From 326e474a6de5c13fce47220a3259c2fc299dec7b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 30 Sep 2020 17:01:18 +0200 Subject: [PATCH 1/3] Add basic test cases for Curve25519 Test import and key generation, each followed by a key agreement. Only good cases in this commit. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_psa_crypto.data | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 2c6924a4d..cab66cd16 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2549,6 +2549,14 @@ PSA raw key agreement: ECDH brainpoolP512r1 (RFC 7027) depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED:MBEDTLS_ECDH_C raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):"16302ff0dbbb5a8d733dab7141c1b45acbc8715939677f6a56850a38bd87bd59b09e80279609ff333eb9d4c061231fb26f92eeb04982a5f1d1764cad57665422":"049d45f66de5d67e2e6db6e93a59ce0bb48106097ff78a081de781cdb31fce8ccbaaea8dd4320c4119f1e9cd437a2eab3731fa9668ab268d871deda55a5473199f2fdc313095bcdd5fb3a91636f07a959c8e86b5636a1e930e8396049cb481961d365cc11453a06c719835475b12cb52fc3c383bce35e27ef194512b71876285fa":"a7927098655f1f9976fa50a9d566865dc530331846381c87256baf3226244b76d36403c024d7bbf0aa0803eaff405d3d24f11a9b5c0bef679fe1454b21c4cd1f" +PSA raw key agreement: X25519 (RFC 7748: Alice) +depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECDH_C +raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a":"de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f":"4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742" + +PSA raw key agreement: X25519 (RFC 7748: Bob) +depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECDH_C +raw_key_agreement:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):"5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb":"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a":"4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742" + PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160 depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDH_C:MBEDTLS_SHA256_C key_agreement_capacity:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":8160 @@ -2710,6 +2718,10 @@ depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECDSA_C # doesn't fully relate the curve with its size. generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_NOT_SUPPORTED +PSA generate key: ECC, Curve25519, good +depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECDH_C +generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS + PSA generate key: RSA, default e generate_key_rsa:512:"":PSA_SUCCESS From 360e2c41d8211e43ed2a729e4947db6f9d050c31 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 24 Jul 2020 02:03:20 +0200 Subject: [PATCH 2/3] List Montgomery curves in mbedtls_ecp_curve_list() mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names "x25519" and "x448". These curves support ECDH but not ECDSA. This was meant ever since the introduction of mbedtls_ecdsa_can_do() in 0082f9df6f26b982f74a3301399f66ba7a6eb039, but 2c69d10bac678d0d86615de3d01b3d5bbb4b8c45 had removed the claim that Montgomery curves support ECDH except through Everest. Signed-off-by: Gilles Peskine --- ChangeLog.d/ecp_curve_list.txt | 5 +++++ library/ecp.c | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 ChangeLog.d/ecp_curve_list.txt diff --git a/ChangeLog.d/ecp_curve_list.txt b/ChangeLog.d/ecp_curve_list.txt new file mode 100644 index 000000000..55745d38d --- /dev/null +++ b/ChangeLog.d/ecp_curve_list.txt @@ -0,0 +1,5 @@ +Bugfix + * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names + "x25519" and "x448". These curves support ECDH but not ECDSA. If you need + only the curves that support ECDSA, filter the list with + mbedtls_ecdsa_can_do(). diff --git a/library/ecp.c b/library/ecp.c index 5d00de5cf..05a0b0175 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -546,8 +546,11 @@ static const mbedtls_ecp_curve_info ecp_supported_curves[] = #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" }, #endif -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) +#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) { MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" }, +#endif +#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) + { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" }, #endif { MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, }; From 2acbed387d25b3ab40f90d13ce0c0eb389961ff8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 30 Sep 2020 18:55:42 +0200 Subject: [PATCH 3/3] psa_generate_key: remove the bit-size sanity check In psa_generate_key_internal() for ECC keys, remove the check that the bit-size according to Mbed TLS is equal to the requested bit-size. This check was necessary back when the PSA API encoded curves and key sizes independently, in order to reject combinations such as SECP256R1 with a 512-bit size. Since the curve encoding changed to specifying a curve family and a size separately, the Mbed TLS curve id (grp_id) and the curve data (curve_info) are now determined from the size, and checking that (curve_info->bit_size == bits) is now only a redundant sanity check. This check is actually buggy, because PSA Crypto and Mbed TLS don't have exactly the same notion of key size. PSA thinks Curve25519 is 255-bit and secp224k1 is 225-bit, but Mbed TLS thinks they're 256-bit and 224-bit respectively. Removing the check allows key generation to work for these curves. Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_generate_key-curve25519.txt | 3 +++ library/psa_crypto.c | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/psa_generate_key-curve25519.txt diff --git a/ChangeLog.d/psa_generate_key-curve25519.txt b/ChangeLog.d/psa_generate_key-curve25519.txt new file mode 100644 index 000000000..24b6fcfe2 --- /dev/null +++ b/ChangeLog.d/psa_generate_key-curve25519.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix psa_generate_key() returning an error when asked to generate + an ECC key pair on Curve25519 or secp244k1. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 931e2e915..3182a0acf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -6110,8 +6110,6 @@ static psa_status_t psa_generate_key_internal( return( PSA_ERROR_NOT_SUPPORTED ); if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); - if( curve_info->bit_size != bits ) - return( PSA_ERROR_INVALID_ARGUMENT ); mbedtls_ecp_keypair_init( &ecp ); ret = mbedtls_ecp_gen_key( grp_id, &ecp, mbedtls_ctr_drbg_random,