Commit graph

2551 commits

Author SHA1 Message Date
Gilles Peskine 178c9aa966 Key derivation: forbid output_key without input_key
If none of the inputs to a key derivation is a
PSA_KEY_DERIVATION_INPUT_SECRET passed with
psa_key_derivation_input_key(), forbid
psa_key_derivation_output_key(). It usually doesn't make sense to
derive a key object if the secret isn't itself a proper key.
2019-09-24 18:39:03 +02:00
Gilles Peskine 1a2904c49a derive_input test function: Try output afterwards
After passing some inputs, try getting one byte of output, just to
check that this succeeds (for a valid sequence of inputs) or fails
with BAD_STATE (for an invalid sequence of inputs). Either output a
1-byte key or a 1-byte buffer depending on the test data.

The test data was expanded as follows:
* Output key type (or not a key): same as the SECRET input if success
  is expected, otherwise NONE.
* Expected status: PSA_SUCCESS after valid inputs, BAD_STATE after any
  invalid input.
2019-09-24 18:39:03 +02:00
Gilles Peskine 2058c07724 derive_input test function: More logical parameter order
No behavior change.
2019-09-24 18:39:03 +02:00
Gilles Peskine b8965193a0 Use the constant PSA_KEY_TYPE_NONE rather than 0
No behavior change, just a readability improvement.
2019-09-24 18:39:03 +02:00
Gilles Peskine 593773d9f2 Consistently abort key derivation operations on input error 2019-09-24 18:39:03 +02:00
Gilles Peskine 224b0d656a Key derivation: allow both keys and direct inputs
Allow a direct input as the SECRET input step in a key derivation, in
addition to allowing DERIVE keys. This makes it easier for
applications to run a key derivation where the "secret" input is
obtained from somewhere else. This makes it possible for the "secret"
input to be empty (keys cannot be empty), which some protocols do (for
example the IV derivation in EAP-TLS).

Conversely, allow a RAW_DATA key as the INFO/LABEL/SALT/SEED input to a key
derivation, in addition to allowing direct inputs. This doesn't
improve security, but removes a step when a personalization parameter
is stored in the key store, and allows this personalization parameter
to remain opaque.

Add test cases that explore step/key-type-and-keyhood combinations.
2019-09-24 18:39:03 +02:00
Gilles Peskine 6842ba4d7a PSA crypto KDF: test bytes/key input independently of the step type
This commit only makes derive_input more flexible so that the key
derivation API can be tested with different key types and raw data for
each input step. The behavior of the test cases remains the same.
2019-09-24 18:39:03 +02:00
Gilles Peskine 6ddb4d8434 Improve descriptions of derive test cases
Systematically use "PSA key derivation setup" for derive_setup. This
resolves the ambiguity between derive_setup and derive_input calls.
2019-09-24 18:37:19 +02:00
Gilles Peskine 0a048b2833
Merge pull request #270 from gilles-peskine-arm/test_outcome_file-crypto-fix
Fix test case descriptions
2019-09-24 15:54:54 +02:00
Ron Eldor af7724e985 Fix endianity issue when reading uint32
The uint32 is given as a bigendian stream, in the tests, however,
the char buffer that collected the stream read it as is,
without converting it. Add a temporary buffer, to call `greentea_getc()`
8 times, and then put it in the correct endianity for input to `unhexify()`.
2019-09-24 11:23:15 +03:00
Ron Eldor 635888b287 Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-24 11:22:51 +03:00
Ron Eldor 6fd1aa050e Increase test suite timeout
Increase the test suite timeouit from 180 seconds, to 800 seconds,
since some tests consume more time, even if all tests are skipped.
2019-09-24 11:22:23 +03:00
Ron Eldor 5b8f120fca Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-09-24 11:22:04 +03:00
Ron Eldor fdc15bd581 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-09-24 11:21:36 +03:00
Ron Eldor 58e3f69dd3 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-24 11:21:21 +03:00
Gilles Peskine 7e88e13d94 Test data: replace "::" by ":"
The current test generator code accepts multiple colons as a
separator, but this is just happenstance due to how the code, it isn't
robust. Replace "::" by ":", which is more future-proof and allows
simple separator-based navigation.
2019-09-20 16:01:59 +02:00
Gilles Peskine efa2ac879d Uniquify test case descriptions
Make check-test-cases.py pass.

Prior to this commit, there were many repeated test descriptions, but
none with the same test data and dependencies and comments, as checked
with the following command:

    for x in tests/suites/*.data; do perl -00 -ne 'warn "$ARGV: $. = $seen{$_}\n" if $seen{$_}; $seen{$_}=$.' $x; done

Wherever a test suite contains multiple test cases with the exact same
description, add " [#1]", " [#2]", etc. to make the descriptions
unique. We don't currently use this particular arrangement of
punctuation, so all occurrences of " [#" were added by this script.

I used the following ad hoc code:

import sys

def fix_test_suite(data_file_name):
    in_paragraph = False
    total = {}
    index = {}
    lines = None
    with open(data_file_name) as data_file:
        lines = list(data_file.readlines())
        for line in lines:
            if line == '\n':
                in_paragraph = False
                continue
            if line.startswith('#'):
                continue
            if not in_paragraph:
                # This is a test case description line.
                total[line] = total.get(line, 0) + 1
                index[line] = 0
            in_paragraph = True
    with open(data_file_name, 'w') as data_file:
        for line in lines:
            if line in total and total[line] > 1:
                index[line] += 1
                line = '%s [#%d]\n' % (line[:-1], index[line])
            data_file.write(line)

for data_file_name in sys.argv[1:]:
    fix_test_suite(data_file_name)
2019-09-20 15:59:31 +02:00
Gilles Peskine 44393c81aa psa_crypto: Add an ECDH+HKDF test with longer output
A test case for 32+0 was present three times, evidently overeager
copy-paste. Replace the duplicates by test cases that read more than
32 bytes, which exercises HKDF a little more (32 bytes is significant
because HKDF-SHA-256 produces output in blocks of 32 bytes).

I obtained the test data by running our implementation, because we're
confident in our implementation now thanks to other test cases: this
data is useful as a non-regression test.
2019-09-20 15:59:28 +02:00
Gilles Peskine d9be186a39 psa_crypto: Fix OAEP test
There's a SHA256 test without a label and one with a label, so do the
same for SHA384.
2019-09-20 15:59:24 +02:00
Gilles Peskine d17cf9d0c4 psa_crypto: Remove duplicate test case
Nothing seems to be missing in its stead.
2019-09-20 15:59:17 +02:00
Gilles Peskine 52c7d998af psa_crypto_se_driver_hal: Fix copypasta in test cases
Before: say CCM twice, do GCM twice.
After: say CCM and do CCM, then say GCM and do GCM.
2019-09-20 15:59:00 +02:00
Gilles Peskine f3eddd68bb pkcs1_v21: Fix copypasta in test case
There should have been a good-saltlen test case and a bad-saltlen test
case for both sizes 522 and 528, but the 522-bad-saltlen test case was
missing and the 528-good-saltlen test case was repeated. Fix this.
2019-09-20 15:58:54 +02:00
Gilles Peskine c5dce20b4e cipher.nist_kw: Fix duplicate test case
There are two test vectors in RFC 5649. There was only one in our test
suite, run twice. Put the second test vector instead of repeating the
first.
2019-09-20 15:58:48 +02:00
Gilles Peskine bfcb69cd5c blowfish: Fix encrypt test case that should have been decrypt
Test vector #15 was encrypted twice. Decrypt it the second time.
2019-09-20 15:58:36 +02:00
Gilles Peskine e07960cf40 aria: Remove duplicate test cases
No data seems to be missing, just some duplicated cases, perhaps due
to naming inconsistencies "ECB_Xxcrypt" vs "ECB Xxcrypt" which I also
fixed.
2019-09-20 15:58:27 +02:00
Gilles Peskine 95758f8d61 *.data: remove semicolons from test case descriptions
Don't use semicolons in test case descriptions. The test outcome file
is a semicolon-separated CSV file without quotes to keep things
simple, so fields in that file may not contain semicolons.
2019-09-19 15:26:57 +02:00
Gilles Peskine a291413a1e
Merge pull request #257 from gilles-peskine-arm/psa-remove_zero_length_keys
Forbid zero-length keys
2019-09-19 13:07:41 +02:00
Gilles Peskine 51dcc24998 Test outcome file support: test suites
If the environment variable MBEDTLS_TEST_OUTCOME_FILE is set, then for
each test case, write a line to the file with the given name, of the
form

    PLATFORM;CONFIGURATION;TEST SUITE;TEST CASE DESCRIPTION;PASS/FAIL/SKIP;CAUSE

PLATFORM and CONFIGURATION come from the environment variables
MBEDTLS_TEST_PLATFORM and MBEDTLS_TEST_CONFIGURATION.

Errors while writing the test outcome file are not considered fatal,
and are not reported except for an error initially opening the file.
This is in line with other write errors that are not checked.
2019-09-18 17:44:29 +02:00
Gilles Peskine 47b7540fec Give a type name to test_info
Make it possible to pass test_info around rather than always refer to the
global variable.
2019-09-18 17:44:29 +02:00
Gilles Peskine 31fccc80a5 Fix typo in message 2019-09-18 17:44:29 +02:00
Gilles Peskine 3c1c8ea3e7 Prefer unsigned types for non-negative numbers
Use size_t for some variables that are array indices.
Use unsigned for some variables that are counts of "small" things.
2019-09-18 17:44:29 +02:00
Jaeden Amero 914a5071b4 Bump Mbed TLS version to 2.19.1 2019-09-18 13:42:36 +01:00
Hanno Becker 6dfa665398 X.509: Add numerous negative parsing tests for CertificatePolicy ext
This commit adds multiple test cases to the X.509 CRT parsing test suite
exercising the stack's behaviour when facing CertificatePolicy extensions
that are malformed for a variety of reasons. It follows the same scheme
as in other negative parsing tests: For each ASN.1 component, have test
cases for (a) unexpected tag, (b) missing length, (c) invalid length
encoding, (d) length out of bounds.
2019-09-17 13:10:42 +01:00
Hanno Becker c15ff98455 X.509: Adapt negative parsing test for no data in CrtPolicy ext
This commit modifies the test

   X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, data missing)

which exercises the behaviour of the X.509 CRT parser when facing a
CertificatePolicy extension with empty data field.

The following adaptations are made:
- The subject ID and issuer ID are modified to have length 0.
  The previous values `aa` and `bb` are OK, but a generic ASN.1
  parser will try to interpret them as ASN.1 tags and fail. For
  maintainability, it's therefore better to use something that
  can be parsed as ASN.1, and an empty ID is the easiest solution
  here.
- The TBS part of the certificate wasn't followed by signature
  algorithm and signature fields, which makes the test incompatible
  with future changes swapping to breadth-first parsing of
  certificates.
2019-09-17 13:10:42 +01:00
Hanno Becker 7b8330a9c7 X.509: Move negative tests for CertificatePolicy parsing
This commit moves the X.509 negative parsing tests for the
CertificatePolicy extension to the place where negative
testing of other extensions happens.
2019-09-17 13:10:42 +01:00
Hanno Becker 82a1fe5fcc X.509: Remove CRT policy parsing test 'bool len missing'
Judging from its name, the purpose of the test

   TBSCertificate v3, ext CertificatePolicies tag, bool len missing

in test_suite_x509parse.data is to exercise the X.509 parsing stack's
behaviour when parsing a CertificatePolicy extension which lacks the
length field of the boolean 'Criticality' value.

However, the test fails at an earlier stage due to a mismatch of inner
and outer length of the explicit ASN.1 extensions structure.

Since we already have tests exercising

- mismatch of inner and outer length in the extensions structure, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, inner tag invalid)'
- missing length of the 'Criticality' field in an extension, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, critical length missing)'

and since for both tests there's no relevance to the use of the
policy extension OID, the test

  'TBSCertificate v3, ext CertificatePolicies tag, bool len missing'

can be dropped.
2019-09-17 13:10:42 +01:00
k-stachowiak 9b88efc378 Check len against buffers size upper bound in PSA tests 2019-09-13 15:26:53 +02:00
Gilles Peskine 89cc74f447 Fix signature size checks in psa_asymmetric_verify for RSA
The signature must have exactly the same length as the key, it can't
be longer. Fix #258

If the signature doesn't have the correct size, that's an invalid
signature, not a problem with an output buffer size. Fix the error code.

Add test cases.
2019-09-13 11:39:11 +02:00
Gilles Peskine 4019f0e914 Immediately reject 0-size signature buffer when signing
In psa_asymmetric_sign, immediately reject an empty signature buffer.
This can never be right.

Add test cases (one RSA and one ECDSA).

Change the SE HAL mock tests not to use an empty signature buffer.
2019-09-12 22:05:59 +02:00
Gilles Peskine 043b281714 Add a few test cases for non-byte-aligned raw data keys
Add tests for derivation.

Test both 7 bits and 9 bits, in case the implementation truncated the
bit size down and 7 was rejected as 0 rather than because it isn't a
multiple of 8.

There is no corresponding test for import because import determines
the key size from the key data, which is always a whole number of bytes.
2019-09-12 19:05:00 +02:00
Gilles Peskine a782b95806 Add test cases for zero-length keys
Check that zero-length keys cannot be imported, generated or derived.
2019-09-12 19:01:52 +02:00
Gilles Peskine 491181bd9d Remove test cases that use zero-length keys
If there isn't already a test with a raw data key of the now-minimal
length (1 byte), change the test case to a 1-byte key.
2019-09-12 18:50:58 +02:00
Gilles Peskine 2dedcc5989 Change X.509 test cases to not rely on asn1parse limitations
Tweak test data for one test case to not rely on mbedtls_asn1_get_int
lacking support for leading zeros. Instead, use a number that is
actually out of range for int.

Tweak test data for one test case to not rely on
mbedtls_asn1_get_bitstring_null rejecting bitstrings shorter than two
octets. Instead, try bit strings that are genuinely invalid, or have a
nonzero number of unused bits.

Add a test case with a correct empty signature. This is commented out
because asn1parse currently does not support this. Uncomment it when
asn1parse is updated to support this.
2019-09-11 17:23:07 +02:00
Gilles Peskine 2cd8ecc08b New test helper macro ASSERT_ALLOC_WEAK
The new macro ASSERT_ALLOC_WEAK does not fail the test case if the
memory allocation fails. This is useful for tests that allocate a
large amount of memory, but that aren't useful on platforms where
allocating such a large amount is not possible.

Ideally this macro should mark the test as skipped. We don't yet have
a facility for that but we're working on it. Once we have a skip
functionality, this macro should be changed to use it.
2019-09-11 15:46:45 +02:00
Gilles Peskine a902303587 Test mbedtls_asn1_store_named_data 2019-09-11 15:46:45 +02:00
Gilles Peskine 9311cf5093 asn1write: test NULL, OID and AlgorithmIdentifier 2019-09-11 15:46:45 +02:00
Gilles Peskine 91d8d023c2 Fix typo that prevented mbedtls_asn1_write_len tests from running 2019-09-11 15:46:45 +02:00
Gilles Peskine 3f37dca794 asn1write: Test short and large buffers more systematically
Use the test-many-sizes framework for string writes as
well (previously, it was only used for booleans and integers). This
way, more edge cases are tested with less test code.

This commit removes buffer overwrite checks. Instead of these checks,
run the test suite under a memory sanitizer (which we do in our CI).
2019-09-11 15:46:45 +02:00
Gilles Peskine 3a032c36c1 Add test cases for BOOLEANs and INTEGERs
Omit negative integers and MPIs that would result in values that look
like negative INTEGERs, since the library doesn't respect the
specifications there, but fixing it has a serious risk of breaking
interoperability when ASN.1 is used in X.509 and other
cryptography-related applications.
2019-09-11 15:46:44 +02:00
Gilles Peskine 27d806fab4 Add ASN.1 parsing tests
Add self-contained ASN.1 parsing tests, so that ASN.1 parsing is not
solely tested through X.509 and TLS.

The tests cover every function and almost complete line coverage in
asn1parse.c.

A few test cases containing negative and edge case INTEGER values are
deliberately deactivated because the historical library behavior is at
odds with official specifications, but changing the behavior might
break interoperability.

Other than that, these tests revealed a couple of minor bugs which
will be fixed in subsequent commits.
2019-09-11 15:46:44 +02:00
Gilles Peskine 5605591cc1 Report step number when a test case fails
Allow test code to declare a "step number". Report the current step
number when a test fails.
2019-09-11 15:46:44 +02:00
Ron Eldor 5a0f45b61b Modify tests
1. Rephrase test description and move it to the section where
all other same tests are located.
2. Add another test for short key.
2019-09-11 14:09:08 +03:00
Ron Eldor 16cca804fb Add non regression test
Add a test that adds a very long key for an unsupported algorithm.
2019-09-11 10:14:48 +03:00
Hanno Becker bf2dacb8fe Fix memory leak in CSR test suite on failure 2019-09-06 07:44:37 -04:00
Hanno Becker 2fcdd7446e Fix a memory leak in x509write test suite
This leak wasn't discovered by the CI because the only test in
all.sh exercising the respective path enabled the custom memory
buffer allocator implementations of calloc() and free(), hence
bypassing ASan.
2019-09-06 07:44:37 -04:00
Janos Follath 651eac8c5e Make tests use the new deterministic ECDSA function
In preparation of deprecating the old and less secure deterministic
ECDSA signature function we need to remove it from the test. At the
same time, the new function needs to be tested. Modifying the tests
to use the new function achieves both of these goals.
2019-09-05 11:18:58 +01:00
Jaeden Amero c04305f036 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (863 commits)
  crypto_platform: Fix typo
  des: Reduce number of self-test iterations
  Fix -O0 build for Aarch64 bignum multiplication.
  Make GNUC-compatible compilers use the right mbedtls_t_udbl again on Aarch64 builds.
  Add optimized bignum multiplication for Aarch64.
  Enable 64-bit limbs for all Aarch64 builds.
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
  psa: Use application key ID where necessary
  psa: Adapt set_key_id() for when owner is included
  psa: Add PSA_KEY_ID_INIT
  psa: Don't duplicate policy initializer
  crypto_extra: Use const seed for entropy injection
  getting_started: Update for PSA Crypto API 1.0b3
  Editorial fixes.
  Cross reference 'key handles' from INVALID_HANDLE
  Update documentation for psa_destroy_key
  Update documentation for psa_close_key
  Update psa_open_key documentation
  Remove duplicated information in psa_open_key
  Initialize key bits to max size + 1 in psa_import_key
  ...
2019-09-05 11:11:38 +01:00
Jaeden Amero 4013b98df0
Merge pull request #166 from k-stachowiak/IOTCRYPT-440-add-missing-dec_empty_buf-tests
Add missing dec_empty_buf tests
2019-09-04 10:18:11 +01:00
Darryl Green fe997c646b Update library version to 2.19.0 2019-08-30 13:02:16 +01:00
Jaeden Amero 21db2a94a4
Merge pull request #229 from k-stachowiak/IOTCRYPT-791-remove-legacy-psa-key-derivation
Remove legacy psa key derivation
2019-08-29 11:31:23 +01:00
Jaeden Amero 4e0db5642a Merge branch 'mbedtls-2.18' into development
Bring Mbed TLS 2.18.0 and 2.18.1 release changes back into the
development branch. We had branched to release 2.18.0 and 2.18.1 in
order to allow those releases to go out without having to block work on
the `development` branch.

Manually resolve conflicts in the Changelog by moving all freshly addded
changes to a new, unreleased version entry.

Reject changes to include/mbedtls/platform.h made in the mbedtls-2.18
branch, as that file is now sourced from Mbed Crypto.

* mbedtls-2.18:
  platform: Include stdarg.h where needed
  Update Mbed Crypto to contain mbed-crypto#152
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ChangeLog: Enable builds as a CMake subproject
  Remove use of CMAKE_SOURCE_DIR
  Update library version to 2.18.0
2019-08-27 11:18:28 +01:00
Hanno Becker f9b3303eb9 Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code

  `MBEDTLS_ERR_SSL_VERSION_MISMATCH`

which can be used to indicate operation failure due to a
mismatch of version or configuration.

It is put to use in the implementation of `mbedtls_ssl_session_load()`
to signal the attempt to de-serialize a session which has been serialized
in a build of Mbed TLS using a different version or configuration.
2019-08-23 12:51:21 +03:00
Hanno Becker fe1275e3fe Improve test for detection of ver/cfg corruption in serialized data
This commit improves the test exercising the behaviour of
session deserialization when facing an unexpected version
or config, by testing ver/cfg corruption at any bit in the
ver/cfg header of the serialized data; previously, it had
only tested the first bit of each byte.
2019-08-23 12:51:21 +03:00
Hanno Becker 363b646dd8 Use US spelling 'serialize' instead of UK spelling 'serialise' 2019-08-23 12:51:21 +03:00
Hanno Becker bb54d5a3b1 Use consistent spelling of 'serialise/serialize' in SSL test suite 2019-08-23 12:51:21 +03:00
Hanno Becker 861d0bbbf2 Add negative tests for unexpected ver/cfg in session deserialization 2019-08-23 12:51:21 +03:00
Manuel Pégourié-Gonnard aa75583ced Re-enable test that now works with new format
Previously the test didn't work because of embedded pointer values that
are not predictable. Now it works as we no longer serialize such values.
2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard ee13a732d6 Fix serialization tests for !SSL_KEEP_PEER_CERT
The chosen fix matches what's currently done in the baremetal branch - except
the `#ifdef` have been adapted because now in baremetal the digest is not kept
if renegotiation is disabled.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 686adb4d54 Normalize spelling to serialiZation
We have explicit recommendations to use US spelling for technical writing, so
let's apply this to code as well for uniformity. (My fingers tend to prefer UK
spelling, so this needs to be fixed in many places.)

sed -i 's/\([Ss]eriali\)s/\1z/g' **/*.[ch] **/*.function **/*.data ChangeLog
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 1f6033a479 Fix undeclared dependency on FS_IO in test code
Found by 'all.sh test_no_platform' and by 'tests/scripts/test-ref-configs.pl'.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 220403b954 Fix style issues and typos in test code 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard b40799035b Fix another wrong check for errors in test code 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard f9deaece43 Add test that save-load is the identity
This test works regardless of the serialisation format and embedded pointers
in it, contrary to the load-save test, though it requires more maintenance of
the test code (sync the member list with the struct definition).
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 6b840704c4 Fix populate_session() and its usage in tests
Not checking the return value allowed a bug to go undetected, fix the bug and
check the return value.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard a3d831b9e6 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard f5fa0aa664 Add test for session_save() on small buffers 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 5b1674e0ba Disable test for load-save identity
This test appeared to be passing for the wrong reason, it's actually not
appropriate for the current implementation. The serialised data contains
values of pointers to heap-allocated buffers. There is no reason these should
be identical after a load-save pair. They just happened to be identical when I
first ran the test due to the place of session_free() in the test code and the
fact that the libc's malloc() reused the same buffers. The test no longer
passes if other malloc() implementations are used (for example, when compiling
with asan which avoids re-using the buffer, probably for better error
detection).

So, disable this test for now (we can re-enable it when we changed how
sessions are serialised, which will be done in a future PR, hence the name of
the dummy macro in depends_on). In the next commit we're going to add a test
that save-load is the identity instead - which will be more work in testing as
it will require checking each field manually, but at least is reliable.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 3caa6caf4a Improve load-save test with tickets and certs 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 6eac11b007 Start adding unit test for session serialisation
This initial test ensures that a load-save function is the identity. It is so
far incomplete in that it only tests sessions without tickets or certificate.
This will be improved in the next commits.
2019-08-23 12:48:41 +03:00
Darryl Green 74c932e596 Parametrize key bits in import mock test 2019-08-21 16:56:16 +01:00
Jaeden Amero 4abb40cab3 Clean up core storage between tests 2019-08-21 16:56:16 +01:00
Unknown f740b0abbb crypto_se_driver: add verification mock test 2019-08-21 16:56:16 +01:00
Unknown b7656a8a85 crypto_se_driver: add signing mock test 2019-08-21 16:56:16 +01:00
Unknown 136901c24c crypto_se_driver: add public key exporting test 2019-08-21 16:56:16 +01:00
Unknown 903b5da51c crypto_se_driver: add an error injection mechanism to the mocks 2019-08-21 16:56:16 +01:00
Unknown 9fd6b0cb6f crypto_se_driver: add key generation mock and test 2019-08-21 16:56:16 +01:00
Unknown c9ad5910aa crypto_se_driver: add mock tests
Mock key importing and exporting
2019-08-21 16:56:16 +01:00
Darryl Green 572a16e694 Merge branch 'psa-api-1.0-beta' into api-to-development 2019-08-21 10:31:12 +01:00
Jaeden Amero 89e7655691 Merge remote-tracking branch 'crypto/pr/212' into development
* crypto/pr/212: (337 commits)
  Make TODO comments consistent
  Fix PSA tests
  Fix psa_generate_random for >1024 bytes
  Add tests to generate more random than MBEDTLS_CTR_DRBG_MAX_REQUEST
  Fix double free in psa_generate_key when psa_generate_random fails
  Fix copypasta in test data
  Avoid a lowercase letter in a macro name
  Correct some comments
  Fix PSA init/deinit in mbedtls_xxx tests when using PSA
  Make psa_calculate_key_bits return psa_key_bits_t
  Adjust secure element code to the new ITS interface
  More refactoring: consolidate attribute validation
  Fix policy validity check on key creation.
  Add test function for import with a bad policy
  Test key creation with an invalid type (0 and nonzero)
  Remove "allocated" flag from key slots
  Take advantage of psa_core_key_attributes_t internally #2
  Store the key size in the slot in memory
  Take advantage of psa_core_key_attributes_t internally: key loading
  Switch storage functions over to psa_core_key_attributes_t
  ...
2019-08-16 11:02:31 +01:00
Jaeden Amero 70de9dc052 Remove unused cryptography test files 2019-08-15 15:44:50 +01:00
k-stachowiak 3794dec52b Change the expected error for two key derivation tests 2019-08-14 19:23:24 +02:00
Gilles Peskine 317f940304
Merge pull request #144 from gilles-peskine-arm/oss-fuzz-fix-build-crypto
Fix full build including non-boolean with Asan: crypto part
2019-08-14 15:30:18 +02:00
k-stachowiak 012dcc4b87 Remove PSA_PRE_1_0_KEY_DERIVATION and the corresponding code 2019-08-13 18:42:40 +02:00
Gilles Peskine 5da7b3e55c Drivers must have a psa_destroy_key method
Drivers that allow destroying a key must have a destroy method. This
test bug was previously not caught because of an implementation bug
that lost the error triggered by the missing destroy method.
2019-08-13 16:04:34 +02:00
Gilles Peskine 8fe253ae4a SE keys: test that psa_destroy_key removes the key from storage 2019-08-13 15:11:25 +02:00
Gilles Peskine 8df72f271f SE generate/sign/verify tests: also test export_public
Add a flow where the key is imported or fake-generated in the secure
element, then call psa_export_public_key and do the software
verification with the public key.
2019-08-09 16:43:36 +02:00
Gilles Peskine af906f852c RAM test driver: implement export_public 2019-08-09 16:43:36 +02:00
Gilles Peskine c068ded015 RAM test driver: improve key creation
Factor common code of ram_import and ram_fake_generate into a common
auxiliary function.

Reject key types that aren't supported by this test code.

Report the bit size correctly for EC key pairs.
2019-08-09 16:43:36 +02:00
Gilles Peskine eecadde6ad SE support: Test sign and verify hooks with a passthrough driver 2019-08-09 16:43:35 +02:00
Gilles Peskine 11792086cc SE keys: implement and smoke-test p_generate 2019-08-09 16:43:35 +02:00
Gilles Peskine f3801fff77 Update import_key and generate_key SE methods to the current API
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.

Update parameter names and descriptions to follow general conventions.

Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).

Update the implementation and the tests accordingly.
2019-08-09 16:43:35 +02:00
Gilles Peskine 49bd58274e Test the call to p_validate_slot_number when registering a key 2019-08-09 15:05:32 +02:00
Gilles Peskine d772958ffc New function mbedtls_psa_register_se_key
Register an existing key in a secure element.

Minimal implementation that doesn't call any driver method and just
lets the application declare whatever it wants.
2019-08-09 15:05:21 +02:00
Gilles Peskine e88c2c1338 Pass the key creation method to drivers
Pass the key creation method (import/generate/derive/copy) to the
driver methods to allocate or validate a slot number. This allows
drivers to enforce policies such as "this key slot can only be used
for keys generated inside the secure element".
2019-08-09 14:59:31 +02:00
Gilles Peskine b231d996a0
Merge pull request #202 from gilles-peskine-arm/psa-se_driver-choose_key_slot_number
Let applications create a key in a specific secure element slot
2019-08-09 14:29:54 +02:00
Gilles Peskine fdbc544b22
Merge pull request #192 from gilles-peskine-arm/psa-test-policy_bad_algorithm
Add some negative tests for policy checks
2019-08-09 13:32:45 +02:00
Janos Follath 849b05afb8 Fix PSA tests
The test framework has changed, but it did not cause any merge
conflicts. Still it affected new code in the tests.
2019-08-09 10:22:32 +01:00
Janos Follath 8aa7e9bc56 Merge branch 'psa-api-1.0-beta' into merge-psa-api-branch-into-development 2019-08-08 14:40:23 +01:00
Gilles Peskine 0a1104474b Test restarting after creating a key in a specific slot 2019-08-08 11:02:30 +02:00
Gilles Peskine 46d9439a5e Support slot_number attribute when creating a key
Allow the application to choose the slot number in a secure element,
rather than always letting the driver choose.

With this commit, any application may request any slot. In an
implementation with isolation, it's up to the service to filter key
creation requests and apply policies to limit which applications can
request which slot.
2019-08-08 11:02:30 +02:00
Gilles Peskine 5fe5e27591 Test slot_number attribute
Test the behavior of the getter/setter functions.

Test that psa_get_key_slot_number() reports a slot number for a key in
a secure element, and doesn't report a slot number for a key that is
not in a secure element.

Test that psa_get_key_slot_number() reports the correct slot number
for a key in a secure element.
2019-08-08 10:58:09 +02:00
Gilles Peskine 0c77b0e2f9
Merge pull request #198 from gilles-peskine-arm/psa-api-1.0-beta-merge_development_20190801
Merge mbed-crypto/development into psa-api-1.0-beta
2019-08-08 10:24:53 +02:00
Gilles Peskine bdc96fd636 Add tests to generate more random than MBEDTLS_CTR_DRBG_MAX_REQUEST
Add tests that call psa_generate_random() (possibly via
psa_generate_key()) with a size that's larger than
MBEDTLS_CTR_DRBG_MAX_REQUEST. This causes psa_generate_random() to
fail because it calls mbedtls_ctr_drbg_random() without taking the
maximum request size of CTR_DRBG into account.

Non-regression test for #206
2019-08-07 13:47:28 +02:00
Gilles Peskine b1f6c5fd4d Fix copypasta in test data 2019-08-07 13:37:22 +02:00
Gilles Peskine 49232e8b06 Avoid a lowercase letter in a macro name 2019-08-07 11:01:30 +02:00
Gilles Peskine 3963993e2a Merge 'mbedtls/development' into merge-crypto-development-20190806
Conflicts and changes:
* Files that do not exist in Mbed Crypto and have changed in Mbed TLS:
  These files should not exist in Mbed Crypto. Keep them deleted.
* tests/data_files/test-ca.server1.db: new file in Mbed TLS, don't create
  it in Mbed Crypto.
* tests/data_files/rsa_pkcs1_1024_clear.pem: do create this file in
  Mbed Crypto. I don't see why it would be kept out.
* tests/data_files/Makefile: don't take any of the changes in sections
  that have been removed in Crypto. Do take in the certificate
  expiration date updates and the extra .crt.der rules (even if Crypto
  doesn't actually use those certificates: removing them would be out
  of scope of the present merge).
* tests/suites/helpers.function: consecutive additions, take
  both (order indifferent).
2019-08-06 19:09:55 +02:00
Gilles Peskine 01655daeee
Merge pull request #2417 from RonEld/2734
Update soon to be expired crl
2019-08-03 13:38:14 +02:00
Gilles Peskine 82966d26c3
Merge pull request #2734 from hanno-arm/skip_test
Add TEST_ASSUME macro to allow skipping tests at runtime
2019-08-03 13:37:51 +02:00
Gilles Peskine 5386f6ba07 Fix PSA init/deinit in mbedtls_xxx tests when using PSA
In tests of mbedtls_cipher_xxx and mbedtls_pk_xxx with
MBEDTLS_USE_PSA_CRYPTO enabled, initialize and deinitialize the PSA
subsystem in every function. Before, the tests were only passing
because the first function to be called happened to call
psa_crypto_init() but not mbedtls_psa_crypto_free(). In some
configurations (not tested on CI), psa_crypto_init() was not called so
the tests using PSA failed.

Call PSA_DONE() at the end of each test function. This ensures that no
resources are leaked in the form of PSA crypto slot contents.
Incidentally, this also fixes a build error due to
test_helper_psa_done() being unused in test_suite_pk: the fact that it
wasn't used betrayed the missing calls to PSA_DONE().
2019-08-01 13:11:47 +02:00
Gilles Peskine 72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00
Gilles Peskine 3825e14e65 Fix policy validity check on key creation.
Add a non-regression test.
2019-07-31 16:54:38 +02:00
Gilles Peskine 6edfa293c2 Add test function for import with a bad policy 2019-07-31 16:54:38 +02:00
Gilles Peskine 7c227aee5e Test key creation with an invalid type (0 and nonzero) 2019-07-31 16:54:38 +02:00
Gilles Peskine 4ed0e6f11a Switch storage functions over to psa_core_key_attributes_t 2019-07-31 14:15:27 +02:00
Jaeden Amero fe93bc4ed4
Merge pull request #187 from Patater/tls-development-20190722
Bring in changes from Mbed TLS as of 2019-07-22
2019-07-31 11:50:15 +01:00
Jaeden Amero 8dd1690993 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
- Reject changes related to building a crypto submodule, since Mbed
  Crypto is the crypto submodule.
- Reject X.509, NET, and SSL changes.
- Reject changes to README, as Mbed Crypto is a different project from
  Mbed TLS, with a different README.
- Avoid adding mention of ssl-opt.sh in a comment near some modified
  code in include/CMakeLists.txt (around where ENABLE_TESTING as added).
- Align config.pl in Mbed TLS with config.pl in Mbed Crypto where PSA
  options are concerned, to make future merging easier. There is no
  reason for the two to be different in this regard, now that Mbed TLS
  always depends on Mbed Crypto. Remaining differences are only the
  PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option and the absence of X.509,
  NET, and SSL related options in Mbed Crypto's config.pl.
- Align config.h in Mbed Crypto with Mbed TLS's copy, with a few notable
  exceptions:
  - Leave CMAC on by default.
  - Leave storage on by default (including ITS emulation).
  - Avoid documenting the PSA Crypto API as is in beta stage in
    documentation for MBEDTLS_PSA_CRYPTO_C.
  The only remaining differences are a lack of X.509, NET, and SSL
  options in Mbed Crypto's config.h, as well as an additional
  Mbed-Crypto-specific PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option.
  Documentation for the check params feature and related macros is also
  updated to match Mbed TLS's description.
- Reject tests/data_files/Makefile changes to generate DER versions of
  CRTs and keys, as none of those are used by Mbed Crypto tests.
- Add the "no PEM and no filesystem" test to all.sh, without ssl-opt.sh
  run, as Mbed Crypto doesn't have ssl-opt.sh. Also remove use of PSA
  Crypto storage and ITS emulation, since those depend on filesystem
  support.
- Reject addition of test when no ciphersuites have MAC to all.sh, as
  the option being tested, MBEDTLS_SSL_SOME_MODES_USE_MAC, is not
  present in Mbed Crypto.
- Use baremetal config in all.sh, as Mbed Crypto's baremetal
  configuration does exclude the net module (as it doesn't exist in Mbed
  Crypto)
- Reject cmake_subproject_build changes, continuing to link only
  libmbedcrypto.
- Reject changes to visualc and associated templates. Mbed Crypto
  doesn't need additional logic to handle submodule-sourced headers.
- Avoid adding fuzzers from Mbed TLS. The only relevant fuzzers are the
  privkey and pubkey fuzzers, but non-trivial work would be required to
  integrate those into Mbed Crypto (more than is comfortable in a merge
  commit).
- Reject addition of Docker wrappers for compat.sh and ssl-opt.sh, as
  those are not present in Mbed Crypto.
- Remove calls to SSL-related scripts from basic-in-docker.sh

Fix test errors by performing the following:
- Avoid using a link that Doxygen can't seem to resolve in Mbed Crypto,
  but can resolve in Mbed TLS. In documentation for
  MBEDTLS_CHECK_PARAMS, don't attempt to link to MBEDTLS_PARAM_FAILED.

* origin/development: (339 commits)
  Do not build fuzz on windows
  No booleans and import config
  Removing space before opening parenthesis
  Style corrections
  Syntax fix
  Fixes warnings from MSVC
  Add a linker flag to enable gcov in basic-build-test.sh
  Update crypto submodule to a revision with the HAVEGE header changes
  Test with MBEDTLS_ECP_RESTARTABLE
  Allow TODO in code
  Use the docstring in the command line help
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  tests: Limit each log to 10 GiB
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Fix parsing issue when int parameter is in base 16
  ...
2019-07-31 10:37:53 +01:00
Gilles Peskine c744d99386 Limit keys to 65528 bits
65528 bits is more than any reasonable key until we start supporting
post-quantum cryptography.

This limit is chosen to allow bit-sizes to be stored in 16 bits, with
65535 left to indicate an invalid value. It's a whole number of bytes,
which facilitates some calculations, in particular allowing a key of
exactly PSA_CRYPTO_MAX_STORAGE_SIZE to be created but not one bit
more.

As a resource usage limit, this is arguably too large, but that's out
of scope of the current commit.

Test that key import, generation and derivation reject overly large
sizes.
2019-07-30 20:58:33 +02:00
Gilles Peskine 7e0cff90b9 Move attribute fields to a substructure
Move the "core attributes" to a substructure of psa_key_attribute_t.
The motivation is to be able to use the new structure
psa_core_key_attributes_t internally.
2019-07-30 20:58:27 +02:00
Gilles Peskine b84b6a68c7 Add some negative tests for policy checks
Add a few test cases to ensure that alg=0 in policy does not allow
using the key for an operation.

Add a test case to ensure that ANY_HASH does not have a wildcard
meaning for HMAC.
2019-07-30 11:38:35 +02:00
Gilles Peskine fc321f1a5e SE keys: test that the bit size is saved and loaded correctly 2019-07-29 18:12:34 +02:00
Gilles Peskine 1801740a7c SE driver: report the bit size on key import
Add a parameter to the key import method of a secure element driver to
make it report the key size in bits. This is necessary (otherwise the
core has no idea what the bit-size is), and making import report it is
easier than adding a separate method (for other key creation methods,
this information is an input, not an output).
2019-07-29 18:07:09 +02:00
Gilles Peskine dc5bfe9784 SE keys: implement and test psa_get_key_attributes 2019-07-29 18:07:03 +02:00
k-stachowiak d8727230f7 Add negative tests for empty buffer decoding for certain ciphers 2019-07-29 17:46:29 +02:00
k-stachowiak c5899a0fca Fix dependencies for some GCM empty buffer decoding tests 2019-07-29 15:11:16 +02:00
k-stachowiak 8e88a8f4ea Remove redundant empty buffer decoding test 2019-07-29 15:09:29 +02:00
Jaeden Amero e0b4c433fe
Merge pull request #273 from k-stachowiak/IOTCRYPT-726-unchecked-return-ecjpake
Fix unchecked return value in the ECJPake module
2019-07-29 11:48:23 +01:00
Gilles Peskine 105736653f SE keys: test that no function goes crazy
Run all functions that take a key handle as input with a key that is
in a secure element. All calls are expected to error out one way or
another (not permitted by policy, invalid key type, method not
implemented in the secure element, ...). The goal of this test is to
ensure that nothing bad happens (e.g. invalid pointer dereference).

Run with various key types and algorithms to get good coverage.
2019-07-24 13:45:36 +02:00
Gilles Peskine d1cd766e96 SE keys: test NOT_SUPPORTED error from generate_key 2019-07-24 13:45:02 +02:00
Gilles Peskine 89870eb123 Cosmetic improvements in SE driver tests 2019-07-24 13:44:03 +02:00
Jaeden Amero b992313f47
Merge pull request #180 from simonqhughes/feature-psa-storage
PSA Storage: Add psa_trusted_storage_linux persistent storage support for v1.0.0 APIs
2019-07-24 11:19:32 +01:00
Simon D Hughes bda5a21112 Add psa_trusted_storage_linux persistent storage support for v1.0.0 APIs
The following provides more information on this PR:
- PSA stands for Platform Security Architecture.
- Add support for use of psa_trusted_storage_api internal_trusted_storage.h v1.0.0
  as the interface to the psa_trusted_storage_linux backend (i.e. for persistent
  storage when MBEDTLS_PSA_ITS_FILE_C is not defined). This requires changes
  to psa_crypto_its.h and psa_crypto_storage.c to migrate to the new API.
2019-07-23 17:30:37 +01:00
Gilles Peskine 8b96cad204 SE drivers: implement persistent storage
Store the persistent data of secure element drivers.

This is fully implemented, but not at all tested.
2019-07-23 17:38:08 +02:00
Gilles Peskine 1df83d4f5b SE keys: implement persistent storage
For a key in a secure element, persist the key slot.

This is implemented in the nominal case. Failures may not be handled
properly.
2019-07-23 16:13:14 +02:00
Gilles Peskine 0e8d495bd9 Add the lifetime to the key storage format
Stored keys must contain lifetime information. The lifetime used to be
implied by the location of the key, back when applications supplied
the lifetime value when opening the key. Now that all keys' metadata
are stored in a central location, this location needs to store the
lifetime explicitly.
2019-07-23 14:46:52 +02:00
Gilles Peskine bfd322ff34 Use a key attribute structure in the internal storage interface
Pass information via a key attribute structure rather than as separate
parameters to psa_crypto_storage functions. This makes it easier to
maintain the code when the metadata of a key evolves.

This has negligible impact on code size (+4B with "gcc -Os" on x86_64).
2019-07-23 13:31:54 +02:00
Gilles Peskine 66afcca5a9 entropy_nv_seed: cope with SHA-256
This test case was only executed if the SHA-512 module was enabled and
MBEDTLS_ENTROPY_FORCE_SHA256 was not enabled, so "config.pl full"
didn't have a chance to reach it even if that enabled
MBEDTLS_PLATFORM_NV_SEED_ALT.

Now all it takes to enable this test is MBEDTLS_PLATFORM_NV_SEED_ALT
and its requirements, and the near-ubiquitous MD module.
2019-07-19 17:08:48 +02:00
Gilles Peskine e39b903de5 entropy_nv_seed: clean up properly
Call mbedtls_entropy_free on test failure.

Restore the previous NV seed functions which the call to
mbedtls_platform_set_nv_seed() changed. This didn't break anything,
but only because the NV seed functions used for these tests happened
to work for the tests that got executed later in the .data file.
2019-07-19 17:08:48 +02:00
Gilles Peskine 9bb1f64706 Don't call memset after calloc
memset has undefined behavior when either pointer can be NULL, which
is the case when it's the result of malloc/calloc with a size of 0.
The memset calls here are useless anyway since they come immediately
after calloc.
2019-07-19 17:08:48 +02:00
Gilles Peskine 614faa26ac Test PSA functions against PSA_SUCCESS, not 0
Writing 0 instead of PSA_SUCCESS is correct, but bad form.
2019-07-19 17:08:35 +02:00
Gilles Peskine 69c0ea26c7 Test suites: cope with psa_crypto_init failure
psa_crypto_init() can fail. Do check its return code. Don't call it
before initializing local objects that are going to be cleaned up.
2019-07-19 17:08:35 +02:00
Jaeden Amero f7dca86522 Allow building with the -Wunused flag
Make some functions non-static, to avoid Wunused function warnings. Make
a function scoped variable block scoped instead, to avoid Wunused
variable warnings in some configurations.
2019-07-15 15:52:25 +01:00
Gilles Peskine 5dc742c36a SE keys: smoke test import, export, destroy 2019-07-12 23:47:47 +02:00
k-stachowiak 2cd9051d5f Add decoding empty buffer test calls for cipher modes that benefit from this 2019-07-12 14:54:04 +02:00
Jaeden Amero 8306508250 Merge remote-tracking branch 'origin/pr/2660' into development
* origin/pr/2660:
  Fix parsing issue when int parameter is in base 16
  Refactor receive_uint32()
  Refactor get_byte function
  Make the script portable to both pythons
  Update the test encoding to support python3
  update the test script
2019-07-11 16:17:38 +01:00
Adrian L. Shaw 2282cfa660 Remove GMAC algorithm (for now)
It can't be implemented with the current version of the API
2019-07-11 15:51:45 +01:00
Ron Eldor 9eeb8611b1 Update certificates to expire in 2029
Update certificates that expire on 2021, to prolong their validity,
to make tests pass three years ahead.
2019-07-10 16:46:34 +03:00
k-stachowiak 01b3be4aa8 Add a test for mlaformed ECJPAKE context 2019-07-08 14:34:27 +02:00
Hanno Becker e69d0150d7 Add TEST_ASSUME macro to allow skipping tests at runtime
This commit adds a macro TEST_ASSUME to the test infrastructure
which allows to skip tests based on unmet conditions determined
at runtime.
2019-07-05 13:39:09 +01:00
Jaeden Amero 93fe3a1a8f
Merge pull request #160 from yanesca/iotcrypt-790-update-tests-to-multipart-key-derivation
Iotcrypt 790 update tests to multipart key derivation
2019-07-04 17:19:36 +01:00
Janos Follath 343067e0d1 Add invalid_key_derivation test cases for TLS PRF
Add test_derive_invalid_key_derivation_state test cases for TLS 1.2 PRF.
2019-07-04 14:29:30 +01:00
Janos Follath d958bb7aae Convert invalid_key_derivation_state to new API
Convert the test_derive_invalid_key_derivation_state() test to the new
KDF API.
2019-07-04 14:29:30 +01:00
Janos Follath 5ab0e0b601 Add derive_key_export test cases for TLS 1.2 PRF 2019-07-04 14:29:30 +01:00
Janos Follath 42fd888ab0 Convert derive_key_export to the new KDF API 2019-07-04 14:29:30 +01:00
Janos Follath 8d98a1e626 Add derive_key_exercise test cases for TLS 1.2 PRF 2019-07-04 14:29:30 +01:00
Janos Follath e60c9052ec Convert derive_key_exercise to the new KDF API 2019-07-04 14:29:30 +01:00
Janos Follath f2815eaec6 Refactor key derivation setup in tests 2019-07-04 14:29:00 +01:00
Janos Follath e7e4706230 Add derive_full test cases for TLS 1.2 PRF 2019-07-04 14:22:27 +01:00
Janos Follath 47f27ed752 Convert derive_full test to the new KDF API 2019-07-04 14:22:27 +01:00
Janos Follath 46d9fbc4a9 Add test cases for exercise_key_derivation_key 2019-07-04 14:22:27 +01:00
Gilles Peskine 7607cd6e57 Convert exercise_key_derivation_key to the new KDF API 2019-07-04 14:22:27 +01:00
Jaeden Amero c19dcebbdd
Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart
Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00
Janos Follath 0c1ed84258 Improve style 2019-06-28 15:10:06 +01:00
Gilles Peskine 651447905c Fix typo in invalid-lifetime test and add explicit test for 0 2019-06-26 20:01:35 +02:00
Gilles Peskine a8ade16ffd Gate secure element support by a separate config option
Secure element support has its own source file, and in addition
requires many hooks in other files. This is a nontrivial amount of
code, so make it optional (but default on).
2019-06-26 20:01:35 +02:00
Gilles Peskine 1468da76a5 Convert derive_output to the new KDF API 2019-06-26 09:15:08 +01:00
Janos Follath adbec81cc4 Remove the deprecated PSA_ALG_SELECT_RAW option
This change affects the psa_key_derivation_s structure. With the buffer
removed from the union, it is empty if MBEDTLS_MD_C is not defined.

We can avoid undefined behaviour by adding a new dummy field that is
always present or make the whole union conditional on MBEDTLS_MD_C.

In this latter case the initialiser macro has to depend on MBEDTLS_MD_C
as well. Furthermore the first structure would be either
psa_hkdf_key_derivation_t or psa_tls12_prf_key_derivation_t both of
which are very deep and would make the initialisation macro difficult
to maintain, therefore we go with the first option.
2019-06-26 09:15:08 +01:00
Janos Follath a27c927d4a Add test for psa_key_derivation_set_capacity
This commit restores the test coverage to the level before adapting the
derive_setup tests.
2019-06-26 09:15:08 +01:00
Janos Follath 16de4a4017 Adapt the derive_setup tests to the new API
Part of the tests are adapted in this commit, another part is already
covered by the derive_input tests and some of them are not applicable to
the new API (the new API does not request capacity at the setup stage).

The test coverage temporarily drops with this commit, the two test cases
conserning capacity will be re-added in a later commit.
2019-06-26 09:15:08 +01:00
Janos Follath ba3fab9074 Adapt derive_key_policy test to the new API 2019-06-26 09:15:08 +01:00
Janos Follath 4b7effd35a Add more tests for TLS 1.2 PRF input 2019-06-26 09:15:08 +01:00
Janos Follath 99dd6acdce Add test cases for derive_input
In the 1.0 API some functionality has been split from the
psa_key_derivation_setup() function and is now done with the
psa_key_derivation_input_*() functions. The new tests maintain the
existing test coverage of this functionality.
2019-06-26 09:15:08 +01:00
Janos Follath af3c2a0700 Add a test for psa_key_derivation_input 2019-06-26 09:15:08 +01:00
Janos Follath 71a4c9125b Add flag for removing deprecated API
Add the compile time option PSA_PRE_1_0_KEY_DERIVATION. If this is not
turned on, then the function `psa_key_derivation()` is removed.

Most of the tests regarding key derivation haven't been adapted to the
new API yet and some of them have only been adapted partially. When this
new option is turned off, the tests using the old API and test cases
using the old API of partially adapted tests are skipped.

The sole purpose of this option is to make the transition to the new API
smoother. Once the transition is complete it can and should be removed
along with the old API and its implementation.
2019-06-26 09:15:08 +01:00
Ron Eldor 72662a495c Refactor receive_uint32()
Call `greentea_getc()` 8 times, and then `unhexify` once, instead of
calling `receive_byte()`, which inside calls `greentea_getc()` twice,
for every hex digit.
2019-06-25 14:56:44 +03:00
Ron Eldor b220489422 Refactor get_byte function
Change implementation of `get_byte()` to call `unhexify()`.
2019-06-25 14:56:44 +03:00
Ron Eldor 5075f4df18 Update the test encoding to support python3
Since Python3 handles encoding differently than Python2,
a change in the way the data is encoded and sent to the target is needed.
1. Change the test data to be sent as hex string
2. Convert the characters to binary bytes.

This is done because the mbed tools translate the encoding differently
(mbed-greentea, and mbed-htrunner)
2019-06-25 14:56:01 +03:00
Gilles Peskine 7a52464fba Driver registration: more future-proof bad-version test 2019-06-24 19:58:12 +02:00
Gilles Peskine 55a6acfe4d Add negative tests for driver registration 2019-06-24 19:55:49 +02:00
Gilles Peskine 2c2243dc0b Smoke test for secure element driver registration 2019-06-24 14:29:28 +02:00
Jaeden Amero fd0f65459c Merge remote-tracking branch 'origin/pr/2697' into development
* origin/pr/2697:
  Update crypto submodule
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
  Don't systematically rebuild programs
2019-06-21 13:21:05 +01:00
Jaeden Amero aada0c7fd0 Merge remote-tracking branch 'origin/pr/2053' into development
* origin/pr/2053:
  Clarify ChangeLog entry for fix to #1628
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
2019-06-21 12:54:27 +01:00
Gilles Peskine 9e5bcbd8d1 Remove unused functions
These functions became obsolete when the key export format changed
from including the SubjectPublicKeyInfo to being just the key
material.
2019-06-20 13:01:56 +02:00
Gilles Peskine 3cff768ad4 Move the one non-crypto-specific PSA helper macro to a new header
Create a new header file psa_helpers.h and put the one helper macro
that isn't specific to PSA crypto there. Use this header file in the
ITS test suite.
2019-06-20 12:54:43 +02:00
Gilles Peskine 1838e82190 Rename psa_helpers.function to psa_crypto_helpers.h
This file isn't like the other .function files: it isn't concatenated
by a separate preprocessing script, but included via C preprocessing.

Rename this file to .h. This isn't a normal C header, because it
defines auxiliary functions. But the functions aren't big and we only
have one compilation unit per executable, so this is good enough for
what we're doing.
2019-06-20 12:40:56 +02:00
Gilles Peskine 982fe790c1 Remove unused functions
These functions became obsolete when the key export format changed
from including the SubjectPublicKeyInfo to being just the key
material.
2019-06-19 18:23:21 +02:00
Jaeden Amero c54ee936d7 Merge remote-tracking branch 'origin/pr/2443' into development
* origin/pr/2443: (25 commits)
  Fix documentation of X.509 parsing test
  Add X.509 CRT parsing test for mixed time-encodings
  Improve X.509 CRT parsing test names
  Add negative X.509 parsing tests for v3Ext in v1/v2 CRT
  Add negative X.509 parsing tests for IssuerID/SubjectID in v1 CRT
  Improve name of X.509 CRT parsing test
  Always use the same X.509 alg structure inside and outside of TBS
  Fix test dependencies in X.509 CRT parsing suite
  Fix non-DER length encoding in two X.509 CRT parsing tests
  Fix test case name formatting in X.509 parsing suite
  Use ASN.1 NULL TLVs when testing invalid tags
  Shorten X.509 CRT parsing test names
  Extend negative testing for X.509 Signature parsing
  Extend negative testing for X.509 SignatureAlgorithm parsing
  Extend negative testing for X.509 v3 Extension parsing
  Extend negative testing for X.509 SubjectID parsing
  Extend negative testing for X.509 IssuerID parsing
  Extend negative testing for X.509 SubjectPublicKeyInfo parsing
  Extend negative testing for X.509 Subject parsing
  Extend negative testing for X.509 Validity parsing
  ...
2019-06-14 15:29:14 +01:00
Jaeden Amero 7af080a9f9 Merge remote-tracking branch 'origin/pr/2442' into development
* origin/pr/2442:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:27:42 +01:00
Jaeden Amero 6b5dc689f7 Merge remote-tracking branch 'origin/pr/2430' into development
* origin/pr/2430:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Remove use of MD2 in further x509parse tests
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:49:31 +01:00
Jaeden Amero e1b02df515 Merge remote-tracking branch 'origin/pr/2260' into development
* origin/pr/2260:
  Update crypto submodule
  Remove heading spaces in tests/data_files/Makefile
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:46:48 +01:00
Gilles Peskine 9e23bea692 Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as
<assert.h> is not included, but it's fragile, because it means the
code and any header that it includes must not include <assert.h>.
2019-06-13 15:13:43 +02:00
Gilles Peskine e7655df7be Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as
<assert.h> is not included, but it's fragile, because it means the
code and any header that it includes must not include <assert.h>.
2019-06-13 15:12:23 +02:00
Hanno Becker 61cf9e3ca3 Fix documentation of X.509 parsing test 2019-06-13 13:32:44 +01:00
Jaeden Amero b1c72f56b1 Update library version to 2.18.0
Increase the SO versions of libmbedx509 and libmbedtls due to the
addition of fields in publicly visible (non-opaque) structs:
  - mbedtls_ssl_config
  - mbedtls_ssl_context
  - mbedtls_x509_crt
2019-06-11 17:19:35 +01:00
Jaeden Amero a3daa21d8c Merge remote-tracking branch 'origin/pr/2678' into development
* origin/pr/2678:
  Update crypto submodule to 1.1.0d2
  all.sh: Perform targeted EtM tests for MAC-less configs
  ssl: Don't access non-existent encrypt_then_mac field
2019-06-10 11:00:14 +01:00
Jaeden Amero b01314683a test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-07 12:57:33 +01:00
Jaeden Amero 5ab80efa10 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-07 12:57:33 +01:00
Jaeden Amero 2353b542d9 test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-06 11:56:54 +01:00
Jaeden Amero ab11889958 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-06 11:56:54 +01:00
Gilles Peskine dd413d3c92 Test shutdown without closing handles
Add some test cases that shut down and restart without explicitly
closing handles, and check that the handles are properly invalidated.
2019-06-05 16:38:42 +02:00
Gilles Peskine 76b29a77fb Close or destroy keys explicitly in tests 2019-06-05 16:38:42 +02:00
Gilles Peskine 1153e7bd57 Replace all calls to mbedtls_psa_crypto_free by PSA_DONE
Replace all calls to mbedtls_psa_crypto_free in tests by PSA_DONE.
This is correct for most tests, because most tests close open keys. A
few tests now fail; these tests need to be reviewed and switched back
to mbedtls_psa_crypto_free if they genuinely expected to end with some
slots still in use.
2019-06-05 16:38:42 +02:00
Gilles Peskine 952f40962a Create PSA-specific helper function file
Create a specific file for helper functions that are related to the
PSA API. The reason for a separate file is so that it can include
<psa/crypto.h>, without forcing this header inclusion into every test
suite. In this commit, psa_helpers.function doesn't need psa/crypto.h
yet, but this will be the case in a subsequent commit.

Move PSA_ASSERT to psa_helpers.function, since that's the sort of
things it's for.

Include "psa_helpers.function" from the PSA crypto tests.

In the ITS test, don't include "psa_helpers". The ITS tests are
meant to stand alone from the rest of the library.
2019-06-05 16:38:42 +02:00
Jaeden Amero 2de07f1dd1 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes d56ed2491b ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:09:29 +01:00
Gilles Peskine d2d45c1738 Convert cipher and pk to PSA attribute-based key creation
This fixes the build under MBEDTLS_USE_PSA_CRYPTO.
2019-06-05 11:34:54 +02:00
Gilles Peskine baea7aac89 Convert remaining obsolete function call 2019-06-05 11:34:54 +02:00
Hanno Becker 7717c41adc Add X.509 CRT parsing test for mixed time-encodings 2019-06-04 17:26:46 +01:00
Hanno Becker 8671e81b7a Improve X.509 CRT parsing test names 2019-06-04 17:26:46 +01:00
Hanno Becker 04b10c073e Add negative X.509 parsing tests for v3Ext in v1/v2 CRT 2019-06-04 17:26:46 +01:00
Hanno Becker d51d4856e6 Add negative X.509 parsing tests for IssuerID/SubjectID in v1 CRT 2019-06-04 17:26:46 +01:00
Hanno Becker 7ca07e3459 Improve name of X.509 CRT parsing test 2019-06-04 17:26:46 +01:00
Hanno Becker 764fbdf97d Always use the same X.509 alg structure inside and outside of TBS 2019-06-04 17:26:46 +01:00
Hanno Becker 60dd6fc944 Fix test dependencies in X.509 CRT parsing suite
Most tests use an sha256WithRSAEncryption OID which isn't recognized
unless RSA and SHA-256 are enabled.
2019-06-04 17:26:43 +01:00
Hanno Becker 31af3b874b Fix non-DER length encoding in two X.509 CRT parsing tests
Lengths below 128 Bytes must be encoded as a single 'XX' byte in DER,
but two tests in the X.509 CRT parsing suite used the BER but non-DER
encoding '81 XX' (the first byte 10000001 indicating that the length
is to follow (high bit) and has length 1 byte (low bit)).
2019-06-04 17:26:06 +01:00
Hanno Becker 19db19e41f Fix test case name formatting in X.509 parsing suite 2019-06-04 17:25:44 +01:00
Hanno Becker 0f5acc18c5 Use ASN.1 NULL TLVs when testing invalid tags
Previously, a test exercising the X.509 CRT parser's behaviour
on unexpected tags would use a '00' byte in place of the tag
for the expected structure. This makes reviewing the examples
harder because the binary data isn't valid DER-encoded ASN.1.

This commit uses the ASN.1 NULL TLV '05 00' to test invalid
tags, and adapts surrounding structures' length values accordingly.
This eases reviewing because now the ASN.1 structures are still
well-formed at the place where the mismatch occurs.
2019-06-04 17:25:44 +01:00
Hanno Becker 2389d1684b Shorten X.509 CRT parsing test names 2019-06-04 17:25:40 +01:00
Hanno Becker 44199b69b4 Extend negative testing for X.509 Signature parsing 2019-06-04 17:19:47 +01:00
Hanno Becker 5f88a77e2d Extend negative testing for X.509 SignatureAlgorithm parsing 2019-06-04 17:19:47 +01:00
Hanno Becker 05987e33f1 Extend negative testing for X.509 v3 Extension parsing 2019-06-04 17:19:47 +01:00
Hanno Becker be3850a2b3 Extend negative testing for X.509 SubjectID parsing 2019-06-04 17:19:47 +01:00
Hanno Becker 9f06b50b66 Extend negative testing for X.509 IssuerID parsing 2019-06-04 17:19:47 +01:00
Hanno Becker bb955e5195 Extend negative testing for X.509 SubjectPublicKeyInfo parsing 2019-06-04 17:19:47 +01:00
Hanno Becker 28ae6b1ba8 Extend negative testing for X.509 Subject parsing 2019-06-04 17:19:46 +01:00
Hanno Becker 18459d420f Extend negative testing for X.509 Validity parsing 2019-06-04 17:19:46 +01:00
Hanno Becker 5e2cf38ff6 Extend negative testing for X.509 Issuer parsing 2019-06-04 17:19:46 +01:00
Hanno Becker a328fffdaa Extend negative testing for X.509 AlgorithmIdentifier parsing 2019-06-04 17:19:43 +01:00
Hanno Becker e7d8f96f9f Extend negative testing for X.509 Serial number parsing 2019-06-04 16:23:46 +01:00
Hanno Becker a9ef412cee Extend negative testing for X.509 Version parsing 2019-06-04 16:23:46 +01:00
Hanno Becker a5c481e384 Extend negative testing for X.509 TBS header parsing 2019-06-04 16:23:46 +01:00
Hanno Becker 6ccfb18ab1 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 13:59:48 +01:00
Hanno Becker 12f62fb82c Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 10:15:09 +01:00
Hanno Becker 58fc28ce1a Rename server1.der to server1.crt.der 2019-06-03 17:46:56 +01:00
Hanno Becker e21387e014 Add build instructions to generate DER versions of CRTs and keys 2019-06-03 17:46:56 +01:00
Hanno Becker 8c07beeb84 Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite 2019-06-03 16:07:50 +01:00
Hanno Becker a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker e2c2314ab4 Add missing dependencies in unit tests for CID-based record enc/dec
Changes generated via:
% sed -i '/.*CID [0-9]+[0-9]/{n;s/depends_on:/depends_on:MBEDTLS_SSL_CID:/}' test_suite_ssl.data
2019-06-03 14:47:36 +01:00
Hanno Becker 43c24b8da9 Fix missing compile-time guards around CID-only constants 2019-06-03 14:47:36 +01:00
Hanno Becker d856c82993 Add unit tests for record protection using CID 2019-06-03 14:47:36 +01:00
Hanno Becker 6c87b3f9df Record enc/dec tests: Don't take turns in sending / receiving roles
Part of the record encryption/decryption tests is to gradually
increase the space available at the front and/or at the back of
a record and observe when encryption starts to succeed. If exactly
one of the two parameters is varied at a time, the expectation is
that encryption will continue to succeed once it has started
succeeding (that's not true if both pre- and post-space are varied
at the same time).

Moreover, previously the test would take turns when choosing which
transform should be used for encryption, and which for decryption.

With the introduction of the CID feaature, this switching of transforms
doesn't align with the expectation of eventual success of the encryption,
since the overhead of encryption might be different for the parties,
because both parties may use different CIDs for their outgoing records.

This commit modifies the tests to not take turns between transforms,
but to always use the same transforms for encryption and decryption
during a single round of the test.
2019-06-03 14:47:36 +01:00
Hanno Becker 4a9b028c08 Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 14:45:21 +01:00
Hanno Becker 20a4ade3f5 Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 14:45:21 +01:00
Hanno Becker 7b8abee4f5 Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 14:45:16 +01:00
Hanno Becker 2e0f71f977 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 14:22:53 +01:00
Hanno Becker ba698da57a Remove use of MD2 in further x509parse tests 2019-06-03 09:54:07 +01:00
Hanno Becker 32b48ea364 Convert further x509parse tests to use lower-case hex data 2019-06-03 09:48:39 +01:00
Hanno Becker 01346c645b Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:16:39 +01:00
Hanno Becker d0d78d7c4a Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:16:39 +01:00
Gilles Peskine 2938268fb4 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190524
Conflicts:
* library/ssl_cli.c, library/ssl_tls.c:
  Removed on the development branch. Keep them removed.
* include/psa/crypto_extra.h, library/psa_crypto_storage.c,
  tests/suites/test_suite_psa_crypto.data,
  tests/suites/test_suite_psa_crypto.function,
  tests/suites/test_suite_psa_crypto_persistent_key.data,
  tests/suites/test_suite_psa_crypto_slot_management.data,
  tests/suites/test_suite_psa_crypto_slot_management.function:
  Modified on the development branch only to implement the enrollment
  algorithm, which has been reimplemented on the API branch.
  Keep the API branch.
2019-05-29 09:57:29 +02:00
Gilles Peskine 3027ba6429 Enrollment algorithm in policy: add tests of psa_copy_key 2019-05-27 14:08:28 +02:00
Gilles Peskine bcdd44b9be Enrollment algorithm in policy: add support in psa_copy_key tests
Add parameters to psa_copy_key tests for the enrollment algorithm (alg2).

This commit only tests with alg2=0, which is equivalent to not setting
an enrollment algorithm.
2019-05-27 14:08:28 +02:00
Gilles Peskine b4e0cda8db Enrollment algorithm in policy: update persistent key tests
The storage format has changed, so update the test data accordingly.
2019-05-27 14:08:28 +02:00
Gilles Peskine 183442c854 Enrollment algorithm in policy: test persistent keys 2019-05-27 14:08:27 +02:00
Gilles Peskine 96f0b3b1d3 Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-27 14:08:27 +02:00
Gilles Peskine d3bb7bb2f2 Persistent key reload: test more metadata
In the tests for opening a persistent key after closing it, also read
back and check the key data if permitted by policy, and the key
policy.
2019-05-24 17:02:25 +02:00
Gilles Peskine 1ecf92c2f8 Align test functions to usage/alg parameter order
Manually cherry-picked from ca5bed742f
by taking that patch, replacing KEYPAIR by KEY_PAIR
throughout (renaming applied in this branch), and discarding parts
about import_twice in test_suite_psa_crypto (this test function was
removed from this branch).
2019-05-24 16:38:14 +02:00
Ron Eldor 56f071fb9e Add negative test for malformed SAN
Add a negative test for a malformed SAN extension.
2019-05-22 17:36:58 +03:00
Jaeden Amero 496c176d90
Merge pull request #266 from ARMmbed/psa-policy_alg2-poc
Keys may allow a second algorithm
2019-05-22 11:55:01 +01:00
Gilles Peskine 52315e4c16 Enrollment algorithm in policy: add tests of psa_copy_key 2019-05-21 18:31:59 +02:00
Gilles Peskine 705cbfd802 Enrollment algorithm in policy: add support in psa_copy_key tests
Add parameters to psa_copy_key tests for the enrollment algorithm (alg2).

This commit only tests with alg2=0, which is equivalent to not setting
an enrollment algorithm.
2019-05-21 18:31:59 +02:00
Gilles Peskine 468c96cccc Enrollment algorithm in policy: update persistent key tests
The storage format has changed, so update the test data accordingly.
2019-05-21 17:06:35 +02:00
Gilles Peskine 6fbfdb9e06 Enrollment algorithm in policy: test persistent keys 2019-05-21 17:06:35 +02:00
Gilles Peskine cbce4d8889 Persistent key reload: test more metadata
In the tests for opening a persistent key after closing it, also read
back and check the key data if permitted by policy, and the key
policy.
2019-05-21 17:06:35 +02:00
Gilles Peskine 2c86ebc2f8 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allowed to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-21 17:06:27 +02:00
Gilles Peskine 536e20571a New macro to get the bit size of an elliptic curve 2019-05-21 17:06:03 +02:00
Gilles Peskine ca5bed742f Align test functions to usage/alg parameter order 2019-05-21 17:06:03 +02:00
Gilles Peskine d6f371b1ba Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-21 17:06:03 +02:00
Jaeden Amero 3d07ffade2 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
    - Reject changes to files removed during the creation of Mbed Crypto
      from Mbed TLS.
    - Reject the addition of certificates that would not be used by any
      tests, including rejecting the addition of Makefile rules to
      generate these certificates.
    - Reject changes to error.c referencing modules that are not part of
      Mbed Crypto.

* origin/development: (80 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  ...
2019-05-21 08:57:44 +01:00
Jaeden Amero 31d1432233 Merge remote-tracking branch 'origin/pr/2530' into development
* origin/pr/2530: (27 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fail in case critical crt policy not supported
  Update SAN parsing documentation
  change the type of hardware_module_name member
  Change mbedtls_x509_subject_alternative_name
  Add length checking in certificate policy parsing
  Rephrase x509_crt extension member description
  Rephrase changeLog entries
  Remove redundant memset()
  Propogate error when parsing SubjectAltNames
  Tidy up style in x509_info_subject_alt_name
  Print unparseable SubjectAlternativeNames
  ...
2019-05-20 18:02:25 +01:00
Jaeden Amero 9ebcf9b00a Merge remote-tracking branch 'origin/pr/2538' into development
* origin/pr/2538:
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  Add eap-tls key derivation in the examples.
  Add ChangeLog entry
  Add an extra key export function
  Have the temporary buffer allocated dynamically
  Zeroize secret data in the exit point
  Add a single exit point in key derivation function
2019-05-20 10:58:36 +01:00
Ron Eldor 76a9c4a81f Fix test data
Fix test data to test what it actually intends to test.
2019-05-20 11:58:59 +03:00
Ron Eldor 8a59d6b964 Update test data
Update the test data for the negative certificate policies
extension tests with correct lengths, to test the correct behaviour.
Add another test.
2019-05-19 14:11:20 +03:00
Gilles Peskine 35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine dcaefae849 Parametrize Diffie-Hellman keys by a group identifier
Parametrize finite-field Diffie-Hellman key types with a DH group
identifier, in the same way elliptic curve keys are parametrized with
an EC curve identifier.

Define the DH groups from the TLS registry (these are the groups from
RFC 7919).

Replicate the macro definitions and the metadata tests from elliptic
curve identifiers to DH group identifiers.

Define PSA_DH_GROUP_CUSTOM as an implementation-specific extension for
which domain parameters are used to specify the group.
2019-05-16 19:51:10 +02:00
Gilles Peskine be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine 51ae0e4b79 Rename "generator" to "operation"
Generators are now key derivation operations.

Keep "random generator" intact.
2019-05-16 18:55:25 +02:00
Gilles Peskine cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine 03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero d35249e66f
Merge pull request #109 from gilles-peskine-arm/psa-key_attributes-set_persistent
Individual setters for persistent key attributes
2019-05-16 17:28:53 +01:00
Jaeden Amero 99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Ron Eldor 11818f2c17 Add some negative test cases
Add some invalid certificate tests for certifiate policies extension.
2019-05-16 18:17:02 +03:00
Jaeden Amero 16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero 76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero 826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine c9d910bed6 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine 6c9514427b New macro to get the bit size of an elliptic curve 2019-05-16 00:16:46 +02:00
Gilles Peskine 049c7535af Split long lines after psa_import_key refactoring 2019-05-15 23:16:07 +02:00
Gilles Peskine 73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00