Commit Graph

8041 Commits

Author SHA1 Message Date
Hanno Becker
b0c05e242c Test PSA-based GCM cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
5cec718191 Adapt existing Cipher-GCM test cases to new param for auth_crypt_tv 2018-11-22 14:03:39 +00:00
Hanno Becker
a13272d6d2 Test PSA-based CCM cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
56150afd1a Implement PSA-based AEAD enc/dec cipher operations 2018-11-22 14:03:39 +00:00
Hanno Becker
f133640475 Add AEAD tag length to new mbedtls_cipher_setup_psa()
For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.
2018-11-22 14:03:39 +00:00
Hanno Becker
884f6af590 Always configure PSA-based keys for encryption and decryption
Mbed TLS cipher layer allows usage of keys for other purposes
than indicated in the `operation` parameter of `mbedtls_cipher_setkey()`.
The semantics of the PSA Crypto API, in contrast, checks key
usage against the key policy.

As a remedy, this commit modifies the PSA key slot setup to
always allow both encryption and decryption.
2018-11-22 14:03:39 +00:00
Hanno Becker
e43164e8f1 Add AES-*-CBC test vectors for PSA-based cipher contexts 2018-11-22 14:03:39 +00:00
Hanno Becker
3c852a9c35 Implement PSA-based version of mbedtls_cipher_crypt() 2018-11-22 14:03:39 +00:00
Hanno Becker
d9ca5cfd60 Implement mbedtls_cipher_setkey() for PSA-based cipher contexts
This commit implements the internal key slot management performed
by PSA-based cipher contexts. Specifically, `mbedtls_cipher_setkey()`
wraps the provided raw key material into a key slot, and
`mbedtls_cipher_free()` destroys that key slot.
2018-11-22 14:03:39 +00:00
Hanno Becker
73f59fc3e9 Add PSA-specific cipher context 2018-11-22 14:03:39 +00:00
Hanno Becker
1cb36530be Add psa_enabled field to cipher ctx and add dummy implementations
This field determines whether a cipher context should
use an external implementation of the PSA Crypto API for
cryptographic operations, or Mbed TLS' own crypto library.

The commit also adds dummy implementations for the cipher API.
2018-11-22 14:03:39 +00:00
Hanno Becker
098c9de2af Add declaration and dummy-definition of mbedtls_cipher_setup_psa() 2018-11-22 14:03:39 +00:00
Hanno Becker
b1f0872ce6 Improve wording in documentation of mbedtls_cipher_setup() 2018-11-22 14:03:39 +00:00
Hanno Becker
d7503a72d0 Expand documentation of mbedtls_cipher_list() 2018-11-22 14:03:39 +00:00
Hanno Becker
21967c5bff Fix style in cipher.c 2018-11-22 14:03:39 +00:00
Hanno Becker
f4fb876be9 Fix style in cipher.h 2018-11-22 14:03:39 +00:00
Hanno Becker
c3d25b31ab Fix style in NUM_CIPHERS definition in cipher_wrap.c
Use brackets around `sizeof()` arguments as well as the entire macro.
2018-11-22 14:03:39 +00:00
Hanno Becker
e5a0450809 Fix style in definition of mbedtls_cipher_mode_t 2018-11-22 14:03:39 +00:00
Hanno Becker
6767cca100 Merge branch 'gcm_through_cipher_api_tests' into psa_cipher_ 2018-11-22 14:03:14 +00:00
Hanno Becker
c0c882cd67 Add missing dependencies in test_suite_cipher.gcm 2018-11-22 13:41:53 +00:00
Hanno Becker
f79aa9e3ca Adapt ChangeLog 2018-11-22 13:41:53 +00:00
Hanno Becker
ef42f22edd Add NIST AES GCM test vectors to single-step cipher API test suite
The test suites `test_suite_gcm.aes{128,192,256}_en.data` contains
numerous NIST test vectors for AES-*-GCM against which the GCM
API mbedtls_gcm_xxx() is tested.

However, one level higher at the cipher API, no tests exist which
exercise mbedtls_cipher_auth_{encrypt/decrypt}() for GCM ciphers,
although test_suite_cipher.function contains the test auth_crypt_tv
which does precisely that and is already used e.g. in
test_suite_cipher.ccm.

This commit replicates the test vectors from
test_suite_gcm.aes{128,192,256}_en.data in test_suite_cipher.gcm.data
and adds a run of auth_crypt_tv for each of them.

The conversion was mainly done through the sed command line

```
s/gcm_decrypt_and_verify:\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):
\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\)/auth_crypt_tv:
\1:\2:\4:\5:\3:\7:\8:\9/
```
2018-11-22 13:41:07 +00:00
Hanno Becker
e10f191543 Remove MBEDTLS_PSA_CRYPTO_SPM from config.pl
This configuration option has been removed by now.
2018-11-22 09:43:35 +00:00
Hanno Becker
6e02197e24 Refer to PSA through MBEDTLS_USE_PSA_CRYPTO, not USE_PSA, in all.sh 2018-11-21 21:08:43 +00:00
Hanno Becker
4d30776826 Remove double white space 2018-11-21 21:08:43 +00:00
Hanno Becker
186b65ac61 Use MBEDTLS_PSA_UTIL_H instead of MBEDTLS_PSA_COMPAT_H in psa_util.h
This is still an artifact from when psa_util.h was called psa_compat.h.
2018-11-21 21:08:43 +00:00
Hanno Becker
51560b62ed State explicitly that any API depending on PSA is unstable 2018-11-21 21:08:43 +00:00
Hanno Becker
f0cd6191ef Update VisualC files 2018-11-21 21:08:43 +00:00
Hanno Becker
f5f9ea26bb Improve documentation of mbedtls_psa_err_translate_pk() 2018-11-21 21:08:43 +00:00
Hanno Becker
010cf7eced Add AEAD tag length parameter to mbedtls_psa_translate_cipher_mode()
In case of AEAD ciphers, the cipher mode (and not even the entire content
of mbedtls_cipher_info_t) doesn't uniquely determine a psa_algorithm_t
because it doesn't specify the AEAD tag length, which however is included
in psa_algorithm_t identifiers.

This commit adds a tag length value to mbedtls_psa_translate_cipher_mode()
to account for that ambiguity.
2018-11-21 21:08:43 +00:00
Hanno Becker
000334f398 Add function to translate PSA errors to PK module errors 2018-11-21 21:08:43 +00:00
Hanno Becker
afebf5a153 Fix Doxygen annotation in psa_util.h 2018-11-21 21:08:43 +00:00
Hanno Becker
5a9942e7d2 Initialize PSA Crypto implementation in ssl_server2 2018-11-21 21:08:43 +00:00
Hanno Becker
b2b468ba45 Initialize PSA Crypto implementation in ssl_client2.c 2018-11-21 21:08:43 +00:00
Hanno Becker
1cfc5ddb11 Initialize PSA Crypto implementation at the start of each test suite 2018-11-21 21:08:43 +00:00
Hanno Becker
b26c1938d2 Make PSA utility functions static inline
Compilers warn about unused static functions.
2018-11-21 21:08:43 +00:00
Hanno Becker
5525126ed8 Add PSA-to-Mbed TLS translations for cipher module 2018-11-21 21:08:43 +00:00
Hanno Becker
87837b2ec6 Add internal header for PSA utility functions
This commit adds the header file mbedtls/psa_util.h which contains
static utility functions `mbedtls_psa_xxx()` used in the integration
of PSA Crypto into Mbed TLS.

Warning: These functions are internal only and may change at any time.
2018-11-21 21:08:42 +00:00
Manuel Pégourié-Gonnard
655c0a8d76 Add build using PSA to all.sh 2018-11-21 21:08:40 +00:00
Manuel Pégourié-Gonnard
aeefa49edd Add config option for X.509/TLS to use PSA 2018-11-21 21:03:14 +00:00
Simon Butcher
55517ae95f Merge remote-tracking branch 'public/pr/2146' into development-proposed 2018-11-21 16:27:47 +00:00
Gilles Peskine
bc554f66ef Document Mbed Crypto and the PSA API
Briefly explain that this is experimental, and document how to try it out.
2018-11-21 12:54:57 +00:00
Jaeden Amero
3f6470a517 psa: Add ChangeLog entry for adding Mbed Crypto 2018-11-21 12:54:57 +00:00
Jaeden Amero
acaabe796e crypto: Test without crypto as a submodule
Add a test to ensure that when the crypto submodule is not used, the crypto
library is not created and that libmbedcrypto.a does not contain symbols
from files contained within the crypto submodule.
2018-11-21 12:54:57 +00:00
Jaeden Amero
ed93bdc8aa crypto: Test with crypto as a submodule
- Check that libmbedcrypto was not built at the top level.
- Check that we've built libmbedcrypto with the correct files. Build
  libmbedcrypto with debug symbols and verify that files used are from the
  crypto submodule.
- Check that config.h is handled properly. Enable a feature at the top
  level that the crypto library submodule has disabled in its config.h, and
  check that the library symboles indicate that the feature is present in
  libmbedcrypto.
- Ensure basic functionality of the resulting build with a run of
  `make test` and `ssl-opt.sh`.
2018-11-21 12:54:57 +00:00
Jaeden Amero
ffeb1b8ab6 abi_check: Update submodules
When grabbing a fresh copy of a branch, it's required to also fetch the
submodule. Add fetching the submodule to abi_check.py.
2018-11-21 12:54:57 +00:00
Jaeden Amero
7acb0cf01e abi_check: Allow checking current checkout
Without a "--detach" option, git worktree will refuse to checkout a branch
that's already checked out. This makes the abi_check.py script not very
useful for checking the currently checked out branch, as git will error
that the branch is already checked out. Add the "--detach" option to check
out the new temporary worktree in detached head mode. This is acceptable
because we aren't planning on working on the branch and just want a
checkout to do ABI checking from.
2018-11-21 12:54:57 +00:00
Jaeden Amero
484ee33c35 psa: Add PSA Crypto configuration
Add an option that can enable the exposure of PSA Crypto APIs from
libmbedcrypto.
2018-11-21 12:54:57 +00:00
Jaeden Amero
30b340a760 crypto: Add mbedtls-psa as a submodule
mbedtls-psa contains an implementation of libmbedcrypto, including the PSA
Crypto API.
2018-11-21 12:54:57 +00:00
Jaeden Amero
4cb814e3a7 cmake: Use finer grained include directory
Using finer grained control over include directories will allow differnt
targets to use different include files. This will be useful when the
`crypto` subcomponent wants to use its own include files instead of or in
addition to the top level ones.
2018-11-20 18:46:43 +00:00