Commit graph

15366 commits

Author SHA1 Message Date
Ronald Cron d85e98d6f1 psa: config: Add CBC-MAC
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-25 16:02:26 +01:00
Ronald Cron e1f5516025 psa: config: Improve handling of not supported ECC curves
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-25 16:02:19 +01:00
Mateusz Starzyk 5172605c49 Move URL matching regex to method definition.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-25 14:50:57 +01:00
Ronald Cron 51a3b7d79c psa: config: Add CAMELLIA to the list of possible CMAC ciphers
Camellia-CMAC is valid PSA configuration.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-25 14:25:46 +01:00
Mateusz Starzyk c8f4489fa5 Use raw string + binary matching for URL regex.
Long URLs are allowed only if they are alone on their lines.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-25 14:06:50 +01:00
Ronald Cron b9df5ceb8f psa: config: Fix AEAD/CMAC algorithms and ciphers inter-dependencies
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-25 11:01:21 +01:00
Ronald Cron 29394a1c7c
Merge pull request #4252 from gilles-peskine-arm/fix-ubsan-in-psa-cipher-tests
Fix NULL+0 in test code
2021-03-25 10:16:00 +01:00
Ronald Cron 9e3926a295 psa: config: Remove check on ARIA in GCM prerequisites
ARIA is not supported yet through the PSA API.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 15:57:21 +01:00
Mateusz Starzyk 9ee8166148 Compile URL matching regex before using it in the loop.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-24 12:51:15 +01:00
Mateusz Starzyk 6e47055a0b Allow changelog entries to have URLs exceeding 80 char limit.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-24 12:25:58 +01:00
Ronald Cron 4501c98fc2 psa: sign: Return INVALID_ARGUMENT instead of NOT_SUPPORTED
To run succesfully the test
"PSA sign: invalid algorithm for ECC key" of
test_suite_psa_crypto when ECDSA support is not included
in the library, always return INVALID_ARGUMENT
in case of an ECC key not used for ECDSA, whether
ECDSA support is present or not.

Then apply the same logic to RSA sign RSA and RSA/ECC
verify for the sake of consistency.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 12:05:51 +01:00
Ronald Cron 9f97c6ecdf Update PSA crypto test dependencies
Given the PSA_WANT_* config options added lately,
update set_psa_test_dependencies.py and run it
on test_suite_psa_crypto*.data files but the SE
and generated ones.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:26:44 +01:00
Ronald Cron 9838dc2702 tests: Fine tune handling of policy negative tests
Fine tune handling of policy negative tests when
setting automatically PSA crypto unit tests
dependencies.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:18:23 +01:00
Ronald Cron 6ac020d797 tests: Treat PSA_WANT_ECC_* as manual dependencies
For the time being, it is not possible to determine
the size of ECC keys from the arguments of all test
cases thus treat them as dependencies that are not
systematic. Such dependencies are not generated nor
deleted by set_psa_test_dependencies.py.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-24 09:03:56 +01:00
Gilles Peskine 0c510f36dd Fix NULL+0 in test code
Fix likely harmless undefined behavior in cipher tests pointed out by
UBSan with recent compilers (e.g. Clang 10). When the complete output
is empty, the output buffer is NULL. Adding an integer to a null
pointer is undefined behavior even when the integer is 0, so make a
special case for that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-24 00:41:51 +01:00
Ronald Cron ee414c7383 Update dependencies in PSA test code
Replace MBEDTLS_* config options for which there is
an associated PSA_WANT_* to the PSA_WANT_* one. That
way the tests are also run when the dependency is
provided by a driver.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-23 16:47:46 +01:00
Ronald Cron 3d471814bc psa: Add missing PSA configs
Add missing PSA_WANT_CCM/GCM/CMAC. This completes
the set of PSA_WANT config options given the
current support of PSA crypto in Mbed TLS.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-03-23 16:47:46 +01:00
Ronald Cron 49eee980c3
Merge pull request #4250 from gilles-peskine-arm/psa-curves-fix-tests
PSA: don't run tests for unsupported curves
2021-03-23 16:31:35 +01:00
Gilles Peskine 71f45ba0e8 Fix unused parameter warning in some configurations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 14:17:55 +01:00
Gilles Peskine defdc3bc53 SECP224K1 is not yet supported via the PSA API
Filed as https://github.com/ARMmbed/mbedtls/issues/3541. In the
meantime, disable the ssl-opt.sh test case that uses it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 13:59:58 +01:00
Gilles Peskine a1684f42d3 PSA: Reject curves that are not enabled in the PSA configuration
If an elliptic curve was enabled in the Mbed TLS classic API (#define
MBEDTLS_ECP_DP_xxx), but not enabled in the PSA configuration (#define
PSA_WANT_ECC_xxx), it would still work if you tried to use it through
PSA.

This is generally benign, but could be a security issue if you want to
disable a curve in PSA for some security reason (such as a known bug
in its implementation, which may not matter in the classic API if Mbed
TLS is running in a secure enclave and is only reachable from
untrusted callers through the PSA API). More urgently, this broke
test_suite_psa_crypto_not_supported.generated.

So if a curve is not enabled in the PSA configuration, ensure that
it's treated as unsupported through the PSA software implementation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 13:12:34 +01:00
Gilles Peskine 398413024d SECP224K1 is not yet supported via the PSA API
Filed as https://github.com/ARMmbed/mbedtls/issues/3541. In the
meantime, disable the feature.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 12:06:45 +01:00
Gilles Peskine 8276986c3e Curve448 is not yet supported via the PSA API
Filed as https://github.com/ARMmbed/mbedtls/issues/4249. In the
meantime, disable the feature.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 12:06:16 +01:00
Ronald Cron 63c3dc9395
Merge pull request #4158 from d3zd3z/pr/psa-config-ec
Create PSA configs for ECC curves
2021-03-22 17:35:04 +01:00
Gilles Peskine 01196d0464
Merge pull request #4214 from gilles-peskine-arm/psa-storage-format-test-types
PSA storage format test case generator
2021-03-22 12:16:17 +01:00
Ronald Cron 5cb08a8e61
Merge pull request #4202 from paul-elliott-arm/changelog_linelength_enforcement
Make assemble changelog script enforce line length
2021-03-19 12:26:31 +01:00
Paul Elliott d75773e941 Pythonify and fix reported line number
Use enumerate to give the line number and use the correct offset to
actually calculate it.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-18 18:09:34 +00:00
Gilles Peskine d08e538fa5
Merge pull request #4157 from stevew817/dispatch_hash_operations
Dispatch hash operations through the driver wrapper layer
2021-03-17 21:50:00 +01:00
Maulik Patel 3240c9d2ec Update tests for other invalid key operations.
Update expected return values of psa_get_key_attributes(),
psa_export_key() and other key api(s) to PSA_ERROR_INVALID_HANDLE
for invalid key.

Signed-off-by: Maulik  Patel <Maulik.Patel@arm.com>
2021-03-17 16:11:05 +00:00
Maulik Patel 02a1750098 Update tests for psa_close_key for invalid key.
Update expected return values of psa_close_key() to
PSA_ERROR_INVALID_HANDLE for invalid key handle operations.

Signed-off-by: Maulik  Patel <Maulik.Patel@arm.com>
2021-03-17 15:05:13 +00:00
Maulik Patel f65ad8ccc1 Update psa_open_key tests for invalid key.
Update expected return values of psa_open_key() to
PSA_ERROR_DOES_NOT_EXIST for invalid key handle operations.

Signed-off-by: Maulik  Patel <Maulik.Patel@arm.com>
2021-03-17 14:55:45 +00:00
Maulik Patel c1bfcdda58 Fix:4162 Return correct error type for invalid key
Return PSA_ERROR_INVALID_HANDLE instead of
PSA_ERROR_DOES_NOT_EXIST if invalid key is passed for some key
operations.

Signed-off-by: Maulik  Patel <Maulik.Patel@arm.com>
2021-03-17 13:41:07 +00:00
Gilles Peskine 6cc510ea89
Merge pull request #4075 from rrlapointe/dtls_demo_use_read_timeout
Actually use the READ_TIMEOUT_MS in the example DTLS client and server
2021-03-17 14:39:50 +01:00
Paul Elliott 2065a8d8af Reduce level of -Wformat-truncation
Reduce level of format truncation warnings due to issues with false
positives (an unknown size buffer is always treated as size 1)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-17 13:12:22 +00:00
Paul Elliott 29b641688d Fix printf format issue in programs
Fix issues that were missed as part of previous printf attribute
cleanup

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-03-17 13:08:10 +00:00
Gilles Peskine 0e7b6ebb64 Fix typos in comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-17 13:46:59 +01:00
TRodziewicz 782a7eab14 ecjpake_zkp_read() now returns ...BAD_INPUT_DATA when r len == 0 and test follows that
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-03-17 11:36:31 +01:00
Ronald Cron da3da94373
Merge pull request #4210 from gilles-peskine-arm/crypto_values-param-names
Fix parameter names after \p in include/psa
2021-03-17 10:17:18 +01:00
Gilles Peskine d86bc52d78 Cover encodings of algorithms without parameters
Generate test cases for all algorithms without parameters. Only the encoding
of the algorithm in the key metadata is covered: the test keys are not of a
type that permits the algorithm to be used in an operation.

This commit only covers algorithms without parameters. A subsequent commit
will generate algorithms with parameters.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 22:29:12 +01:00
David Brown 3298851d05 Fix alignment of PSA defines
When these names were changed, the definition got misaligned with the
rest of the fields.  Fix this alignment.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-03-16 10:44:22 -06:00
Gilles Peskine 74a7f93c94 Add BUGS.md
Instructions on how to report a bug.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 12:05:44 +01:00
Gilles Peskine 92042d9bc4 The 2.7 branch is retired
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 12:05:30 +01:00
Gilles Peskine 991bbe7f5e Mention the master branch as well
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 12:05:16 +01:00
Gilles Peskine a23df13e52 Minor presentation improvements
Minor wording improvement and cosmetic formatting improvements.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-16 12:04:44 +01:00
Steven Cooreman f8e45a4e98 Simplify compilation guards around hash driver testing
The hash driver entry points (and consequentially the hash driver core)
are now always compiled on when PSA_CRYPTO_DRIVER_TEST is turned on.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-16 11:07:55 +01:00
Gilles Peskine 01a622a1a4
Merge pull request #4197 from bensze01/psa_ccm_nonce_length
Correct the maximum generated nonce length for CCM
2021-03-16 10:10:41 +01:00
David Brown eed74df1ee Re-order PSA ECC configs
Arrange these to be in alphabetical order.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-03-15 15:53:57 -06:00
David Brown 44bfed596d Update PSA not supported generated data
Update this based on the output of the generator script.  The Brainpool
curves are now supported, since they are spelled properly in the config.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-03-15 15:40:10 -06:00
David Brown 110ea816ca psa: Fix name of BRAINPOOL configs
These should be WANT_ECC_BRAINPOOL_P_... not WANT_ECC_BP_...  Change to
match.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-03-15 15:30:28 -06:00
Ryan LaPointe dbb192d157 Fix inaccurate comment in sample DTLS server
Signed-off-by: Ryan LaPointe <ryan@ryanlapointe.org>
2021-03-15 16:43:27 -04:00