In multipart cipher tests, test that each step of psa_cipher_update
produces output of the expected length. The length is hard-coded in
the test data since it depends on the mode.
The length of the output of psa_cipher_finish is effectively tested
because it's the total output length minus the length produced by the
update steps.
Test data obtained with Python+PyCrypto:
AES.new(key, mode=AES.MODE_CTR, counter=Crypto.Util.Counter.new(128, initial_value=0x2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a)).encrypt(plaintext.decode('hex')).encode('hex')
The output length can be equal to the input length.
This wasn't noticed at runtime because we happened to only test with
CBC with the first chunk being a partial block.
Some calls to psa_cipher_finish or psa_cipher_update append to a
buffer. Several of these calls were not calculating the offset into
the buffer or the remaining buffer size correctly.
This did not lead to buffer overflows before because the buffer sizes
were sufficiently large for our test inputs. This did not lead to
incorrect output when the test was designed to append but actually
wrote too early because all the existing test cases either have no
output from finish (stream cipher) or have no output from update (CBC,
with less than one block of input).
The test function pkcs1_rsaes_v15_encrypt gets its fake-random input
for padding from a test parameter. In one test case, the parameter was
too short, causing a fallback to rand(). The reference output depends
on this random input, so the test data was correct only for a platform
with one particular rand() implementation. Supply sufficient
fake-random input so that rand() isn't called.
Check generator validity (i.e. that alg has been initialized) before
allowing reads from the generator or allowing reads of the generator's
capacity.
This aligns our implementation with the documented error code behavior
in our crypto.h and the PSA Crypto API.
- Populate the ECDH private key slot with a fresh private EC key
designated for the correct algorithm.
- Export the public part of the ECDH private key from PSA and
reformat it to suite the format of the ClientKeyExchange message.
- Perform the PSA-based ECDH key agreement and store the result
as the premaster secret for the connection.
- Reformat the server's ECDH public key to make it suitable
for the PSA key agreement API. Currently, the key agreement
API needs a full SubjectPublicKeyInfo structure, while the
TLS ServerKeyExchange message only contains a ECPoint structure.
This is the first in a series of commits adding client-side
support for PSA-based ECDHE.
Previously, the state of an ECDHE key agreement was maintained
in the field mbedtls_ssl_handshake_params::ecdh_ctx, of type
::mbedtls_ecdh_context and manipulated through the ECDH API.
The ECDH API will be superseeded by the PSA Crypto API for key
agreement, which needs the following data:
(a) A raw buffer holding the public part of the key agreement
received from our peer.
(b) A key slot holding the private part of the key agreement.
(c) The algorithm to use.
The commit adds fields to ::mbedtls_ssl_handshake_params
representing these three inputs to PSA-based key agreement.
Specifically, it adds a field for the key slot holding the
ECDH private key, a field for the EC curve identifier, and
a buffer holding the peer's public key.
Note: Storing the peer's public key buffer is slightly
inefficient, as one could perform the ECDH computation
as soon as the peer sends its public key, either working
with in-place or using a stack-buffer to reformat the
public key before passing it to PSA. This optimization
is left for a later commit.
PSA spec now defines more generic PSA storage types instead of the ITS
specific ones. This is necessary in order to integrate with
the newer implementation of PSA ITS landing in Mbed OS soon.
Changes include the following:
- psa_status_t replaces psa_its_status_t
- psa_storage_info_t replaces psa_its_info_t
- psa_storage_uid_t replaces psa_its_uid_t
