Andrzej Kurek
3016de3eeb
pk_wrap: rework signature extraction to work with small r and s values
...
There is a probability that r will be encoded as 31 or less bytes in DER,
so additional padding is added in such case.
Added a signature-part extraction function to tidy up the code further.
2018-11-22 13:37:14 -05:00
Manuel Pégourié-Gonnard
7b7808cc76
Add tests for ECDSA verify with short r, s values
...
This is intended to test transcoding the signature to the format expected by
PSA (fixed-length encoding of r, s) when r and s have respectively:
- full length with initial null byte
- full length without initial null byte
- non-full length with initial null byte
- non-full length without initial null byte
The signatures were generated using:
programs/pkey/pk_sign tests/data_files/server5.key foo
where foo is an empty file, and with a variant of one of the following patches
applied:
diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..e4a27b044516 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
+ printf("\ngenerating r...\n");
+gen:
MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
#if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -317,6 +319,11 @@ mul:
MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
f_rng, p_rng, ECDSA_RS_ECP ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
+
+ size_t bits = mbedtls_mpi_bitlen( pr );
+ printf("%zu ", bits);
+ if( bits != 255 )
+ goto gen;
}
while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
or:
diff --git a/library/ecdsa.c b/library/ecdsa.c
index abac015cebc6..d704376e0c42 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -305,7 +305,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
+ printf("\ngenerating r...\n");
+gen:
MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
#if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -353,6 +355,11 @@ modn:
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+
+ size_t bits = mbedtls_mpi_bitlen( s );
+ printf("%zu ", bits);
+ if( bits != 247 )
+ goto gen;
}
while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
with the value edited manually between each run to get the desired bit length.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
45fc464156
pk_wrap: improve error codes returned from ecdsa_verify_wrap
...
Use the shared PSA utilities to translate errors.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
ca6330992e
pk_wrap: switch to helper functions defined in psa_util.h
...
Remove duplicated helper functions.
Remove an unnecessary call to psa_crypto_init().
2018-11-22 13:37:14 -05:00
Andrzej Kurek
510ee70501
pk_wrap: test if a valid md_alg is passed to ecdsa_verify_wrap
...
Adjust tests to pass a valid algorithm
2018-11-22 13:37:14 -05:00
Andrzej Kurek
2f69b1a059
pk_wrap: destroy key slot on errors with policy or key importing
2018-11-22 13:37:14 -05:00
Andrzej Kurek
c097b0fded
pk_wrap: add a check for equal signature parts
2018-11-22 13:37:14 -05:00
Andrzej Kurek
f8c94a811a
pk_wrap: check if curve conversion is successful
2018-11-22 13:37:14 -05:00
Andrzej Kurek
6d49ae9223
pk_wrap: nullify the signature pointer on error in extract_ecdsa_sig
...
Fix a double free error in ecdsa_verify_wrap
2018-11-22 13:37:14 -05:00
Andrzej Kurek
1e3b6865d7
pk_wrap: cosmetic changes
...
Adjust whitespaces and variable names
2018-11-22 13:37:14 -05:00
Andrzej Kurek
39d1f4b29f
pk_wrap.c: add support for ecdsa signature verification using PSA
...
Use PSA internally to verify signatures.
Add a conversion to a raw signature format.
2018-11-22 13:37:14 -05:00
Andrzej Kurek
60ea0fc185
Remove trailing whitespace
2018-11-22 13:02:29 -05:00
Andrzej Kurek
593fccdf97
x509: remove unnecessary calls to psa_hash_abort
...
According to the documentation, it does not need to be called after a failed
psa_hash call.
2018-11-22 12:53:32 -05:00
Andrzej Kurek
78276b1c73
x509: use the PSA API to perform hashing operations
...
So far limited only to certificate verification withour CRL and CSR generation.
2018-11-22 12:53:32 -05:00
Andrzej Kurek
3bd69dda1a
pkwrite: add an explicit cast to size_t
2018-11-22 12:43:53 -05:00
Andrzej Kurek
d6d07909f2
Remove trailing whitespace
2018-11-22 12:43:53 -05:00
Andrzej Kurek
16d6000577
pkwrite: add a safety check before calculating the buffer size
2018-11-22 12:43:53 -05:00
Andrzej Kurek
2f31122585
Cosmetic changes
...
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
c3de438b8e
Add CSR write testing using opaque keys
...
Parse and verify CSR programatically instead of using predetermined data,
to not tamper with randomness in tests.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
6f249de706
pkwrite: add opaque key handling for public key exporting
...
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:43:53 -05:00
Gilles Peskine
30b4641011
Merge pull request #219 from ARMmbed/enable_entropy_injection
...
always compile mbedtls_psa_inject_entropy (#219 )
2018-11-22 17:50:54 +01:00
Netanel Gonen
596e65e1a5
Fix indentation
2018-11-22 18:41:43 +02:00
Manuel Pégourié-Gonnard
f83d31260d
Implement key_opaque option to ssl_client2
2018-11-22 16:41:07 +00:00
Manuel Pégourié-Gonnard
ca906fb8b9
Add option key_opaque to ssl_client2 (skeleton)
...
This is just the plumbing for the option itself, implementation of the option
will be the next commit.
2018-11-22 16:41:07 +00:00
Manuel Pégourié-Gonnard
e31411a814
Fix test that wasn't actually effective
...
psa_destroy_key() returns success even if the slot is empty.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
72d94be0de
Improve description of a test
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
2614562212
Add test utility function: wrap_as_opaque()
...
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
29a1325b0d
Guard against PSA generating invalid signature
...
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f4427678ae
Use shared function for error translation
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1e48ebd306
Fix a compliance issue in signature encoding
...
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
615530728f
Improve documentation of an internal function
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f127e6080e
Get rid of large stack buffers in PSA sign wrapper
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
fe8607350c
Add new macro to detemine ECDSA signature length
...
Revived from a previous PR by Gilles, see:
https://github.com/ARMmbed/mbedtls/pull/1293/files#diff-568ef321d275f2035b8b26a70ee9af0bR71
This will be useful in eliminating temporary stack buffers for transcoding the
signature: in order to do that in place we need to be able to make assumptions
about the size of the output buffer, which this macro will provide. (See next
commit.)
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
35a7ff9366
Improve documentation of mbedtls_pk_setup_opaque()
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
276cb64e6c
Align names to use "opaque" only everywhere
...
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
7d51255ca7
Implement pk_sign() for opaque ECDSA keys
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
99af2f0dd1
Add tests for unsupported operations/functions
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
07b103fe07
Implement can_do for opaque ECC keypairs
...
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
683632b78e
Add support for get_(bit)len on opaque keys
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
06c631859c
Add key generation to opaque test function
...
While at it, clarify who's responsible for destroying the underlying key. That
can't be us because some keys cannot be destroyed and we wouldn't know. So
let's leave that up to the caller.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
274f521b9a
Implement alloc/free wrappers for pk_opaque_psa
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
3bc2029a33
Clarify return value of pk_check_pair()
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1ecf92c364
Skeleton for PK_OPAQUE_PSA
2018-11-22 16:39:39 +00:00
Hanno Becker
0110add3d6
Rename PSA test in ssl-opt.sh
2018-11-22 16:38:06 +00:00
Hanno Becker
5b6425a931
Remove superfluous quotes in ssl-opt.sh
2018-11-22 16:38:06 +00:00
Hanno Becker
fc20c14e76
Use PSA-based ciphers for record protections in TLS-1.2 only
...
Reasons:
- For the first release, we attempt to support TLS-1.2 only,
- At least TLS-1.0 is known to not work at the moment, as
for CBC ciphersuites the code in mbedtls_ssl_decrypt_buf()
and mbedtls_ssl_encrypt_buf() assumes that mbedtls_cipher_crypt()
updates the structure field for the IV in the cipher context,
which the PSA-based implementation currently doesn't.
2018-11-22 16:38:06 +00:00
Hanno Becker
329919eadf
Use PSA-based ciphers for SSL ticket protection
...
This commit modifies the default SSL ticket implementation
from `library/ssl_ticket.c` to use PSA-based cipher context
for ticket creation and parsing.
As in mbedtls_ssl_derive_keys() adapted in an earlier commit,
we allow fallback to the ordinary mbedtls_cipher_setup()
if the provided cipher is not known. We do this even though
we always call mbedtls_ssl_ticket_setup() with AES-GCM
in our own code since this function is public and might
be used with other ciphers by users.
2018-11-22 16:38:06 +00:00
Hanno Becker
4724645e28
Introduce macros for constants in SSL ticket implementation
2018-11-22 16:38:06 +00:00
Hanno Becker
f43177d1d0
Add runs for specific PSA-supported ciphersuites to ssl-opt.sh
...
So far, make sure we test the following ciphersuites
without any fallback to non-PSA ciphers:
TLS-ECDHE-ECDSA-WITH-AES-128-CCM
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
TLS-ECDHE-ECDSA-WITH-AES-256-CCM
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
2018-11-22 16:38:06 +00:00
Hanno Becker
2dd04907e2
Omit tests from ssl-opt.sh which force a disabled ciphersuite
2018-11-22 16:38:06 +00:00