Commit Graph

16272 Commits

Author SHA1 Message Date
gabor-mezei-arm
044fefcdfb
Add test case generation for usage extensions when loading keys
Add test cases validating that if a stored key only had the hash policy,
then after loading it psa_get_key_attributes reports that it also has the
message policy, and the key can be used with message functions.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:28:36 +02:00
gabor-mezei-arm
15c1f03f78
Add key usage policy extension support for key generation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:28:34 +02:00
gabor-mezei-arm
4d9fb73c99
Use different subslasses for the test data files
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:27:55 +02:00
gabor-mezei-arm
8b0c91c91f
Create a function for gather all the keys.
Prepare for using subclasses.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:27:55 +02:00
gabor-mezei-arm
d71659f447
Extend description generation
Add an extra optional parameter to generate a more detailed description
for test cases.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:27:55 +02:00
gabor-mezei-arm
0996080652
Use builder method pattern to generate a key
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-28 15:27:49 +02:00
Gilles Peskine
51e1936f83
Merge pull request #840 from yanesca/reject-low-order-points-early-x25519-restricted-2.x
[Backport 2.x] Reject low order points early x25519
2021-06-28 13:45:51 +02:00
gabor-mezei-arm
9ac4847a5d
Unify multipart cipher operation tester functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 18:30:38 +02:00
Dave Rodgman
78c601b529
Merge pull request #4717 from daverodgman/psa_cipher_and_mac_abort_on_error_2.x
Backport 2.x: Psa cipher and mac abort on error
2021-06-25 15:39:43 +01:00
Janos Follath
2667fb708e Fix unused parameter warning
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 15:36:55 +01:00
Janos Follath
ef15ce502c Add ChangeLog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:30 +01:00
Janos Follath
bc58902a32 Add prefix to BYTES_TO_T_UINT_*
These macros were moved into a header and now check-names.sh is failing.
Add an MBEDTLS_ prefix to the macro names to make it pass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
51ccd62a08 Fix ecp_check_pub() test cases
Negative x coordinate was tested with the value -1. It happens to be one
of the low order points both for Curve25519 and Curve448 and might be
rejected because of that and not because it is negative. Make sure that
x < 0 is the only plausible reason for the point to be rejected.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
be89c357ae Add ecp_check_pub tests for Curve 448
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
7d4ebddbb6 Reject low-order points on Curve448 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources (RFC
7748 say we MAY reject 0 as a result) and recommended by some to reject
those points (either to ensure contributory behaviour, or to protect
against timing attack when the underlying field arithmetic is not
constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
701742500d Add DoS test case for ecp_check_pub
A test case for which the loop would take practically forever if it was
reached. The point would be to validate that the loop is not reached.
The test case should cause the CI to time out if starting with the
current code, ecp_check_pubkey_mx() was changed to call
ecp_check_pubkey_x25519() first and run the mbedtls_mpi_size(() test
afterwards, which would make no semantic difference in terms of memory
contents when the function returns, but would open the way for a DoS.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
1c6a439783 Use mbedtls_mpi_lset() more
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:15 +01:00
Janos Follath
bc96a79854 Move mpi constant macros to bn_mul.h
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:59:01 +01:00
gabor-mezei-arm
43611b089b
Rename test functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:36 +02:00
gabor-mezei-arm
7aa1efd919
Remove duplicated tests
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
0e1d31bf06
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
d52c8dc783
Fix possible unreachable code
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
f4cc6c9064
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
3fd792d076
Add checks for buffer size
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
7fbea09847
Use local variable instead of an ouput parameter
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:50:35 +02:00
gabor-mezei-arm
52ae871b27
Initialize output buffer length to 0
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:21:11 +02:00
Janos Follath
d31a30c083 Remove redundant ecp_check_pub() tests
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:15:24 +01:00
Janos Follath
b4c676e6b3 Prevent memory leak in ecp_check_pubkey_x25519()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
520f0a0ea0 Avoid complaints about undeclared non-static symbols
Clang was complaining and check-names.sh too

This only duplicates macros, so no impact on code size. In 3.0 we can
probably avoid the duplication by using an internal header under
library/ but this won't work for 2.16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
ae48111294 Use more compact encoding of Montgomery curve constants
Base 256 beats base 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:24 +01:00
Manuel Pégourié-Gonnard
10b8e5a5c9 Use a more compact encoding of bad points
Base 10 is horrible, base 256 is much better.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:15:22 +01:00
gabor-mezei-arm
e81a0cf0b9
Fix changelog entry
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-25 15:09:40 +02:00
Manuel Pégourié-Gonnard
6a5f5745d0 Add test for check_pubkey for x25519
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:06:45 +01:00
Manuel Pégourié-Gonnard
f2268d1c17 Reject low-order points on Curve25519 early
We were already rejecting them at the end, due to the fact that with the
usual (x, z) formulas they lead to the result (0, 0) so when we want to
normalize at the end, trying to compute the modular inverse of z will
give an error.

If we wanted to support those points, we'd a special case in
ecp_normalize_mxz(). But it's actually permitted by all sources
(RFC 7748 say we MAY reject 0 as a result) and recommended by some to
reject those points (either to ensure contributory behaviour, or to
protect against timing attack when the underlying field arithmetic is
not constant-time).

Since our field arithmetic is indeed not constant-time, let's reject
those points before they get mixed with sensitive data (in
ecp_mul_mxz()), in order to avoid exploitable leaks caused by the
special cases they would trigger. (See the "May the Fourth" paper
https://eprint.iacr.org/2017/806.pdf)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-25 14:06:45 +01:00
Dave Rodgman
478ab5443b Use more standard label name
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-25 09:09:30 +01:00
Ronald Cron
132e8c3cab
Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x
Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
2021-06-25 09:00:58 +02:00
Gilles Peskine
ee334d1b75 Update Visual Studio project
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-24 20:05:20 +02:00
Dave Rodgman
54f7351d12 Improve psa_hash_update negative test
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 18:14:52 +01:00
gabor-mezei-arm
dad6f3b5a0
Remove confising comments
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:29:09 +02:00
Dave Rodgman
d73e1b0ccd Tidy up logic in psa_mac_sign_finish
Simplify the logic in psa_mac_sign_finish.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:57 +01:00
Dave Rodgman
db861797c1 Correct coding style issues
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 16:20:53 +01:00
gabor-mezei-arm
22984de191
Remove comments
These comment cannot bring more information than the code does.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 17:20:22 +02:00
gabor-mezei-arm
c31505c351
Test struct initialization
Modify tests to test mbedtls_psa_cipher_operation_t,
mbedtls_transparent_test_driver_cipher_operation_t and
mbedtls_opaque_test_driver_cipher_operation_t struct initialization macros.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm
f67d8af106
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm
c5c8d38d80
Add test for one-shot cipher driver wrapper functions
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:58:27 +02:00
gabor-mezei-arm
8f8dc4c188
Add changelog entry
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
gabor-mezei-arm
fa990b5ffe
Dispatch cipher functions through the driver interface
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
gabor-mezei-arm
d086e6e14f
Add tests for one-shot hash cipher functions
Tests for psa_cipher_encrypt and psa_cipher_decrypt functions.
The psa_cipher_encrypt function takes no parameter for IV and always generates
it therefore there will be a randomness in the calculation and cannot be
validated by comparing the actual output with the expected output.
The function is tested by:
 - doing a prtially randomized test with an encryption then a decryption
   and validating the input with output of the decryption
 - validating against the multipart encryption
The combination of this two methods provides enough coverage like a
known answer test.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
gabor-mezei-arm
0ef3b85381
Implement one-shot cipher
Implement one-shot cipher APIs, psa_cipher_encrypt and psa_cipher_decrypt, introduced in PSA Crypto API 1.0.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-24 16:57:29 +02:00
Dave Rodgman
cccb05def4 Call abort on error in psa_mac/cipher setup
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-24 11:52:47 +01:00