Commit graph

1374 commits

Author SHA1 Message Date
Jaeden Amero 40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine 81ba4abb02 Fix bad algorithm and key type values in some tests 2018-09-17 11:20:27 +02:00
itayzafrir 90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir 0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Jaeden Amero c0454a7369 Merge pull request #135 from ARMmbed/export_sanity_tests
Document asymmetric key export formats
2018-09-14 10:02:30 +01:00
Gilles Peskine dea46cf8f1 Clarify comment in test
In RSAPrivateKey, Version is an INTEGER. The version must be 0.
2018-09-14 10:02:29 +01:00
Gilles Peskine 8a1a8f31e3 Add test cases for PEM import
This is not a standard PSA feature, it's an extension provided by the
current implementation.
2018-09-14 10:02:29 +01:00
Gilles Peskine c6290c043e Minor documentation improvements 2018-09-14 10:02:29 +01:00
Gilles Peskine b67f308c4f Fix re-import size in import_export test with non-canonical input 2018-09-14 10:02:29 +01:00
Gilles Peskine ae3d2a2c26 Avoid non-standard C constructs
Don't rely on static initialization of a flexible array member, that's
a GNU extension. The previous code also triggered a Clang warning
"suggest braces around initialization of subobject" (-Wmissing-braces)
for `struct {char a[]} = {"foo"}`.
2018-09-14 10:02:29 +01:00
Gilles Peskine 8f609239d5 Do export sanity checks in import_export as well
This is not useful to validate the implementation when importing
canonical input, which is the case for most import/export test cases,
but it helps validate the sanity checks themselves.
2018-09-14 10:02:29 +01:00
Gilles Peskine dd2f95b855 Improve and augment export sanity checks
Implement sanity checks of exported public keys, using ASN.1 parsing.
Rewrite the sanity checks of key pairs using ASN.1 parsing, so as to
check more things with simpler code.
2018-09-14 10:02:29 +01:00
Jaeden Amero df3b74f168 Merge pull request #125 from ARMmbed/key_slot_index-fix
Fix off-by-one errors in key slot index limits
2018-09-14 10:02:29 +01:00
Gilles Peskine d14664a79b Move export key sanity check from generate to exercise
Move the code to perform sanity checks on the exported key from
generate_key to exercise_key. This way the sanity checks can be
performed after importing or deriving a key as well.

In addition to checking the exported key if its usage allows it, check
the exported public key if the key is asymmetric.
2018-09-14 10:02:29 +01:00
Gilles Peskine 9a05634558 psa_crypto_free: destroy the last slot
The last slot in the array was not freed due to an off-by-one error.

Amend the fill_slots test to serve as a non-regression test for this
issue: without this bug fix, it would cause a memory leak.
2018-09-14 10:02:29 +01:00
Gilles Peskine 996deb18cc Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.

Add a non-regression test.
2018-09-14 10:02:29 +01:00
Gilles Peskine c32f0304db Fix bad key type constant that worked by accident 2018-09-14 10:02:29 +01:00
Darryl Green 10ccc641ac Add missing dependencies on MBEDTLS_ECDSA_C 2018-09-14 10:02:28 +01:00
Darryl Green efb52d53bf Add missing dependency on MBEDTLS_PKCS1_V15 2018-09-14 10:02:28 +01:00
Darryl Green 77b33b2926 Add missing dependencies on MBEDTLS_SHA256_C 2018-09-14 10:02:28 +01:00
Darryl Green 9c862253cc Add handling for zero-length buffers in tests
The buffer can be NULL if the length is zero, so we only check it's not NULL if the length is nonzero
2018-09-14 10:02:28 +01:00
Jaeden Amero 22e232ec04 Merge pull request #109 from ARMmbed/IAR-feature-psa
Ensure release testing job passes IAR tests
2018-09-12 16:50:07 +03:00
Gilles Peskine 9f900a8b25 Merge pull request #105 from ARMmbed/psa-derive_hkdf
PSA key derivation: simple-ish interface, HKDF
2018-09-12 16:50:07 +03:00
Gilles Peskine 08542d8037 Fix psa_generator_import_key for DES
In psa_generator_import_key, if generating a DES or 3DES key, set the
parity bits.

Add tests for deriving a DES key. Also test deriving an AES key while
I'm at it.
2018-09-12 16:50:07 +03:00
Gilles Peskine d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine 0386fbaa70 Key derivation: test deriving a key from the KDF output 2018-09-12 16:48:24 +03:00
Gilles Peskine f24af9602f Key derivation with HKDF: add a few negative tests 2018-09-12 16:45:46 +03:00
Gilles Peskine 96ee5c70b9 HKDF: positive tests 2018-09-12 16:45:45 +03:00
Gilles Peskine ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Moran Peker f2ffdb87f6 Fix generate_key and hash_setup tests vectors
-Add depends_on MBEDTLS_CIPHER_MODE_CTR for CTR test_suite_psa_crypto
-Change bad type/hash alg parameter to *_CATEGORY_*
2018-09-12 16:41:12 +03:00
Moran Peker cb088e7059 Replace ssize_t by ptrdiff_t
ssize_t is a POSIX thing, not standard C
2018-09-12 16:41:12 +03:00
Gilles Peskine 731606c580 Add OAEP tests with non-empty labels 2018-09-12 16:41:12 +03:00
Gilles Peskine b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine 55c94dd500 Asymmetric encrypt/decrypt tests: check output length
In asymmetric_encrypt_decrypt, use the buffer size advertized by the
library for the ciphertext, and the length of the plaintext for the
re-decrypted output.

Test the output length if known. Require it to be 0 on error for
encrypt/decrypt functions. If the output length is unknown, test at
least that it's within the buffer limits.
2018-09-12 16:41:12 +03:00
Gilles Peskine 6842812188 Asymmetric encryption tests: allow label argument
Add a label argument to all asymmetric encryption test functions
(currently empty in all tests, but that will change soon).

In asymmetric_encrypt and asymmetric_decrypt, with an empty label,
test with both a null pointer and a non-null pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine 072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine 71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine f64ee8a7f1 Fix "unknown MAC algorithm" to actually use a MAC algorithm 2018-09-12 16:41:12 +03:00
Gilles Peskine ef0cb40736 Fix bug in exercise_mac_key that almost always broke the SIGN case
That case isn't used in the test suite yet.
2018-09-12 16:41:12 +03:00
Gilles Peskine f969b3ac74 Change a generate_key test to exercise with PSS
This required tweaking exercise_signature_key to use a payload size
for the signature based on the algorithm, since our implementation of
PSS requires that the input size matches the hash size. This would
also be the case for PKCS#1 v1.5 with a specified hash.
2018-09-12 16:41:11 +03:00
Gilles Peskine 1c211b3e01 Fix some test dependencies
* No test depends on MBEDTLS_PK_C except via MBEDTLS_PK_PARSE_C, so
  remove MBEDTLS_PK_C and keep only MBEDTLS_PK_PARSE_C.
* Add MBEDTLS_PK_WRITE_C for pk export tests.
* Add MBEDTLS_GENPRIME for RSA key generation tests.
* Add dependencies to AEAD tests.
* Add missing dependencies to many RSA tests.
2018-09-12 16:41:11 +03:00
Gilles Peskine 66763a008a asymmetric_decrypt test: remove redundant argument
The expected output size is the size of the expected output, it
doesn't need to be passed separately.
2018-09-12 16:41:11 +03:00
Gilles Peskine d00444cf33 Improve test coverage of PKCS#1 v1.5 encrypt/decrypt
* Add a test for decryption with invalid padding.
* Add a test for encryption with input too large.
* In negative tests, pass input whose length matches the key length,
  unless that's what the test is about.
2018-09-12 16:41:11 +03:00
Gilles Peskine fe11951c16 Rename psa cipher functions to psa_cipher_xxx
Make function names for multipart operations more consistent (cipher
edition).

Rename symmetric cipher multipart operation functions so that they all
start with psa_cipher_:

* psa_encrypt_setup -> psa_cipher_encrypt_setup
* psa_decrypt_setup -> psa_cipher_decrypt_setup
* psa_encrypt_set_iv -> psa_cipher_set_iv
* psa_encrypt_generate_iv -> psa_cipher_generate_iv
2018-09-12 16:41:11 +03:00
Gilles Peskine 365b984e38 Add asymmetric_verify tests with public keys
Change most asymmetric_verify to use public keys (they were all using
key pairs before). Keep one test with an RSA key pair and one with an
EC key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine 656896e4c3 Add positive asymmetric encryption tests
Revise the test function asymmetric_encrypt_fail into
asymmetric_encrypt and use it for positive tests as well. Get the
expected output length from PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE. Check
the actual output length against test data.

Add positive test cases for encryption: one with an RSA public
key (this is the only test for encryption with a public key rather
than a key pair) and one with a key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine 89167cb597 Split psa_mac_setup -> psa_mac_{sign,verify}_setup
Make function names for multipart operations more consistent (MAC
setup edition).

Split psa_mac_setup into two functions psa_mac_sign_setup and
psa_mac_verify_setup. These functions behave identically except that
they require different usage flags on the key. The goal of the split
is to enforce the key policy during setup rather than at the end of
the operation (which was a bit of a hack).

In psa_mac_sign_finish and psa_mac_verify_finish, if the operation is
of the wrong type, abort the operation before returning BAD_STATE.
2018-09-12 16:41:11 +03:00
Gilles Peskine 6b530867e4 Test importing a key pair as a public key and vice versa 2018-09-12 16:41:11 +03:00
Gilles Peskine acd4be36fa Rename psa_mac_{finish,verify} -> psa_mac_{sign,verify}_finish
Make function names for multipart operations more consistent (MAC
finish edition).
2018-09-12 16:41:11 +03:00