2270' into development 2018-12-20 12:04:13 +00:00
Simon Butcher
a033633bb0 Merge remote-tracking branch 'public/pr/2269' into development 2018-12-20 12:02:56 +00:00
Simon Butcher
70935a4001 Merge remote-tracking branch 'public/pr/2299' into development 2018-12-20 12:02:23 +00:00
Simon Butcher
003c0e032f Merge remote-tracking branch 'public/pr/2292' into development 2018-12-20 12:02:17 +00:00
Simon Butcher
decf2f5c2c Merge remote-tracking branch 'public/pr/2291' into development 2018-12-20 12:02:11 +00:00
Simon Butcher
65ce5dc981 Merge remote-tracking branch 'public/pr/2290' into development 2018-12-20 12:02:05 +00:00
Simon Butcher
ad2e0dae32 Merge remote-tracking branch 'public/pr/2283' into development 2018-12-20 12:01:58 +00:00
Simon Butcher
0bbf7f450d Merge remote-tracking branch 'public/pr/2279' into development 2018-12-20 12:01:49 +00:00
Simon Butcher
962b7b17d5 Merge remote-tracking branch 'public/pr/2273' into development 2018-12-20 12:01:17 +00:00
Simon Butcher
6be67a6518 Merge remote-tracking branch 'public/pr/2281' into development 2018-12-20 12:01:09 +00:00
Simon Butcher
dac513e246 Merge remote-tracking branch 'public/pr/2282' into development 2018-12-20 12:01:04 +00:00
Simon Butcher
ccafd14fee Merge remote-tracking branch 'public/pr/2276' into development 2018-12-20 12:00:57 +00:00
Simon Butcher
2a8d32c6c1 Merge remote-tracking branch 'public/pr/2287' into development 2018-12-20 12:00:50 +00:00
Gilles Peskine
743e3988dc Avoid unused-variable warnings for str as well
The exact guard is FS_IO && PK_PARSE_C. Just keep it simple.
2018-12-20 12:29:48 +01:00
Gilles Peskine
88ca3a244e Avoid unused-variable warnings in some configurations 2018-12-20 12:26:16 +01:00
Gilles Peskine
d6027119be Fix dependencies on MBEDTLS_FS_IO 2018-12-20 12:15:41 +01:00
Hanno Becker
73b79841b2 Remove parameter validation for deprecated function in ECDSA module 2018-12-20 09:53:24 +00:00
k-stachowiak
dd63359dae Add tests for valid NULL in ccm_free() 2018-12-19 19:02:39 +01:00
k-stachowiak
508bcd96db Remove unneeded test for the CCM free function 2018-12-19 19:02:39 +01:00
k-stachowiak
26d365eb54 Add parameter validation for CCM 2018-12-19 19:02:39 +01:00
k-stachowiak
fb54360f8c Prevent unused variable in some configurations 2018-12-19 18:34:21 +01:00
Gilles Peskine
6af45ec53e PK: document context validity requirements
Document when a context must be initialized or not, when it must be
set up or not, and whether it needs a private key or a public key will
do.

The implementation is sometimes more liberal than the documentation,
accepting a non-set-up context as a context that can't perform the
requested information. This preserves backward compatibility.
2018-12-19 18:10:03 +01:00
k-stachowiak
a85edd9415 Split the unconditional and conditional parameter validation tests 2018-12-19 18:06:35 +01:00
Hanno Becker
f25ee7f79d Fix parameter validation for mbedtls_mpi_lsb()
The MPI_VALIDATE_RET() macro cannot be used for parameter
validation of mbedtls_mpi_lsb() because this function returns
a size_t.

Use the underlying MBEDTLS_INTERNAL_VALIDATE_RET() insteaed,
returning 0 on failure.

Also, add a test for this behaviour.
2018-12-19 16:51:50 +00:00
Gilles Peskine
d54b97503b pk parse: the password is optional
For mbedtls_pk_parse_key and mbedtls_pk_parse_keyfile, the password is
optional. Clarify what this means: NULL is ok and means no password.
Validate parameters and test accordingly.
2018-12-19 17:36:14 +01:00
k-stachowiak
516897a44a Remove unnecessary parameter validation from the Cipher module 2018-12-19 17:34:58 +01:00
k-stachowiak
95070a8286 Make some cipher parameter validation unconditional 2018-12-19 17:34:58 +01:00
k-stachowiak
5b01f8b3ae Add a new line at the end of the test data file 2018-12-19 17:34:13 +01:00
k-stachowiak
90b8d4a11e Include static cipher functions in the parameter validation scheme 2018-12-19 17:34:13 +01:00
k-stachowiak
a539070f82 Make all parameter validation tests optional 2018-12-19 17:34:13 +01:00
Krzysztof Stachowiak
e0215d7869 Add Cipher module parameter validation 2018-12-19 17:34:13 +01:00
k-stachowiak
5fccb3edf3 Add tests for valid NULL in gcm_free() 2018-12-19 17:30:38 +01:00
k-stachowiak
8ffc92a1e8 Add parameter validation for the GCM module 2018-12-19 17:30:38 +01:00
Gilles Peskine
ee3cfec3cc PK sign/verify: hash=NULL is ok if md_alg=0 and hash_len=0 2018-12-19 17:11:44 +01:00
Gilles Peskine
998fbfbe68 Properly test pk_write with an empty output buffer
This needs a real key to test properly.
2018-12-19 17:08:51 +01:00
Gilles Peskine
cc274c2ebf Do run the valid parameters test function 2018-12-19 17:08:01 +01:00
Gilles Peskine
1f19fa6f62 PK: Fix free(NULL) in library and tests
free() functions are documented as no-ops on NULL. Implement and test
this correctly.
2018-12-19 14:18:39 +01:00
Hanno Becker
f947c0a2dd Move testing of mbedtls_blowfish_free() to separate test case
It should be tested regardless of the setting of MBEDTLS_CHECK_PARAMS.
2018-12-19 12:52:59 +00:00
Hanno Becker
49acc64c69 Minor improvements to Blowfish documentation and tests 2018-12-19 12:52:59 +00:00
Hanno Becker
e38b4cd661 Test parameter validation for Blowfish module 2018-12-19 12:52:59 +00:00
Hanno Becker
0294072c09 Avoid unused variable warning in ARIA param validation test 2018-12-19 12:51:00 +00:00
Hanno Becker
14b91e8e22 Move testing of mbedtls_aria_free() to separate test
The test that mbedtls_aria_free() accepts NULL parameters
can be performed even if MBEDTLS_CHECK_PARAMS is unset, but
was previously included in the test case aria_invalid_params()
which is only executed if MBEDTLS_CHECK_PARAMS is set.
2018-12-19 12:51:00 +00:00
Hanno Becker
fac1d44d62 Fix style in ARIA parameter validation tests 2018-12-19 12:51:00 +00:00
Hanno Becker
b0de9f5b03 Test that mbedtls_aria_free() accepts NULL parameter 2018-12-19 12:51:00 +00:00
Hanno Becker
9e45c1607e Test parameter validation for ARIA module 2018-12-19 12:51:00 +00:00
Hanno Becker
f1931760d8 Move test of mbedtls_camellia_free() to separate test
The acceptance of NULL should be tested regardless of the
setting of MBEDTLS_CHECK_PARAMS.
2018-12-19 12:47:55 +00:00
Hanno Becker
ff62f44ad7 Remove duplicated parameter check in CAMELLIA module 2018-12-19 12:47:55 +00:00
Hanno Becker
e939de7247 Minor fixes to Camellia parameter validation 2018-12-19 12:47:55 +00:00
Hanno Becker
75788371df Test parameter validation for CAMELLIA module 2018-12-19 12:47:55 +00:00
Gilles Peskine
e146e7dbae Don't use TEST_VALID_PARAM with a value
TEST_VALID_PARAM is only for functions that return void. This commit
fixes the build with clang -Wunused-comparison.
2018-12-19 13:21:22 +01:00
Hanno Becker
1959535038 Add parameter validation test for mbedtls_ecp_check_pub_priv() 2018-12-19 08:52:08 +00:00
Hanno Becker
549e455a42 Add parameter validation test for mbedtls_ecp_gen_privkey() 2018-12-19 08:52:02 +00:00
Hanno Becker
0a4fa9b1fb Add parameter validation test for mbedtls_ecp_check_budget() 2018-12-19 08:51:58 +00:00
Hanno Becker
807c107c3c Fix typos in ECP test suite 2018-12-19 08:51:55 +00:00
Simon Butcher
54b789aa74 Merge remote-tracking branch 'public/pr/2298' into development 2018-12-19 08:08:14 +00:00
Gilles Peskine
78438e4109 Test parameter validation for pk, pkparse and pkwrite 2018-12-19 00:55:47 +01:00
Hanno Becker
59274d43cb Remove unnecessary call to mbedtls_mpi_free() in MPI tests 2018-12-18 23:27:03 +00:00
Hanno Becker
b48e1aa846 Add separate test for mbedtls_mpi_free() accepting NULL 2018-12-18 23:25:01 +00:00
Hanno Becker
e118504a5f Numerous minor improvements to bignum documentation 2018-12-18 18:12:13 +00:00
Hanno Becker
56b661cbf8 Add test that mbedtls_mpi_free() accepts NULL parameter 2018-12-18 18:12:13 +00:00
Hanno Becker
afb607b9db Add tests for parameter validation in MPI module 2018-12-18 18:12:13 +00:00
Hanno Becker
d22df58a56 Add missing guards around SHA-1 tests 2018-12-18 17:02:03 +00:00
Hanno Becker
adc9b178ca Minor improvements to DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker
8c8a93c574 Test parameter validation for DHM module 2018-12-18 16:59:09 +00:00
Hanno Becker
4fbd4bf442 Fix guard in SHA-512 tests 2018-12-18 16:37:43 +00:00
Hanno Becker
36beb04fd5 Add tests or SHA-256 parameter validation 2018-12-18 16:31:06 +00:00
Hanno Becker
686c9a0e8d Test SHA-512 parameter validation 2018-12-18 15:33:14 +00:00
Hanno Becker
a994b2379f Test that xxx_free() functions accept NULL parameter 2018-12-18 15:30:30 +00:00
Hanno Becker
ae2ff02ff1 Add tests for ChaChaPoly parameter validation
Parameter validation was previously performed and tested unconditionally
for the ChaCha/Poly modules. This commit therefore only needs go guard the
existing tests accordingly and use the appropriate test macros for parameter
validation.
2018-12-18 15:30:30 +00:00
Hanno Becker
af05a90349 Test parameter validation in ECDSA module 2018-12-18 14:31:50 +00:00
Hanno Becker
491db772c3 Test parameter validation for ECJPAKE module 2018-12-18 14:31:18 +00:00
Hanno Becker
4c818483b2 Test parameter validation for ECDH module 2018-12-18 14:30:39 +00:00
Hanno Becker
b06f193d73 Add missing cases to RSA parameter validation test 2018-12-18 14:05:20 +00:00
Hanno Becker
05cf6dabb8 Add missing test for mbedtls_rsa_pkcs1_sign() 2018-12-18 13:38:05 +00:00
Hanno Becker
f04d923834 Test mbedtls_rsa_gen_key() with NULL ctx/RNG separately 2018-12-18 13:38:05 +00:00
Hanno Becker
71cd6c7ba9 Remove duplicate test in RSA parameter validation test 2018-12-18 13:38:05 +00:00
Hanno Becker
a7ee00225b Test mbedtls_rsa_init() with invalid padding 2018-12-18 13:38:05 +00:00
Hanno Becker
046d2024c5 Test parameter validation for RSA module 2018-12-18 13:38:05 +00:00
Hanno Becker
57b684f9d1 Add separate test for xxx_free() functions in ECP module 2018-12-18 13:00:48 +00:00
Hanno Becker
12dff0352b Test parameter validation for ECP module 2018-12-18 13:00:48 +00:00
Manuel Pégourié-Gonnard
488d9309fc Fix unused param warnings in test function 2018-12-18 13:05:49 +01:00
Hanno Becker
0e24473b94 Test parameter validation in SHA-1 module 2018-12-18 11:37:28 +00:00
Manuel Pégourié-Gonnard
e55e103bfe Fix off-by-one in iv_off check and add tests 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
ab6b9758d6 Improve constant naming in test functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
2bc535be86 Add parameter validation for AES-CTR 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
8e41eb7187 Add parameter validation for AES-OFB 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1677cca54b Add parameter validation for AES-CFB functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
191af1313a Add param validation for mbedtls_aes_crypt_xts() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
3178d1a997 Add param validation for mbedtls_aes_crypt_cbc() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1aca260571 Add parameter validation for mbedtls_aes_crypt_ecb() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
68e3dff3f1 Add parameter validation XTS setkey functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
af0c6cb9e0 Fix missing guard on XTS function in tests 2018-12-18 12:02:52 +01:00
Hanno Becker
6640b0d9a3 Undo deprecation of MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH 2018-12-18 09:53:14 +00:00
Hanno Becker
938f9e9bdb Undo deprecation of MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
Merging MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH and
MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH is an API break.
2018-12-18 09:50:57 +00:00
Gilles Peskine
3d2f949c86 Move the ARRAY_LENGTH macro to the common helpers file 2018-12-17 23:17:17 +01:00
Hanno Becker
d2f3a00062 Introduce single BLOWFISH error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
* MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
2018-12-17 13:26:37 +00:00
Hanno Becker
4c029d09be Introduce single CAMELLIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:33 +00:00
Manuel Pégourié-Gonnard
e7306d30a9 Improve some documentation and ChangeLog entry 2018-12-13 09:45:49 +01:00
Manuel Pégourié-Gonnard
a4251f4775 Test aes_free( NULL ) unconditionally 2018-12-12 12:04:51 +01:00
Manuel Pégourié-Gonnard
54e7f312d3 Make TEST_VALID_PARAM() available unconditionally 2018-12-12 11:56:09 +01:00
Manuel Pégourié-Gonnard
aae10fa427 Fix some whitespace issues 2018-12-12 10:24:19 +01:00
Manuel Pégourié-Gonnard
cd2b29cd12 Improve wording in documentation and ChangeLog 2018-12-12 10:23:57 +01:00
Gilles Peskine
79a11d6c42 Test invalid lifetime regardless of support for persistent keys
Even if persistent keys are not supported, psa_open_key and
psa_create_key must fail if invoked with an invalid lifetime value.
2018-12-11 16:48:14 +01:00
Gilles Peskine
539cda57df Add tests with invalid key identifiers
Test that 0 and PSA_CRYPTO_ITS_RANDOM_SEED_UID are not accepted as key
identifiers.
2018-12-11 16:48:14 +01:00
Gilles Peskine
4a044739a8 Fix the build without persistent storage
Add missing guards on MBEDTLS_PSA_CRYPTO_STORAGE_C.

Add test cases to test that psa_create_key and psa_open_key return
NOT_SUPPORTED.
2018-12-11 16:48:14 +01:00
Gilles Peskine
c5487a8892 Drop support for psa_key_slot_t in psa_crypto.c
This commit finishes the removal of support for direct access to key
slots in psa_crypto.c.

This marks the end of the necessary phase of the transition to key
handles. The code should subsequently be refactored to move key slot
management from psa_crypto.c to psa_crypto_slot_management.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
7bc9f68232 Convert the PSA crypto persistent storage tests to the new handle API
Switch from the direct use of slot numbers to handles allocated by
psa_allocate_key.

The general principle for each function is:
* Change `psa_key_slot_t slot` to `psa_key_handle_t handle` or
  `psa_key_id_t key_id` depending on whether it's used as a handle to
  an open slot or as a persistent name for a key.
* Call psa_create_key() before using a slot, instead of calling
  psa_set_key_lifetime to make a slot persistent.

Remove the unit test persistent_key_is_configurable which is no longer
relevant.
2018-12-11 16:48:13 +01:00
Gilles Peskine
bdf309ccdb Convert the PSA crypto cryptography tests to the new handle API
Switch from the direct use of slot numbers to handles allocated by
psa_allocate_key.

This commit does not affect persistent key tests except for the one
test function in test_suite_psa_crypto that uses persistent keys
(persistent_key_load_key_from_storage).

The general principle for each function is:
* Change `psa_key_slot_t slot` to `psa_key_handle_t handle`.
* Call psa_allocate_key() before setting the policy of the slot,
  or before creating key material in functions that don't set a policy.
* Some PSA_ERROR_EMPTY_SLOT errors become PSA_ERROR_INVALID_HANDLE
  because there is now a distinction between not having a valid
  handle, and having a valid handle to a slot that doesn't contain key
  material.
* In tests that use symmetric keys, calculate the max_bits parameters
  of psa_allocate_key() from the key data size. In tests where the key
  may be asymmetric, call an auxiliary macro KEY_BITS_FROM_DATA which
  returns an overapproximation. There's no good way to find a good
  value for max_bits with the API, I think the API should be tweaked.
2018-12-11 16:48:13 +01:00
Gilles Peskine
a8860b2990 Remove lifetime test functions
With the handle-based slot management interface, psa_set_key_lifetime
will no longer exist, so remove the corresponding unit tests.
2018-12-11 16:48:13 +01:00
Gilles Peskine
dc911fd594 Remove redundant slot-based test
fill_slots is superseded by many_transient_handles.
2018-12-11 16:48:13 +01:00
Gilles Peskine
a426168cbf Test that failure of import_key preserves metadata 2018-12-11 16:48:13 +01:00
Gilles Peskine
961849f6d1 Implement slot allocation
Implement psa_allocate_key, psa_open_key, psa_create_key,
psa_close_key.

Add support for keys designated to handles to psa_get_key_slot, and
thereby to the whole API.

Allocated and non-allocated keys can coexist. This is a temporary
stage in order to transition from the use of direct slot numbers to
allocated handles only. Once all the tests and sample programs have
been migrated to use handles, the implementation will be simplified
and made more robust with support for handles only.
2018-12-11 16:48:13 +01:00
Gilles Peskine
5ec7b078ea Add tests for the new slot management mechanism
Add unit tests for handle allocation and release.
2018-12-11 16:48:12 +01:00
Gilles Peskine
7f6e3a868a Change ASSERT_ALLOC to take a size in elements, not bytes
`ASSERT_ALLOC(p, length)` now allocates `length` elements, i.e.
`length * sizeof(*p)` bytes.
2018-12-11 16:48:12 +01:00
Manuel Pégourié-Gonnard
9b8ea89ae5 Fix a few style / whitespace issues 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
acfdc623d2 Fix test macro that was too lenient
Previously, one could change the definition of AES_VALIDATE_RET() to return
some other code than MBEDTLS_ERR_AES_BAD_INPUT_DATA, and the test suite
wouldn't notice. Now this modification would make the suite fail as expected.
2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
44c5d58d05 Document AES functions and fix free() functions 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
a2b0e27378 Skip param validation tests if custom macro used
The test framework for validation of parameters depends on the macro
MBEDTLS_PARAM_FAILED() being set to its default value when building the
library. So far the test framework attempted to define this macro but this was
the wrong place - this definition wouldn't be picked by the library.

Instead, a different approach is taken: skip those tests when the macro is
defined in config.h, as in that case we have no way to know if it will indeed
end up calling mbedtls_param_failed() as we need it to.

This commit was tested by manually ensuring that aes_invalid_params:

- passes (and is not skipped) in the default configuration
- is skipped when MBEDTLS_PARAM_FAILED() is defined in config.h
2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
3ef6a6dc5c Fix const-ness in mbedtls_param_failed()
The previous prototype gave warnings are the strings produced by #cond and
__FILE__ are const, so we shouldn't implicitly cast them to non-const.

While at it modifying most example programs:
- include the header that has the function declaration, so that the definition
  can be checked to match by the compiler
- fix whitespace
- make it work even if PLATFORM_C is not defined:
    - CHECK_PARAMS is not documented as depending on PLATFORM_C and there is
      no reason why it should
    - so, remove the corresponding #if defined in each program...
    - and add missing #defines for mbedtls_exit when needed

The result has been tested (make all test with -Werror) with the following
configurations:

- full with    CHECK_PARAMS with    PLATFORM_C
- full with    CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS without PLATFORM_C
- full without CHECK_PARAMS with    PLATFORM_C

Additionally, it has been manually tested that adding

    mbedtls_aes_init( NULL );

near the normal call to mbedtls_aes_init() in programs/aes/aescrypt2.c has the
expected effect when running the program.
2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
8e661bf6a8 Fix arity of the PARAM_FAILED() macro and function
It was inconsistent between files: sometimes 3 arguments, sometimes one.

Align to 1 argument for the macro and 3 for the function, because:
- we don't need 3 arguments for the macro, it can add __FILE__ and __LINE__
  in its expansion, while the function needs them as parameters to be correct;
- people who re-defined the macro should have flexibility, and 3 arguments
  can give the impression they they don't have as much as they actually do;
- the design document has the macro with 1 argument, so let's stick to that.
2018-12-11 12:28:56 +01:00
Simon Butcher
249b3d6efe Remove use of the macro TEST_FN from the AES test suite
The TEST_FN macro is now redundant and no longer necessary.
2018-12-11 12:28:56 +01:00
Simon Butcher
6542f6c597 Change the use of setjmp/longjmp in parameter failure callback
Change the use of setjmp and longjmp in signalling parameter validation failures
when using the MBEDTLS_CHECK_PARAMS config.h option. This change allows
all calls which might result in a call to the parameter validation failure
handler to always be caught, even without use of the new macros, by placing a
setjmp() in the outer function which calls the test function, which the handler
can jump to.

This has several benefits:
    * it allows us to remove the clang compiler warning (-Wclobbered) caused
      by local auto variables being in the same function as the call to setjmp.
    * removes the need to wrap all function calls in the test functions with the
      TEST_ASSERT() macro. Now all parameter validation function calls should be
      caught.
2018-12-11 12:28:56 +01:00
Simon Butcher
747f5fe3e2 Add disabling of gcc 'clobbered' warning
With gcc, use of setjmp() was triggering warnings about use of auto variables
being clobbered.
2018-12-11 12:28:56 +01:00
Simon Butcher
a646345e3f Add additional parameter validation tests for the AES module
This adds additional tests to validate the AES module parameter validation
checks which are enabled using the MBEDTLS_CHECK_PARAMS option.
2018-12-11 12:28:56 +01:00
Jaeden Amero
fedb407a3f Merge remote-tracking branch 'upstream-public/pr/2208' into development 2018-12-07 16:16:04 +00:00
Jaeden Amero
52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Jaeden Amero
41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Janos Follath
36c5f7fe9b ECDH: Hide context from tests
The tests for the ECDH key exchange that use the context accessed it
directly. This can't work with the new context, where we can't make any
assumptions about the implementation of the context. This commit works
around this problem and comes with the cost of allocating an extra
structures on the stack when executing the test.

One of the tests is testing an older interface for the sake of backward
compatibility. The new ECDH context is not backward compatible and this
test doesn't make any sense for it, therefore we skip this test in
non-legacy mode.
2018-12-06 12:22:46 +00:00
Gilles Peskine
79e213cfc8 Don't include mbedtls/platform.h unconditionally
Programs must not include mbedtls/platform.h if MBEDTLS_PLATFORM_C is
not defined. Test suites don't need to include mbedtls/platform.h
because helpers.function takes care of it.

This commit also removes a stray `;` which is technically not standard C.
2018-12-04 12:25:40 +01:00
Jaeden Amero
5dfca1e1bd Update library version to 2.15.1 2018-12-01 18:44:29 +00:00
Janos Follath
fc03e8dfa9 ECDH: Adapt tests for mbedtls_ecdh_setup()
The recently added `mbedtls_ecdh_setup()` function is not used in the
tests yet. This commit adapts the tests to the new workflow.

Having done that, the old lifecycle is not tested anymore, so we add a
new test to ensure backward compatibility.
2018-11-30 14:09:57 +00:00
Gilles Peskine
9edc146237
Merge pull request #209 from ARMmbed/psa-init_tests
Test psa_crypto_init and make it more robust
2018-11-30 13:28:47 +01:00
Simon Butcher
51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher
658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Gilles Peskine
b0b189f31f Add missing compilation guards for GCM and CCM
Add missing compilation guards that broke the build if either GCM or
CCM was not defined.

Add missing guards on test cases that require GCM or CBC.

The build and tests now pass for any subset of {MBEDTLS_CCM_C,
MBEDTLS_GCM_C}. There are still unused variables warnings if neither
is defined.
2018-11-28 17:30:58 +01:00
Andres Amaya Garcia
687d6739b2 Fix resource leak of file desc in test code 2018-11-26 21:23:28 +00:00
Gilles Peskine
d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Ron Eldor
d5062dedeb Add conditional dependency to tests
Add a way to check compile time defionitions values, for determining
whether to skip tests.
2018-11-26 14:23:14 +02:00
Ron Eldor
6dbb9aabf8 Test AD too long only when CCM_ALT not defined
Since the AD too long is a limitation on Mbed TLS,
HW accelerators may support this. Run the test for AD too long,
only if `MBEDTLS_CCM_ALT` is not defined.
Addresses comment in #1996.
2018-11-25 10:31:53 +02:00
Gilles Peskine
9e1be6a246 Create the NV seed file for the tests if needed
Write an all-bits-zero NV seed file for the tests. Without this, if
the seed file is not present when this test suite is executed, the
PSA module initialization will fail, causing most test cases to fail.

Also write an all-bits-zero NV seed file at the end. The test cases in
this test suite mess with the file, but subsequent test suites may
need it.
2018-11-23 22:58:40 +01:00
Gilles Peskine
0fce4c5830 Add init tests with entropy from NV seed 2018-11-23 22:58:40 +01:00
Gilles Peskine
0b3b5733fc Support NV seed enabled at compile time but not at runtime
When testing with custom entropy sources, if MBEDTLS_ENTROPY_NV_SEED
is enabled at compile time but the NV seed source is not used at
runtime, mbedtls_entropy_func makes a second pass anyway. Cope with
this in the test code by telling the entropy module not to make this
second pass.
2018-11-23 22:58:40 +01:00
Gilles Peskine
ebe770c693 Add tests with a fake entropy source
Add tests with a fake entropy source to check that the required amount
of entropy is one block, fed in one or more steps.
2018-11-23 22:58:40 +01:00
Gilles Peskine
5e76952235 Add a facility to configure entropy sources
Add a function to configure entropy sources. For testing only.

Use it to test that the library initialization fails properly if there is no
entropy source.
2018-11-23 22:58:38 +01:00
Simon Butcher
60ee838a8a Merge remote-tracking branch 'public/pr/2224' into development-psa-proposed 2018-11-23 21:18:32 +00:00
Hanno Becker
8295695aca Merge branch 'iotssl-2578-psa-sig-verification_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 16:00:32 +00:00
Hanno Becker
6b01a9fa7c Merge branch 'psa_cipher_CRYPTO' into feature-psa-tls-integration-proposed 2018-11-23 15:53:27 +00:00
Simon Butcher
ebeb6cb446 Update library version to 2.15.0 2018-11-23 14:18:15 +00:00
Hanno Becker
4ae8b497c0 Merge branch 'iotssl-2578-psa-sig-verification' into development-psa-proposed 2018-11-23 11:37:00 +00:00
Hanno Becker
f8b5f27bce Merge branch 'psa_cipher' into development-psa-proposed 2018-11-23 11:18:02 +00:00
Manuel Pégourié-Gonnard
7b7808cc76 Add tests for ECDSA verify with short r, s values
This is intended to test transcoding the signature to the format expected by
PSA (fixed-length encoding of r, s) when r and s have respectively:
- full length with initial null byte
- full length without initial null byte
- non-full length with initial null byte
- non-full length without initial null byte

The signatures were generated using:

programs/pkey/pk_sign tests/data_files/server5.key foo

where foo is an empty file, and with a variant of one of the following patches
applied:

diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..e4a27b044516 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
+            printf("\ngenerating r...\n");

+gen:
             MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );

 #if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -317,6 +319,11 @@ mul:
             MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
                                                   f_rng, p_rng, ECDSA_RS_ECP ) );
             MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
+
+            size_t bits = mbedtls_mpi_bitlen( pr );
+            printf("%zu ", bits);
+            if( bits != 255 )
+                goto gen;
         }
         while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );

or:

diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..d704376e0c42 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
+            printf("\ngenerating r...\n");

+gen:
             MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );

 #if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -353,6 +355,11 @@ modn:
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+
+            size_t bits = mbedtls_mpi_bitlen( s );
+            printf("%zu ", bits);
+            if( bits != 247 )
+                goto gen;
     }
     while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );

with the value edited manually between each run to get the desired bit length.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
510ee70501 pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
Adjust tests to pass a valid algorithm
2018-11-22 13:37:14 -05:00
Andrzej Kurek
d6d07909f2 Remove trailing whitespace 2018-11-22 12:43:53 -05:00
Andrzej Kurek
2f31122585 Cosmetic changes
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
c3de438b8e Add CSR write testing using opaque keys
Parse and verify CSR programatically instead of using predetermined data,
to not tamper with randomness in tests.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
967cfd18fd Remove trailing whitespace 2018-11-22 12:05:08 -05:00
Andrzej Kurek
4b11407258 Cosmetic changes
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
5f7bad34bb Add CSR write testing using opaque keys
Parse and verify CSR programatically instead of using predetermined data,
to not tamper with randomness in tests.
2018-11-22 12:05:08 -05:00
Manuel Pégourié-Gonnard
e31411a814 Fix test that wasn't actually effective
psa_destroy_key() returns success even if the slot is empty.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
72d94be0de Improve description of a test 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
276cb64e6c Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
7d51255ca7 Implement pk_sign() for opaque ECDSA keys 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
99af2f0dd1 Add tests for unsupported operations/functions 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
07b103fe07 Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
683632b78e Add support for get_(bit)len on opaque keys 2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
06c631859c Add key generation to opaque test function
While at it, clarify who's responsible for destroying the underlying key. That
can't be us because some keys cannot be destroyed and we wouldn't know. So
let's leave that up to the caller.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
274f521b9a Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 16:39:39 +00:00
Hanno Becker
91cb605032 Add missing newline at the end of test_suite_cipher.gcm.data 2018-11-22 16:33:01 +00:00
Hanno Becker
e15c71ca72 Test PSA-based GCM cipher operations 2018-11-22 16:33:01 +00:00
Hanno Becker
78115ac478 Adapt existing Cipher-GCM test cases to new param for auth_crypt_tv 2018-11-22 16:33:01 +00:00
Hanno Becker
1ccb1d614d Test PSA-based CCM cipher operations 2018-11-22 16:33:01 +00:00
Hanno Becker
58fc9aab54 Add AES-*-CBC test vectors for PSA-based cipher contexts 2018-11-22 16:33:01 +00:00
Hanno Becker
4ba0901bfc Merge branch 'gcm_through_cipher_api_tests' into gcm_through_cipher_api_tests_tmp 2018-11-22 16:32:30 +00:00
Hanno Becker
eba9993171 Initialize PSA Crypto implementation at the start of each test suite 2018-11-22 16:27:56 +00:00
Manuel Pégourié-Gonnard
2baae9ef71 Add tests for ECDSA verify with short r, s values
This is intended to test transcoding the signature to the format expected by
PSA (fixed-length encoding of r, s) when r and s have respectively:
- full length with initial null byte
- full length without initial null byte
- non-full length with initial null byte
- non-full length without initial null byte

The signatures were generated using:

programs/pkey/pk_sign tests/data_files/server5.key foo

where foo is an empty file, and with a variant of one of the following patches
applied:

diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..e4a27b044516 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
+            printf("\ngenerating r...\n");

+gen:
             MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );

 #if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -317,6 +319,11 @@ mul:
             MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
                                                   f_rng, p_rng, ECDSA_RS_ECP ) );
             MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
+
+            size_t bits = mbedtls_mpi_bitlen( pr );
+            printf("%zu ", bits);
+            if( bits != 255 )
+                goto gen;
         }
         while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );

or:

diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..d704376e0c42 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
+            printf("\ngenerating r...\n");

+gen:
             MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );

 #if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -353,6 +355,11 @@ modn:
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+
+            size_t bits = mbedtls_mpi_bitlen( s );
+            printf("%zu ", bits);
+            if( bits != 247 )
+                goto gen;
     }
     while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );

with the value edited manually between each run to get the desired bit length.
2018-11-22 11:17:37 -05:00
Andrzej Kurek
c05ec9f39c pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
Adjust tests to pass a valid algorithm
2018-11-22 11:17:37 -05:00
Hanno Becker
b1b2c01df4 Add missing newline at the end of test_suite_cipher.gcm.data 2018-11-22 14:03:39 +00:00
Hanno Becker
b0c05e242c Test PSA-based GCM cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
5cec718191 Adapt existing Cipher-GCM test cases to new param for auth_crypt_tv 2018-11-22 14:03:39 +00:00
Hanno Becker
a13272d6d2 Test PSA-based CCM cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
e43164e8f1 Add AES-*-CBC test vectors for PSA-based cipher contexts 2018-11-22 14:03:39 +00:00
Hanno Becker
6767cca100 Merge branch 'gcm_through_cipher_api_tests' into psa_cipher_ 2018-11-22 14:03:14 +00:00
Hanno Becker
c0c882cd67 Add missing dependencies in test_suite_cipher.gcm 2018-11-22 13:41:53 +00:00
Hanno Becker
ef42f22edd Add NIST AES GCM test vectors to single-step cipher API test suite
The test suites `test_suite_gcm.aes{128,192,256}_en.data` contains
numerous NIST test vectors for AES-*-GCM against which the GCM
API mbedtls_gcm_xxx() is tested.

However, one level higher at the cipher API, no tests exist which
exercise mbedtls_cipher_auth_{encrypt/decrypt}() for GCM ciphers,
although test_suite_cipher.function contains the test auth_crypt_tv
which does precisely that and is already used e.g. in
test_suite_cipher.ccm.

This commit replicates the test vectors from
test_suite_gcm.aes{128,192,256}_en.data in test_suite_cipher.gcm.data
and adds a run of auth_crypt_tv for each of them.

The conversion was mainly done through the sed command line

```
s/gcm_decrypt_and_verify:\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):
\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\)/auth_crypt_tv:
\1:\2:\4:\5:\3:\7:\8:\9/
```
2018-11-22 13:41:07 +00:00
Gilles Peskine
c6b6907066 Make library init and deinit more robust to errors
Allow mbedtls_psa_crypto_free to be called twice, or without a prior
call to psa_crypto_init. Keep track of the initialization state more
precisely in psa_crypto_init so that mbedtls_psa_crypto_free knows
what to do.
2018-11-22 13:46:51 +01:00
Gilles Peskine
445e225745 Test that deinit deactivates random generation and key slots 2018-11-22 13:41:38 +01:00
Gilles Peskine
b309eec4a5 Move library initialization tests to a new test suite 2018-11-22 13:41:38 +01:00
Manuel Pégourié-Gonnard
23a1ccd23f Fix test that wasn't actually effective
psa_destroy_key() returns success even if the slot is empty.
2018-11-22 12:21:20 +01:00
Manuel Pégourié-Gonnard
fa9a1ca967 Improve description of a test 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
69baf70984 Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
3686771dfa Implement pk_sign() for opaque ECDSA keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d97390e97d Add tests for unsupported operations/functions 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
920c063bad Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
0184b3c69b Add support for get_(bit)len on opaque keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
01a12c49aa Add key generation to opaque test function
While at it, clarify who's responsible for destroying the underlying key. That
can't be us because some keys cannot be destroyed and we wouldn't know. So
let's leave that up to the caller.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
7b5fe041f1 Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 09:59:34 +01:00
Hanno Becker
1cfc5ddb11 Initialize PSA Crypto implementation at the start of each test suite 2018-11-21 21:08:43 +00:00
avolinski
0d2c266c06 change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID 2018-11-21 17:31:07 +02:00
avolinski
13beb100c2 Adjust psa entropy inject tests to take as minimum seed size
the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE
2018-11-21 16:24:53 +02:00
avolinski
7cc8229d80 Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
avolinski
4d27c94aee Adding testcase for PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM 2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec Add Tests for psa crypto entropy incjection
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Netanel Gonen
9468bb241c Add Tests for psa crypto entropy incjection 2018-11-21 16:23:41 +02:00
Darryl Green
0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green
d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Darryl Green
db2b8db715 psa: Add storage implementation for files
Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.

An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.
2018-11-20 15:21:22 +00:00
Jaeden Amero
818eab2e76 Merge tag 'mbedtls-2.14.0' into feature-psa
Mbed TLS version 2.14.0

Resolved conflicts in include/mbedtls/config.h,
tests/scripts/check-files.py, and yotta/create-module.sh by removing yotta.

Resolved conflicts in tests/.jenkins/Jenkinsfile by continuing to run
mbedtls-psa job.
2018-11-19 19:25:56 +00:00
Simon Butcher
c1b9892177 Update library version number to 2.14.0 2018-11-19 18:31:40 +00:00
Ron Eldor
7a977881b4 Change buf size to a valid size
Change the size of `buf` to a valid hash size, in `ecdsa_prim_random()`
2018-11-19 13:51:00 +02:00
Hanno Becker
6b123fbc39 Add test for overly long PSK in TLS-1.2 PSK-to-MS KDF 2018-11-19 11:24:26 +00:00
Hanno Becker
f074938aae Add SHA-384 tests for TLS 1.2 PSK-to-MS key derivation 2018-11-19 11:24:26 +00:00
Hanno Becker
a198f06feb Add tests for TLS-1.2 PSK-to-MS derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine
a1b87e5afe Add missing dependency in an ECDH test case
curves.pl passes.
2018-11-16 16:43:04 +01:00
Gilles Peskine
1dfb1ba684 Add a test case for key agreement with a following KDF
There was no test case of ECDH with anything other than
PSA_ALG_SELECT_RAW. Exercise the code path from ECDH through a
"proper" KDF.

ECDH shared secret copied from an existing test, HKDF output
calculated with Cryptodome.
2018-11-16 16:09:27 +01:00
Hanno Becker
24658c4ba1 Add test vectors for TLS 1.2 PRF
Taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
2018-11-16 11:24:59 +00:00
Gilles Peskine
c7998b78b8 Factor common code into key_agreement_with_self 2018-11-14 21:17:16 +01:00
Gilles Peskine
88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine
714e16b37a Add import/export test of EC public key 2018-11-14 21:17:16 +01:00
Gilles Peskine
3ec8ed8b51 Add multipart key agreement tests
Add test cases that do key agreement with raw selection in pieces, to
validate that selection works even when the application doesn't read
everything in one chunk.
2018-11-14 21:15:37 +01:00
Gilles Peskine
bf49197c9b key_agreement_capacity: test the actual capacity as well
After testing that the advertized capacity is what the test data says,
read that many bytes to test that this is also actual capacity.
2018-11-14 21:15:37 +01:00
Gilles Peskine
10df341436 Factor usage_to_exercise into its own function 2018-11-14 21:15:37 +01:00
Gilles Peskine
fc411f1ac1 Use ASSERT_ALLOC in key agreement tests 2018-11-14 21:15:37 +01:00
Gilles Peskine
1d7c082124 Fix a memory leak in a test 2018-11-14 21:15:37 +01:00
Gilles Peskine
b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine
5968559a9c Key agreement test functions 2018-11-14 21:15:37 +01:00
Gilles Peskine
01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
93098fd996 Key agreement: macros for finite-field Diffie-Hellman, ECDH
Declare macros to represent key agreement algorithms.
2018-11-14 21:15:37 +01:00
Gilles Peskine
e8f0e3dc3c New algorithm category: key selection
A key selection algorithm is similar to a key derivation algorithm in
that it takes a secret input and produces a secret output stream.
However, unlike key derivation algorithms, there is no expectation
that the input cannot be reconstructed from the output. Key selection
algorithms are exclusively meant to be used on the output of a key
agreement algorithm to select chunks of the shared secret.
2018-11-14 21:15:37 +01:00
Ron Eldor
ae3a631518 Reduce buffer size of okm
Reduce the buffer size of okm to 128, to reduce stack usage.
2018-11-14 20:22:03 +02:00
Ron Eldor
732ccc4b06 Reduce Stack usage of hkdf test function
`test_hkdf` in the hkdf test suites consumed stack of ~6KB with
6 buffers of ~1KB each. This causes stack overflow on some platforms
with smaller stack. The buffer sizes were reduced. By testing, the sizes
can be reduced even further, as the largest seen size is 82 bytes(for okm).
2018-11-13 19:03:32 +02:00
Gilles Peskine
e19b7d54d0 Revert "New function mbedtls_rsa_get_bitlen"
This reverts commit 1d26709dbd.
2018-11-12 19:14:34 +01:00
Gilles Peskine
64a43ce48e Revert "fixup! New function mbedtls_rsa_get_bitlen"
This reverts commit c939f6fcba.
2018-11-12 19:14:34 +01:00
Gilles Peskine
86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Simon Butcher
cdd1a6c872 Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed 2018-11-12 14:29:14 +00:00
Jaeden Amero
594a330eb7 psa: test: Fix truncation of message by snprintf
We had only allocated 40 bytes for printing into, but we wanted to print 46
bytes. Update the buffer to be 47 bytes, which is large enough to hold what
we want to print plus a terminating null byte.
2018-11-08 17:32:45 +00:00
Gilles Peskine
728944718a Fix a test case with incorrect dependency
Simplify the test case "PSA export a slot after a failed import of an
EC keypair": use an invalid private value for the specified curve. Now
the dependencies match the test data, so this fixes curves.pl.
2018-11-08 10:00:08 +01:00
Moran Peker
ce50007f90 Add tests of using cipher in bad state cases
- cipher setup after import key failure.
- cipher setup after set key policy but no key material
creation.
2018-11-07 16:20:07 +02:00
Moran Peker
3455009116 Add tests that check export failures after illegal behavior
- export a key after import key failure.
- export a key after the key was destroyed.
- export a key after set key policy but no key material
creation.
2018-11-07 16:19:34 +02:00
Moran Peker
28a38e6e38 Add tests that checks key management corner cases
- import a key into a non empty key slot.
- export a key from invalid slot number.
2018-11-07 16:18:24 +02:00
Simon Butcher
241823aab8 Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed 2018-11-07 12:55:47 +00:00
Simon Butcher
42ab4ae033 Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed 2018-11-07 12:54:45 +00:00