Commit Graph

16579 Commits

Author SHA1 Message Date
Gilles Peskine
b3e87b6ab1 psa_crypto does not support XTS
The cipher module implements XTS, and the PSA API specifies XTS, but the PSA
implementation does not support XTS. It requires double-size keys, which
psa_crypto does not currently support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
ae93ee6ddc Reject block cipher modes that are not implemented in Mbed TLS
Mbed TLS doesn't support certain block cipher mode combinations. This
limitation should probably be lifted, but for now, test them as unsupported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
b0537ba3b9 Reject invalid MAC and AEAD truncations
Reject algorithms of the form PSA_ALG_TRUNCATED_MAC(...) or
PSA_ALG_AEAD_WITH_SHORTENED_TAG(...) when the truncation length is invalid
or not accepted by policy in Mbed TLS.

This is done in KeyType.can_do, so in generate_psa_tests.py, keys will be
tested for operation failure with this algorithm if the algorithm is
rejected, and for storage if the algorithm is accepted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
d36ed48f19 Fix invalid argument enumeration when there are >=3 arguments
This bug had no impact since currently no macro has more than 2 arguments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
c77f16b356 Test more truncated MAC and short AEAD tag lengths
The current macro collector only tried the minimum and maximum expressible
lengths for PSA_ALG_TRUNCATED_MAC and PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG.
This was good enough for psa_constant_names, but it's weak for exercising
keys, in particular because it doesn't include any valid AEAD tag length.
So cover more lengths.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
8f3aad2ed4 exercise_key: support modes where IV length is not 16
Support ECB, which has no IV. The code also now supports arbitrary IV
lengths based on the algorithm and key type.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
4eb1c7e965 64-bit block ciphers are incompatible with some modes
Only allow selected modes with 64-bit block ciphers (i.e. DES).

This removes some storage tests and creates corresponding op_fail tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
0de11438bb Storage format tests: exercise operations with keys
In key read tests, add usage flags that are suitable for the key type and
algorithm. This way, the call to exercise_key() in the test not only checks
that exporting the key is possible, but also that operations on the key are
possible.

This triggers a number of failures in edge cases where the generator
generates combinations that are not valid, which will be fixed in subsequent
commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
930ccefba0 Abbreviate descriptions of generated PSA storage tests
This currently makes all the descriptions unambiguous even when truncated at
66 characters, as the unit test framework does.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
d79aef5f3c Unify the code to shorten expressions
The output of generate_psa_tests.py is almost unchanged: the differences are
only spaces after commas (now consistently omitted).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
d9af978f41 Refactor usage flag formatting and implication
When generating storage format tests, pass usage flags around as a list, and
format them as the last thing.

In Storagekey(), simplify the addition of implicit usage flags: this no
longer requires parsing.

The output is unchanged.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
6213a00ec1 Storage format tests: cover algorithms for each key type
In the generated storage format test cases, cover all supported
algorithms for each key type. This is a step towards exercising
the key with all the algorithms it supports; a subsequent commit
will generate a policy that permits the specified algorithms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:48 +02:00
Gilles Peskine
989c13dece Remove ad hoc is_valid_for_signature method
Use the new generic is_public method.

Impact on generated cases: there are new HMAC test cases for SIGN_HASH. It
was a bug that these test cases were previously not generated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 16:15:44 +02:00
Gilles Peskine
a16d8fcee9
Merge pull request #5697 from gilles-peskine-arm/psa-test-op-fail-2.28
Backport 2.28: PSA: systematically test operation failure
2022-04-15 10:52:50 +02:00
Gilles Peskine
37f6d01b94
Merge pull request #5737 from mpg/clean-compat-sh-2.28
[backport 2.28] clean up compat.sh
2022-04-14 14:04:34 +02:00
Manuel Pégourié-Gonnard
6abc6259d5 Add comment in compat.sh about callers
Also update comments about default versions and excludes while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:29:01 +02:00
Manuel Pégourié-Gonnard
b623832176 Fix compat.sh invocation in basic-built-test.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:12:10 +02:00
Gilles Peskine
03efa0b8d3 Fix ARIA support in test driver configuration
Deduce MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA for the driver build from its value
from the core build, as is done for other key types. This had not been done
correctly when adding ARIA support to the PSA subsystem.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 17:15:56 +02:00
Gilles Peskine
186331875a test_psa_crypto_config_accel_cipher: deactivate CMAC
We don't yet support all combinations of configurations. With all.sh as it
currently stands, component_test_psa_crypto_config_accel_cipher results in a
build where PSA_WANT_ALG_CMAC is disabled but CMAC operations succeed
nonetheless, going via the driver. With the systematic testing of
not-supported operations, this now results in a test failure.

The code in all.sh does not respect the principle documented in
df885c052c:

> The PSA_WANT_* macros have to be the same as the ones
> used to build the Mbed TLS library the test driver
> library is supposed to be linked to as the PSA_WANT_*
> macros are used in the definition of structures and
> macros that are shared by the PSA crypto core,
> Mbed TLS drivers and the driver test library.

Disable PSA_WANT_ALG_CMAC completely in this test component. This is not
wrong and it makes the test component pass.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 17:15:56 +02:00
Gilles Peskine
d81b5ae238
Merge pull request #5717 from daverodgman/backport_2.28-alert_reentrant
Backport 2.28 - make mbedtls_ssl_send_alert_message() reentrant
2022-04-12 11:05:26 +02:00
Dave Rodgman
50b677d9e5
Merge pull request #5713 from tom-cosgrove-arm/pr-2479-backport-2.28
Backport 2.28: Fix spelling of 'features' in comment
2022-04-11 09:50:36 +01:00
Dave Rodgman
c2d1938a0d
Merge pull request #5720 from tom-cosgrove-arm/adamwolf-reasonable-2.28
Backport 2.28: Fix spelling of 'reasonable' in comments
2022-04-11 09:47:26 +01:00
Manuel Pégourié-Gonnard
9cd8831472
Merge pull request #5721 from tom-cosgrove-arm/roneld-1805-2.28
Backport 2.28: Fix Shared Library compilation issue with Cmake
2022-04-11 09:31:21 +02:00
Gilles Peskine
27ad033a96
Merge pull request #5718 from AndrzejKurek/timeless-struggles-2-28
Backport 2.28: Remove the dependency on MBEDTLS_TIME_H from the timing module
2022-04-08 18:43:12 +02:00
Ron Eldor
b283228ea3 Fix shared library link error with cmake on Windows
Set the library path as the current binary dir

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-04-08 17:16:13 +01:00
Adam Wolf
ef30d90cf0 Fix spelling of 'reasonable' in comments
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-04-08 17:02:33 +01:00
Gilles Peskine
7ece768578 Seed the PRNG even if time() isn't available
time() is only needed to seed the PRNG non-deterministically. If it isn't
available, do seed it, but pick a static seed.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 08:34:50 -04:00
Andrzej Kurek
263d8f7e61 Remove the dependency on MBEDTLS_HAVE_TIME from MBEDTLS_TIMING_C
The timing module might include time.h on its own when on
a suitable platform, even if MBEDTLS_HAVE_TIME is disabled.

Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 08:34:41 -04:00
Andrzej Kurek
2603fec329 Remove dummy timing implementation
Having such implementation might cause issues for those that
expect to have a working implementation.
Having a compile-time error is better in such case.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 08:28:50 -04:00
Dave Rodgman
28fd4cd8e9 Update ChangeLog.d/alert_reentrant.txt
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:58:19 +01:00
Hanno Becker
a349cfd585 Add ChangeLog entry
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:06:37 +01:00
Hanno Becker
d9c66c0509 Make alert sending function re-entrant
Fixes #1916

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-04-08 12:06:14 +01:00
Jacob Schloss
1882b9a8cd Fix spelling of 'features' in comment
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-04-08 11:48:57 +01:00
Gilles Peskine
e29a837ed3
Merge pull request #5705 from AndrzejKurek/off-by-one-ssl-opt-2-28
Backport 2.28 - Fix an off-by-one error in ssl-opt.sh
2022-04-07 16:20:58 +02:00
Andrzej Kurek
363553b5e4 Fix an off-by-one error in ssl-opt.sh
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 13:38:15 -04:00
Gilles Peskine
dbeaad3e0c Add missing logic for accelerated ECB under MBEDTLS_PSA_CRYPTO_CONFIG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
bc79582105 Fix psa_mac_verify() returning BUFFER_TOO_SMALL
It doesn't make sense for psa_mac_verify() to return
PSA_ERROR_BUFFER_TOO_SMALL since it doesn't have an output buffer. But this
was happening when requesting the verification of an unsupported algorithm
whose output size is larger than the maximum supported MAC size, e.g.
HMAC-SHA-512 when building with only SHA-256 support. Arrange to return
PSA_ERROR_NOT_SUPPORTED instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
449e02e909 If a cipher algorithm is not supported, fail during setup
In some cases, a cipher operation for an unsupported algorithm could succeed
in psa_cipher_{encrypt,decrypt}_setup() and fail only when input is actually
fed. This is not a major bug, but it has several minor downsides: fail-late
is harder to diagnose for users than fail-early; some code size can be
gained; tests that expect failure for not-supported parameters would have to
be accommodated to also accept success.

This commit at least partially addresses the issue. The only completeness
goal in this commit is to pass our full CI, which discovered that disabling
only PSA_WANT_ALG_STREAM_CIPHER or PSA_WANT_ALG_ECB_NO_PADDING (but keeping
the relevant key type) allowed cipher setup to succeed, which caused
failures in test_suite_psa_crypto_op_fail.generated in
component_test_psa_crypto_config_accel_xxx.

Changes in this commit:
* mbedtls_cipher_info_from_psa() now returns NULL for unsupported cipher
  algorithms. (No change related to key types.)
* Some code that is only relevant for ECB is no longer built if
  PSA_WANT_ALG_ECB_NO_PADDING is disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
161c5ee5ff Use a plausible input size with asymmetric verification
Otherwise the error status can be PSA_ERROR_INVALID_SIGNATURE instead of the
expected PSA_ERROR_NOT_SUPPORTED in some configurations. For example, the
RSA verification code currently checks the signature size first whenever
PSA_KEY_TYPE_RSA_PUBLIC_KEY is enabled, and only gets into
algorithm-specific code if this passes, so it returns INVALID_SIGNATURE even
if the specific algorithm is not supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
c2fc241e46 Test attempts to use a public key for a private-key operation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
739c98c5e8 Make psa_key_derivation_setup return early if the key agreement is not supported
Otherwise the systematically generated algorithm-not-supported tests
complain when they try to start an operation and succeed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
ea0d95e27b Make psa_key_derivation_setup return early if the hash is not supported
Otherwise the systematically generated algorithm-not-supported tests
complain when they try to start an operation and succeed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
cdacf0431b Simplify is_kdf_alg_supported in psa_key_derivation_setup_kdf
No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
23cb12ef9f A key agreement algorithm can contain a key derivation
PSA_ALG_KEY_AGREEMENT(..., kdf) is a valid key derivation algorithm
when kdf is one.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
d096445dfe In NOT_SUPPORTED test case descriptions, show what is not supported
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
35409be6aa Add a few manual test cases
They're redundant with the automatically generated test cases, but it's
useful to have them when debugging issues with the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
f8b6b503b4 Systematically generate test cases for operation setup failure
The test suite test_suite_psa_crypto_op_fail now runs a large number
of automatically generated test cases which attempt to perform a
one-shot operation or to set up a multi-part operation with invalid
parameters. The following cases are fully covered (based on the
enumeration of valid algorithms and key types):
* An algorithm is not supported.
* The key type is not compatible with the algorithm (for operations
  that use a key).
* The algorithm is not compatible for the operation.

Some test functions allow the library to return PSA_ERROR_NOT_SUPPORTED
where the test code generator expects PSA_ERROR_INVALID_ARGUMENT or vice
versa. This may be refined in the future.

Some corner cases with algorithms combining a key agreement with a key
derivation are not handled properly. This will be fixed in follow-up
commits.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
390543381c Add knowledge of the compatibility of key types and algorithms
Determine key types that are compatible with an algorithm based on
their names.

Key derivation and PAKE are not yet supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
0dacd4d266 Add knowledge of algorithms
Determine the category of operations supported by an algorithm based
on its name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00
Gilles Peskine
a218047245 Generate test cases for hash operation failure
Test that hash operation functions fail when given a hash algorithm
that is not supported or an algorithm that is not a hash.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-05 15:19:16 +02:00