Commit graph

2342 commits

Author SHA1 Message Date
Gilles Peskine 159ebf3b8e
Merge pull request #142 from ARMmbed/psa-metadata_validation
Algorithm and key type encoding validation
2018-09-24 10:38:39 +02:00
Jaeden Amero 3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero 40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine fa764b161b Add curve sizes to ECC curve metadata validation tests 2018-09-20 12:00:21 +02:00
Gilles Peskine 3052f53c37 Add block sizes to HMAC metadata validation tests 2018-09-20 12:00:21 +02:00
Gilles Peskine d9c8260f23 Add dependencies to metadata validation tests
If some algorithms are excluded in the build, it's ok for the corresponding
macros not to give the correct results. Therefore the corresponding test cases
should depend on the implementation of the algorithm. For example, it's ok for
PSA_HASH_MAX_SIZE to be less than PSA_HASH_SIZE(PSA_ALG_SHA_512) if we build
without SHA-512 support, and we indeed do this. It's even ok for an
implementation to return 0 for PSA_ALG_IS_HASH(PSA_ALG_SHA_512) if it doesn't
support SHA-512; we return 1 anyway but the tests are less
implementation-specific if we don't enforce it.

This commit adds dependencies on symbols that don't exist in Mbed TLS,
for algorithms that Mbed TLS doesn't implement. These are:
MBEDTLS_SHA512_256 for SHA-512/256, MBEDTLS_SHA3_C for SHA-3,
MBEDTLS_DSA_C and MBEDTLS_DSA_DETERMINISTIC for DSA, and
MBEDTLS_ECP_DP_xxx_ENABLED for elliptic curves that have a PSA
encoding but are not supported in Mbed TLS.
2018-09-20 12:00:21 +02:00
Gilles Peskine 49cd329908 Key type validation tests
For all key types, validate feature test macros (PSA_KEY_TYPE_IS_xxx).

For asymmetric keys (public key or key pair), validate the
corresponding public/pair type.

For ECC keys, validate GET_CURVE.
2018-09-20 12:00:21 +02:00
Gilles Peskine 17351eb7f2 Algorithm validation tests
For all algorithms, validate feature test macros (PSA_ALG_IS_xxx).

For hash algorithms, validate the exact hash size, and validate
xxx_GET_HASH macros on dependent algorithms.

For MAC algorithms, validate the MAC size. For AEAD algorithms,
validate the tag size.

There is a separate test case for each HMAC algorithm, which is
necessary because each has its own MAC size. For other hash-dependent
algorithms, there is no interesting variation to test here, so only
one hash gets tested.
2018-09-20 12:00:21 +02:00
Gilles Peskine 44fed61e01 Create infrastructure for metadata validation unit tests 2018-09-20 12:00:21 +02:00
Gilles Peskine daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine 821adfe51c Add exercise tests for RSA public keys and for PSS 2018-09-17 14:33:43 +02:00
Gilles Peskine acec7b6fa1 exercise_export_key: fix public key case
Public keys are always exportable, even if their usage doesn't include
the EXPORT flag.
2018-09-17 14:33:43 +02:00
Gilles Peskine 81ba4abb02 Fix bad algorithm and key type values in some tests 2018-09-17 11:20:27 +02:00
itayzafrir 90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir 0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Jaeden Amero c0454a7369 Merge pull request #135 from ARMmbed/export_sanity_tests
Document asymmetric key export formats
2018-09-14 10:02:30 +01:00
Gilles Peskine dea46cf8f1 Clarify comment in test
In RSAPrivateKey, Version is an INTEGER. The version must be 0.
2018-09-14 10:02:29 +01:00
Gilles Peskine 8a1a8f31e3 Add test cases for PEM import
This is not a standard PSA feature, it's an extension provided by the
current implementation.
2018-09-14 10:02:29 +01:00
Gilles Peskine c6290c043e Minor documentation improvements 2018-09-14 10:02:29 +01:00
Gilles Peskine b67f308c4f Fix re-import size in import_export test with non-canonical input 2018-09-14 10:02:29 +01:00
Gilles Peskine ae3d2a2c26 Avoid non-standard C constructs
Don't rely on static initialization of a flexible array member, that's
a GNU extension. The previous code also triggered a Clang warning
"suggest braces around initialization of subobject" (-Wmissing-braces)
for `struct {char a[]} = {"foo"}`.
2018-09-14 10:02:29 +01:00
Gilles Peskine 8f609239d5 Do export sanity checks in import_export as well
This is not useful to validate the implementation when importing
canonical input, which is the case for most import/export test cases,
but it helps validate the sanity checks themselves.
2018-09-14 10:02:29 +01:00
Gilles Peskine dd2f95b855 Improve and augment export sanity checks
Implement sanity checks of exported public keys, using ASN.1 parsing.
Rewrite the sanity checks of key pairs using ASN.1 parsing, so as to
check more things with simpler code.
2018-09-14 10:02:29 +01:00
Jaeden Amero df3b74f168 Merge pull request #125 from ARMmbed/key_slot_index-fix
Fix off-by-one errors in key slot index limits
2018-09-14 10:02:29 +01:00
Gilles Peskine d14664a79b Move export key sanity check from generate to exercise
Move the code to perform sanity checks on the exported key from
generate_key to exercise_key. This way the sanity checks can be
performed after importing or deriving a key as well.

In addition to checking the exported key if its usage allows it, check
the exported public key if the key is asymmetric.
2018-09-14 10:02:29 +01:00
Gilles Peskine 9a05634558 psa_crypto_free: destroy the last slot
The last slot in the array was not freed due to an off-by-one error.

Amend the fill_slots test to serve as a non-regression test for this
issue: without this bug fix, it would cause a memory leak.
2018-09-14 10:02:29 +01:00
Gilles Peskine 996deb18cc Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.

Add a non-regression test.
2018-09-14 10:02:29 +01:00
Gilles Peskine c32f0304db Fix bad key type constant that worked by accident 2018-09-14 10:02:29 +01:00
Darryl Green 10ccc641ac Add missing dependencies on MBEDTLS_ECDSA_C 2018-09-14 10:02:28 +01:00
Darryl Green efb52d53bf Add missing dependency on MBEDTLS_PKCS1_V15 2018-09-14 10:02:28 +01:00
Darryl Green 77b33b2926 Add missing dependencies on MBEDTLS_SHA256_C 2018-09-14 10:02:28 +01:00
Darryl Green 9c862253cc Add handling for zero-length buffers in tests
The buffer can be NULL if the length is zero, so we only check it's not NULL if the length is nonzero
2018-09-14 10:02:28 +01:00
Jaeden Amero 80e317af15 all.sh: Test the Mbed Crypto exporter
Ensure that the exporter creates a "crypto" folder where "make test"
runs and passes. Ensure that cleanup also runs without error.
2018-09-12 16:50:07 +03:00
Jaeden Amero 22e232ec04 Merge pull request #109 from ARMmbed/IAR-feature-psa
Ensure release testing job passes IAR tests
2018-09-12 16:50:07 +03:00
Gilles Peskine 9f900a8b25 Merge pull request #105 from ARMmbed/psa-derive_hkdf
PSA key derivation: simple-ish interface, HKDF
2018-09-12 16:50:07 +03:00
Gilles Peskine 08542d8037 Fix psa_generator_import_key for DES
In psa_generator_import_key, if generating a DES or 3DES key, set the
parity bits.

Add tests for deriving a DES key. Also test deriving an AES key while
I'm at it.
2018-09-12 16:50:07 +03:00
Gilles Peskine d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine 0386fbaa70 Key derivation: test deriving a key from the KDF output 2018-09-12 16:48:24 +03:00
Gilles Peskine f24af9602f Key derivation with HKDF: add a few negative tests 2018-09-12 16:45:46 +03:00
Gilles Peskine 96ee5c70b9 HKDF: positive tests 2018-09-12 16:45:45 +03:00
Gilles Peskine ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Moran Peker f2ffdb87f6 Fix generate_key and hash_setup tests vectors
-Add depends_on MBEDTLS_CIPHER_MODE_CTR for CTR test_suite_psa_crypto
-Change bad type/hash alg parameter to *_CATEGORY_*
2018-09-12 16:41:12 +03:00
Moran Peker cb088e7059 Replace ssize_t by ptrdiff_t
ssize_t is a POSIX thing, not standard C
2018-09-12 16:41:12 +03:00
Gilles Peskine 731606c580 Add OAEP tests with non-empty labels 2018-09-12 16:41:12 +03:00
Gilles Peskine b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine 55c94dd500 Asymmetric encrypt/decrypt tests: check output length
In asymmetric_encrypt_decrypt, use the buffer size advertized by the
library for the ciphertext, and the length of the plaintext for the
re-decrypted output.

Test the output length if known. Require it to be 0 on error for
encrypt/decrypt functions. If the output length is unknown, test at
least that it's within the buffer limits.
2018-09-12 16:41:12 +03:00
Gilles Peskine 6842812188 Asymmetric encryption tests: allow label argument
Add a label argument to all asymmetric encryption test functions
(currently empty in all tests, but that will change soon).

In asymmetric_encrypt and asymmetric_decrypt, with an empty label,
test with both a null pointer and a non-null pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine 072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine 71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine f64ee8a7f1 Fix "unknown MAC algorithm" to actually use a MAC algorithm 2018-09-12 16:41:12 +03:00