Commit graph

8294 commits

Author SHA1 Message Date
Gilles Peskine 1dfb1ba684 Add a test case for key agreement with a following KDF
There was no test case of ECDH with anything other than
PSA_ALG_SELECT_RAW. Exercise the code path from ECDH through a
"proper" KDF.

ECDH shared secret copied from an existing test, HKDF output
calculated with Cryptodome.
2018-11-16 16:09:27 +01:00
Gilles Peskine 346797d7b9 Add missing cleanup on failure in psa_key_agreement
If psa_key_derivation_internal() fails, it's up to the caller to clean
up. Do this, and add a note at the top of
psa_key_derivation_internal() and its auxiliary functions.

There is no non-regression test because at the moment the only way to
trigger an error is a borderline low-memory condition and we don't
have the means to trigger this.
2018-11-16 16:09:27 +01:00
Gilles Peskine a05219c70b Add some missing compilation guards
Add missing checks for defined(MBEDTLS_MD_C) around types and
functions that require it (HMAC, HKDF, TLS12_PRF).

Add missing checks for defined(MBEDTLS_ECDSA_DETERMINISTIC) around
code that calls mbedtls_ecdsa_sign_det().

Add missing checks for defined(MBEDTLS_ECDH_C) around ECDH-specific
functions.
2018-11-16 16:09:24 +01:00
Hanno Becker 353e45361d Don't call memcpy() with 0-length arguments
The standard prohibits calling memcpy() with NULL pointer
arguments, even if the size argument is 0.

The TLS-1.2 PRF generator setup function previously called
memcpy() with the label and salt as the source, even if
they were of length 0, as exercised by the derive_key_policy
test case in the PSA crypto test suite.

This commit adds guards around the memcpy() calls so that they
are only executed of salt or label have positive length, respectively.
2018-11-16 11:24:59 +00:00
Hanno Becker 3b339e2342 Simplify psa_generator_tls12_prf_generate_next_block() 2018-11-16 11:24:59 +00:00
Hanno Becker 580fba1431 Dynamically allocate A(i) + seed buffer for TLS-1.2 PRF 2018-11-16 11:24:59 +00:00
Hanno Becker 24658c4ba1 Add test vectors for TLS 1.2 PRF
Taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
2018-11-16 11:24:59 +00:00
Hanno Becker c8a41d71cb Add implementation of TLS-1.2 PRF 2018-11-16 11:24:55 +00:00
Hanno Becker 79250c255f Add identifiers for TLS-1.2 PRF
This commit adds KDF algorithm identifiers `PSA_ALG_TLS12_PRF(HASH)`
to the PSA crypto API. They represent the key derivation functions
used by TLS 1.2 for the PreMasterSecret->MasterSecret and
MasterSecret->KeyBlock conversions.
2018-11-16 11:12:01 +00:00
Jaeden Amero ab81a6c312
Merge pull request #151 from ARMmbed/psa-key_agreement-ecdh
Key agreement: basic framework and ECDH
2018-11-16 10:23:09 +00:00
Gilles Peskine 99d0259987 Improve documentation the shared secret format for FFDH 2018-11-15 17:48:15 +01:00
Gilles Peskine d171e78b46 Document the peer_key format for psa_key_agreement 2018-11-15 17:48:15 +01:00
Gilles Peskine 6c6a023f99 More tweaks on EC-related wording
Use m for the bit size of the field order, not q which is
traditionally the field order.

Correct and clarify the private key representation format as has been
done for the private key and ECDH shared secret formats.
2018-11-15 17:48:15 +01:00
Gilles Peskine 7b5b4a01a4 Correct description of the ECDH shared secret
The endianness actually depends on the curve type.

Correct the terminology around "curve size" and "order of the curve".
I tried to find a formulation that is comprehensible to programmers
who do not know the underlying mathematics, but nonetheless correct
and precise.

Use similar terminology in other places that were using "order of the
curve" to describe the bit size associated with the curve.
2018-11-14 21:17:16 +01:00
Gilles Peskine b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine c7998b78b8 Factor common code into key_agreement_with_self 2018-11-14 21:17:16 +01:00
Gilles Peskine f5f442a50c More accurate description of the shared secret for ECDH
Don't refer to the "curve size", call it the "size of the order of the
curve".
2018-11-14 21:17:16 +01:00
Gilles Peskine 88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine 714e16b37a Add import/export test of EC public key 2018-11-14 21:17:16 +01:00
Gilles Peskine 3ec8ed8b51 Add multipart key agreement tests
Add test cases that do key agreement with raw selection in pieces, to
validate that selection works even when the application doesn't read
everything in one chunk.
2018-11-14 21:15:37 +01:00
Gilles Peskine bf49197c9b key_agreement_capacity: test the actual capacity as well
After testing that the advertized capacity is what the test data says,
read that many bytes to test that this is also actual capacity.
2018-11-14 21:15:37 +01:00
Gilles Peskine 10df341436 Factor usage_to_exercise into its own function 2018-11-14 21:15:37 +01:00
Gilles Peskine fc411f1ac1 Use ASSERT_ALLOC in key agreement tests 2018-11-14 21:15:37 +01:00
Gilles Peskine 211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine 79dd6229e4 Clarify the format of the (EC)DH shared secret 2018-11-14 21:15:37 +01:00
Gilles Peskine 2607bca666 Give "DH" and "DHM" as alternative names
Be consistent about calling it just "Diffie-Hellman", except once
where I state that "Diffie-Hellman-Merkle" is an alternative name.
2018-11-14 21:15:37 +01:00
Gilles Peskine 1d7c082124 Fix a memory leak in a test 2018-11-14 21:15:37 +01:00
Gilles Peskine b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine 5968559a9c Key agreement test functions 2018-11-14 21:15:37 +01:00
Gilles Peskine 01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine 8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine 751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine 93098fd996 Key agreement: macros for finite-field Diffie-Hellman, ECDH
Declare macros to represent key agreement algorithms.
2018-11-14 21:15:37 +01:00
Gilles Peskine e8f0e3dc3c New algorithm category: key selection
A key selection algorithm is similar to a key derivation algorithm in
that it takes a secret input and produces a secret output stream.
However, unlike key derivation algorithms, there is no expectation
that the input cannot be reconstructed from the output. Key selection
algorithms are exclusively meant to be used on the output of a key
agreement algorithm to select chunks of the shared secret.
2018-11-14 21:15:37 +01:00
Gilles Peskine 92587dbf2b Write missing bit of the documentation of psa_key_derivation 2018-11-14 21:15:37 +01:00
Jaeden Amero c11be0943e
Merge pull request #196 from ARMmbed/psa-remove-rsa_get_bitlen-2
remove mbedtls_rsa_get_bitlen
2018-11-13 17:55:14 +00:00
Gilles Peskine e19b7d54d0 Revert "New function mbedtls_rsa_get_bitlen"
This reverts commit 1d26709dbd.
2018-11-12 19:14:34 +01:00
Gilles Peskine 64a43ce48e Revert "fixup! New function mbedtls_rsa_get_bitlen"
This reverts commit c939f6fcba.
2018-11-12 19:14:34 +01:00
Gilles Peskine 86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Gilles Peskine 9eaab02607
Merge pull request #193 from ARMmbed/dev/Patater/fix-snprintf-truncation
psa: test: Fix truncation of message by snprintf
2018-11-08 18:56:58 +01:00
Jaeden Amero 594a330eb7 psa: test: Fix truncation of message by snprintf
We had only allocated 40 bytes for printing into, but we wanted to print 46
bytes. Update the buffer to be 47 bytes, which is large enough to hold what
we want to print plus a terminating null byte.
2018-11-08 17:32:45 +00:00
Jaeden Amero db2717b091
Merge pull request #192 from ARMmbed/psa-fix-curves-20181108
Fix curves.pl
2018-11-08 10:06:55 +00:00
Gilles Peskine 728944718a Fix a test case with incorrect dependency
Simplify the test case "PSA export a slot after a failed import of an
EC keypair": use an invalid private value for the specified curve. Now
the dependencies match the test data, so this fixes curves.pl.
2018-11-08 10:00:08 +01:00
Jaeden Amero 30b90cb406
Merge pull request #175 from ARMmbed/coverage_tests
add tests that increase key slot management code coverage slightly
2018-11-07 16:59:17 +00:00
Moran Peker ce50007f90 Add tests of using cipher in bad state cases
- cipher setup after import key failure.
- cipher setup after set key policy but no key material
creation.
2018-11-07 16:20:07 +02:00
Moran Peker 3455009116 Add tests that check export failures after illegal behavior
- export a key after import key failure.
- export a key after the key was destroyed.
- export a key after set key policy but no key material
creation.
2018-11-07 16:19:34 +02:00
Moran Peker 28a38e6e38 Add tests that checks key management corner cases
- import a key into a non empty key slot.
- export a key from invalid slot number.
2018-11-07 16:18:24 +02:00
Jaeden Amero 0d1caacf55
Merge pull request #189 from ARMmbed/psa-fix-asymmetric_apis_coverage-test_data
Fix test data in an old format
2018-11-06 16:07:51 +00:00