Commit Graph

10848 Commits

Author SHA1 Message Date
Gilles Peskine
89870eb123 Cosmetic improvements in SE driver tests 2019-07-24 13:44:03 +02:00
Gilles Peskine
28f8f3068f SE keys: ensure that functions that lack support properly error out
Introduce a new function psa_get_transparent_key which returns
NOT_SUPPORTED if the key is in a secure element. Use this function in
functions that don't support keys in a secure element.

After this commit, all functions that access a key slot directly via
psa_get_key_slot or psa_get_key_from_slot rather than via
psa_get_transparent_key have at least enough support for secure
elements not to crash or otherwise cause undefined behavior. Lesser
bad behavior such as wrong results or resource leakage is still
possible in error cases.
2019-07-24 13:30:31 +02:00
Gilles Peskine
573bbc1b4e Error out if a driver tries to store more than ITS can handle
Cast explicitly for the sake of MSVC which otherwise (usefully!) warns
about the truncation.
2019-07-23 20:23:16 +02:00
Gilles Peskine
831ac72338 Add transaction file and driver storage; new key file format
Update the storage architecture with the new features introduced for
secure element support:

* Lifetime field in key files.
* Slot number in key files for keys in a secure element.
* Transaction file (name and format).
* Persistent storage for secure element drivers (name and format).

The version number is not determined yet.
2019-07-23 19:32:21 +02:00
Gilles Peskine
105f67f0fa Move the definition of psa_key_attributes_t to crypto_types.h
psa_key_attributes_t is used in the SE driver HAL, so it must be
defined in a common header, not in the API-only header crypto.h.
2019-07-23 18:43:28 +02:00
Gilles Peskine
9dd125d8bb Fix overly complex Doxygen markup 2019-07-23 18:43:28 +02:00
Gilles Peskine
1d04b05fae Dear check-names, where you accept struct, also accept union. 2019-07-23 17:38:41 +02:00
Gilles Peskine
8b96cad204 SE drivers: implement persistent storage
Store the persistent data of secure element drivers.

This is fully implemented, but not at all tested.
2019-07-23 17:38:08 +02:00
Gilles Peskine
1df83d4f5b SE keys: implement persistent storage
For a key in a secure element, persist the key slot.

This is implemented in the nominal case. Failures may not be handled
properly.
2019-07-23 16:13:14 +02:00
Gilles Peskine
0e8d495bd9 Add the lifetime to the key storage format
Stored keys must contain lifetime information. The lifetime used to be
implied by the location of the key, back when applications supplied
the lifetime value when opening the key. Now that all keys' metadata
are stored in a central location, this location needs to store the
lifetime explicitly.
2019-07-23 14:46:52 +02:00
Gilles Peskine
bfd322ff34 Use a key attribute structure in the internal storage interface
Pass information via a key attribute structure rather than as separate
parameters to psa_crypto_storage functions. This makes it easier to
maintain the code when the metadata of a key evolves.

This has negligible impact on code size (+4B with "gcc -Os" on x86_64).
2019-07-23 13:31:54 +02:00
Gilles Peskine
274a2637f2 Make whitespace consistent 2019-07-23 11:29:06 +02:00
Gilles Peskine
6032673b39 Fix Doxygen reference
Pass doxygen.sh
2019-07-22 20:10:36 +02:00
Gilles Peskine
fc76265385 Do secure element key creation and destruction in a transaction
Key creation and key destruction for a key in a secure element both
require updating three pieces of data: the key data in the secure
element, the key metadata in internal storage, and the SE driver's
persistent data. Perform these actions in a transaction so that
recovery is possible if the action is interrupted midway.
2019-07-22 19:46:22 +02:00
Gilles Peskine
c8336cb8f9 Implement a transaction record storage for resilience
Implement a transaction record that can be used for actions that
modify more than one piece of persistent data (whether in the
persistent storage or elsewhere such as in a secure element).

While performing a transaction, the transaction file is present in
storage. If the system starts with an ongoing transaction, it must
complete the transaction (not implemented yet).
2019-07-22 19:46:22 +02:00
Gilles Peskine
5dc742c36a SE keys: smoke test import, export, destroy 2019-07-12 23:47:47 +02:00
Gilles Peskine
5d309672af SE keys: support import and export 2019-07-12 23:47:28 +02:00
Gilles Peskine
354f7671f4 SE keys: support destroy
When destroying a key in a secure element, call the driver's destroy
method and update the driver's persistent data in storage.
2019-07-12 23:46:38 +02:00
Gilles Peskine
cbaff467ef SE keys: allocate a slot before creating the key 2019-07-12 23:46:04 +02:00
Gilles Peskine
73167e128f SE keys: store the slot number in the memory slot 2019-07-12 23:44:37 +02:00
Gilles Peskine
8abe6a2d5c Driver table entries are now mutable
Since driver table entries contain the driver context, which is
mutable, they can't be const anymore.
2019-07-12 23:42:20 +02:00
Gilles Peskine
5243a202c3 Driver context manipulation functions
Create the driver context when registering the driver.

Implement some helper functions to access driver information.
2019-07-12 23:42:20 +02:00
Gilles Peskine
94cc42c28f Pass a writable pointer to the persistent data when needed
Most driver methods are not allowed to modify the persistent data, so
the driver context structure contains a const pointer to it. Pass a
non-const pointer to the persstent data to the driver methods that
need it: init, allocate, destroy.
2019-07-12 23:34:20 +02:00
Gilles Peskine
f2223c868d New driver method: allocate
Add a driver method to allocate a key slot for a key that is about to
be created.
2019-07-12 23:33:02 +02:00
Gilles Peskine
8597bc13e7 Pass the driver context to most driver methods
Pass the driver context to all driver methods except the ones that
operate on an already-setup operation context.

Rename `p_context` arguments to `op_context` to avoid confusion
between contexts.
2019-07-12 23:32:27 +02:00
Gilles Peskine
7a86da1d42 Define a driver context structure type
Define a structure that is to be instantiated once per driver
instance.

Define a driver initialization method and pass it the driver context.
2019-07-12 23:25:59 +02:00
Gilles Peskine
f03143a4d1 Change driver key slot numbers to 64 bits
This slightly increases storage requirements, but works in more use
cases. In particular, it allows drivers to treat choose slot numbers
with a monotonic counter that is incremented each time a key is
created, without worrying about overflow in practice.
2019-07-12 23:18:29 +02:00
Gilles Peskine
011e4284a1 Look up the SE driver when creating a key
When creating a key with a lifetime that places it in a secure
element, retrieve the appropriate driver table entry.

This commit doesn't yet achieve behavior: so far the code only
retrieves the driver, it doesn't call the driver.
2019-07-12 11:47:50 +02:00
Gilles Peskine
6e59c42d1d Split the secure element driver method table memory layout
Instead of having one giant table containing all possible methods,
represent a driver's method table as a structure containing pointers
to substructures. This way a driver that doesn't implement a certain
class of operations can use NULL for this class as a whole instead of
storing NULL for each method.
2019-07-12 11:47:50 +02:00
Gilles Peskine
f989dbe6d8 SE driver lookup functions
Expose the type of an entry in the SE driver table as an opaque type
to other library modules. Soon, driver table entries will have state,
and callers will need to be able to access this state through
functions using this opaque type.

Provide functions to look up a driver by its lifetime and to retrieve
the method table from an entry.
2019-07-12 11:47:50 +02:00
Gilles Peskine
e62b74e68f Add public-key export method 2019-07-12 11:47:50 +02:00
Gilles Peskine
1168ef947b
Merge pull request #167 from adrianlshaw/document_algorithms2
Documented some algorithms
2019-07-12 11:03:40 +02:00
Adrian L. Shaw
2282cfa660 Remove GMAC algorithm (for now)
It can't be implemented with the current version of the API
2019-07-11 15:51:45 +01:00
Adrian L. Shaw
fd2aed4d76 Document cipher modes 2019-07-11 15:47:40 +01:00
Jaeden Amero
93fe3a1a8f
Merge pull request #160 from yanesca/iotcrypt-790-update-tests-to-multipart-key-derivation
Iotcrypt 790 update tests to multipart key derivation
2019-07-04 17:19:36 +01:00
Gilles Peskine
2a38e2477a Slightly simplify derive_wrapping_key
No error can arise after the wrapping key is created, so remove the
corresponding cleanup code.
2019-07-04 14:41:07 +01:00
Gilles Peskine
4e2cc5353c Update key_ladder_demo to the current key derivation API 2019-07-04 14:41:00 +01:00
Janos Follath
343067e0d1 Add invalid_key_derivation test cases for TLS PRF
Add test_derive_invalid_key_derivation_state test cases for TLS 1.2 PRF.
2019-07-04 14:29:30 +01:00
Janos Follath
d958bb7aae Convert invalid_key_derivation_state to new API
Convert the test_derive_invalid_key_derivation_state() test to the new
KDF API.
2019-07-04 14:29:30 +01:00
Janos Follath
5ab0e0b601 Add derive_key_export test cases for TLS 1.2 PRF 2019-07-04 14:29:30 +01:00
Janos Follath
42fd888ab0 Convert derive_key_export to the new KDF API 2019-07-04 14:29:30 +01:00
Janos Follath
8d98a1e626 Add derive_key_exercise test cases for TLS 1.2 PRF 2019-07-04 14:29:30 +01:00
Janos Follath
e60c9052ec Convert derive_key_exercise to the new KDF API 2019-07-04 14:29:30 +01:00
Janos Follath
f2815eaec6 Refactor key derivation setup in tests 2019-07-04 14:29:00 +01:00
Janos Follath
e7e4706230 Add derive_full test cases for TLS 1.2 PRF 2019-07-04 14:22:27 +01:00
Janos Follath
47f27ed752 Convert derive_full test to the new KDF API 2019-07-04 14:22:27 +01:00
Janos Follath
46d9fbc4a9 Add test cases for exercise_key_derivation_key 2019-07-04 14:22:27 +01:00
Gilles Peskine
7607cd6e57 Convert exercise_key_derivation_key to the new KDF API 2019-07-04 14:22:27 +01:00
Jaeden Amero
c19dcebbdd
Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart
Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00
Janos Follath
d6dce9f4f3 Fix zero-length seed or label in TLS 1.2 PRF
The psa_tls12_prf_set_seed() and psa_tls12_prf_set_label() functions did
not work on platforms where malloc(0) returns NULL.

It does not affect the TLS use case but these PRFs are used in other
protocols as well and might not be used the same way. For example EAP
uses the TLS PRF with an empty secret. (This would not trigger the bug,
but is a strong indication that it is not safe to assume that certain
inputs to this function are not zero length.)

The conditional block includes the memcpy() call as well to avoid
passing a NULL pointer as a parameter resulting in undefined behaviour.

The current tests are already using zero length label and seed, there is
no need to add new test for this bug.
2019-07-04 09:11:38 +01:00