Commit graph

3211 commits

Author SHA1 Message Date
Steven Cooreman ae3f13bf5e Add more test cases and fix AT_LEAST_THIS_LENGTH against base algorithm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:40 +01:00
Steven Cooreman a96e2410e7 Test _AT_LEAST_THIS_LENGTH macros in the PSA Crypto metadata test suite
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:40 +01:00
Steven Cooreman 2c2efa488b Fix dependency-setting script and test dependencies for new tests
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:03:39 +01:00
Steven Cooreman 5d81481a1c Rename AEAD WITH_MINIMUM_LENGTH to AT_LEAST_THIS_LENGTH
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>

# Conflicts:
#	include/psa/crypto_values.h
#	tests/suites/test_suite_psa_crypto.data
2021-03-01 16:00:31 +01:00
Steven Cooreman caad49316b rename MAC_WITH_MINIMUM_LENGTH_TAG to AT_LEAST_THIS_LENGTH_MAC
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-03-01 16:00:31 +01:00
Steven Cooreman b3ce8156ce Add support for minimum-tag-length AEAD and MAC policies
Includes tests.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>

# Conflicts:
#	include/psa/crypto_values.h
#	tests/suites/test_suite_psa_crypto.function
2021-03-01 16:00:31 +01:00
gabor-mezei-arm ceface2247
Add test for ouput buffer size macros
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-03-01 13:57:21 +01:00
Gilles Peskine 574cf7b59f Clarify how a file descriptor could still be more than the limit
It can happen if the file descriptor was opened before lowering the limit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-01 11:43:56 +01:00
Gilles Peskine 97c57fe439 Fix sloppiness around stricly less-than vs less or equal
Fix sloppy wording around stricly less-than vs less or equal in
comments. Also fix an off-by-one error in a comparison which led to
calling setrlimit if the limit was exactly the minimum required for
the test, which was unnecessary but harmless.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-01 11:40:56 +01:00
Gilles Peskine 6667a78c9b Add test for mbedtls_net_poll beyond FD_SETSIZE
mbedtls_net_poll() and mbedtls_net_recv_timeout() rely on select(),
which represents sets of file descriptors through the fd_set type.
This type cannot hold file descriptors larger than FD_SETSIZE. Make
sure that these functions identify this failure code.

Without a proper range check of the file descriptor in the
mbedtls_net_xxx function, this test fails when running with UBSan:
```
net_poll beyond FD_SETSIZE ........................................ source/library/net_sockets.c:482:9: runtime error: index 16 out of bounds for type '__fd_mask [16]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/library/net_sockets.c:482:9 in
```
This is a non-regression test for
https://github.com/ARMmbed/mbedtls/issues/4169 .

The implementation of this test is specific to Unix-like platforms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-25 15:56:48 +01:00
Gilles Peskine 1c0e48a2ce New test suite: net
A place to put tests for the net_sockets module (MBEDTLS_NET_C feature).

Start with a context smoke test.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-24 18:37:46 +01:00
Paul Elliott 448d54610c First pass at constant flow tests for base64
This contains working CF tests for encode, however I have not yet got
decode to pass the tests.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-02-24 15:32:42 +00:00
Gilles Peskine 5a7702e76d Fix some C function documentation in the test framework
The primary goal of this commit is to fix various comments where
`clang -Wdocumentation` identified a discrepancy between the actual
function parameters and the documented parameters. The discrepancies
were due to copypasta, formatting issues or documentation that had
diverged from the implementation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:36:07 +01:00
Gilles Peskine 6e0d5bd00d Increment the test step number when invalidating a key
This makes failure messages easier to understand.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:36:07 +01:00
Gilles Peskine 65048ad648 Destroy recorded persistent keys in PSA_DONE()
This ensures that test cases won't leave persistent files behind even
on failure, provided they use TEST_USES_KEY_ID(). Test cases that
don't use this macro are unaffected.

Tests that use PSA_DONE() midway and expect persistent keys to survive
must use PSA_SESSION_DONE() instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:36:07 +01:00
Gilles Peskine aae718caca New test helper to purge persistent key from memory
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:36:07 +01:00
Gilles Peskine 313ffb8f90 Move PSA storage cleanup out of the slot_management test suite
Merge the two identical definitions of TEST_USES_KEY_ID and
mbedtls_test_psa_purge_key_storage from
test_suite_psa_crypto_slot_management.function and
test_suite_psa_crypto_se_driver_hal.function into a single copy in
common test code so that it can be used in all test suites.

No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:36:07 +01:00
Gilles Peskine b9ad79417d Push back on divergence of duplicated code
Persistent storage common code from
test_suite_psa_crypto_slot_management.function had been duplicated in
test_suite_psa_crypto_se_driver_hal.function and the copy had slightly
diverged. Re-align the copy in preparation from moving the code to a
common module and using that sole copy in both test suites.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine e95a643839 Prepare to move persistent storage cleanup to common code
Rename functions to mbedtls_test_xxx and make them non-static if
they're going to be exported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine e78b00210a Move exercise_key and related functions to their own module
Move mbedtls_test_psa_exercise_key() (formerly exercise_key()) and
related functions to its own module. Export the few auxiliary
functions that are also called directly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine 8e94efe4ba Move asn1_skip_integer to the asn1_helpers module
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine ea38a926c1 Remove a redundant export step in import_export
exercise_export_key() exports the key and does sanity checks on the
result. Here we've already just exported the key, so just run the
sanity checks.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine c18e25f6df Prepare to move exercise_key and friends to their own module
Rename functions to mbedtls_test_psa_xxx if they're going to be
exported. Declare functions as static if they're aren't meant to be
called directly from test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 20:29:38 +01:00
Gilles Peskine 3d979f781e Add init-free tests for entropy
These tests validate that an entropy object can be reused and that
calling mbedtls_entropy_free() twice is ok.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 21:24:02 +01:00
Gilles Peskine 914afe1fdb Add init-free tests for RSA
These tests are trivial except when compiling with MBEDTLS_THREADING_C
and a mutex implementation that are picky about matching each
mbedtls_mutex_init() with exactly one mbedtls_mutex_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 7aba036154 Add missing cleanup in test function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:24:03 +01:00
Gilles Peskine 2a4c598859 Detect and report mutex usage errors
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.

This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:08:14 +01:00
Gilles Peskine 1061ec6782 Mutex usage testing: set up wrapper functions
When using pthread mutexes (MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD enabled), and when test hooks are
enabled (MBEDTLS_TEST_HOOKS), set up wrappers around the
mbedtls_mutex_xxx abstraction. In this commit, the wrapper functions
don't do anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:08:14 +01:00
Gilles Peskine 1f186ff330 Add missing calls to USE_PSA_DONE
Some functions were not deinitializing the PSA subsystem. This could
lead to resource leaks at the level of individual test cases, and
possibly at the level of the whole test suite depending on the order
and selection of test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:08:14 +01:00
Gilles Peskine 9de97e21fe Make {USE_,}PSA_{INIT,DONE} available in all test suites
Make USE_PSA_INIT() and USE_PSA_DONE() available in all test suites in
all cases, doing nothing if MBEDTLS_USE_PSA_CRYPTO is disabled. Use
those in preference to having explicit
defined(MBEDTLS_USE_PSA_CRYPTO) checks (but there may still be places
left where using the new macros would be better).

Also provide PSA_INIT() by symmetry with PSA_DONE(), functional
whenver MBEDTLS_PSA_CRYPTO_C is enabled, but currently unused.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:08:14 +01:00
Dave Rodgman d6ee36ed04
Merge pull request #4110 from gilles-peskine-arm/psa-external-random-in-mbedtls
Expose the PSA RNG in mbedtls
2021-02-22 14:47:29 +00:00
Gilles Peskine bd21b18a1f
Merge pull request #4126 from gilles-peskine-arm/ccm-test-iv-overflow-warning
Silence gcc-10 warning in test_suite_ccm
2021-02-20 00:12:21 +01:00
Ronald Cron 8d5645a858 tests: psa driver wrapper: Fix sign/verify unit test dependency
In test_suite_psa_crypto_driver_wrappers test suite, the
sign/verify tests with software fallback tests should be run
only if the software fallback is available.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-18 15:45:12 +01:00
Gilles Peskine f68a9cf1e7 Fix test code under MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:58:29 +01:00
Gilles Peskine d169d60319 Skip dependency symbols that are not implemented
A temporary hack: at the time of writing, not all dependency symbols
are implemented yet. Skip test cases for which the dependency symbols are
not available. Once all dependency symbols are available, this comit
should be reverted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:58:29 +01:00
Gilles Peskine 60b29fea46 Define WANT symbols for always-supported key types
PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported.
Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and
PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to
infer dependencies in a systematic way.

Don't generate not-supported test cases for those key types. They
would always be skipped, which is noise and would make it impossible
to eventually validate that all test cases pass in at least one
configuration over the whole CI.

Don't remove the exception in set_psa_test_dependencies.py for now, to
get less noise in dependencies. This may be revised later if it is
deemed more important to be systematic.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:52 +01:00
Gilles Peskine 7f756876b9 Append the key size to ECC curve dependencies
ECC curve dependency symbols include the key size in addition to the
curve family. Tweak the dependencies once the key size is known.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine 7d112ae04c Check in test_suite_psa_crypto_not_supported.generated.data
This test data file is automatically generated. We could do that as
part of the build, since the only requirement is Python and we have a
requirement on Python to build tests anyway (to generate the .c file
from the .function file). However, committing the generating file into
the repository has less impact on build scripts, and will be necessary
for some of the files generated by generate_psa_tests.py (at least the
storage format stability tests, for which stability is guaranteed by
the fact that the generated file doesn't change). To keep things
simple, for now, let's commit all the files generated by
generate_psa_tests.py into the repository.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine 069346cdab New test suite for not-supported cases: key creation (import, generate)
To start with, test that key creation fails as intended when the key
type is not supported. This commit only covers psa_import_key and
psa_generate_key. A follow-up will cover psa_key_derivation_output_key.

My primary intent in creating this new test suite is to automatically
generate test cases by enumerating the key types and algorithms that
the library supports. But this commit only adds a few manually written
test cases, to get the ball rolling.

Move the relevant test cases of test_suite_psa_crypto.data that only
depend on generic knowledge about the API. Keep test cases that depend
more closely on the implementation, such as tests of non-supported key
sizes, in test_suite_psa_crypto.data.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 14:50:17 +01:00
Gilles Peskine cd2d648b00 Explain the "external RNG large" test case
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:46:06 +01:00
Gilles Peskine ddeb8896ff Exclude random_twice tests with MBEDTLS_TEST_NULL_ENTROPY
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:46:06 +01:00
Gilles Peskine e3ed802138 Expose mbedtls_psa_get_random()
Expose whatever RNG the PSA subsystem uses to applications using the
mbedtls_xxx API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-16 15:39:48 +01:00
Ronald Cron 010d7c72c3
Merge pull request #3744 from ronald-cron-arm/psa-generate-key-internal
Rework psa_generate_key
2021-02-16 13:29:21 +01:00
Gilles Peskine bb86d0c61c
Merge pull request #3995 from stevew817/feature/psa_configurable_static_ram_usage
Allow tweaking PSA_KEY_SLOT_COUNT
2021-02-16 12:52:24 +01:00
Ronald Cron d00f5e188a tests: psa: Remove generate key test case restriction
Now that the support for key generation in the transparent
test driver is at the same level as the support in the
Mbed TLS library, remove the restriction on the generate
key test case that was introduced by the work on key
import and export through the PSA driver interface.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:07:46 +01:00
Ronald Cron f619c68be9 psa: driver wrappers: Add generate key unit test with no fallback
Add a test in test_suite_psa_crypto_driver_wrappers that
when accelerators do not support the generation of a key
and there is no software fallback, the key generation
fails with the PSA_ERROR_NOT_SUPPORTED error code.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:07:46 +01:00
Steven Cooreman f49478b1ff Add missing test skip for ALT-implemented GCM
Bypass was applied to aead_encrypt and aead_decrypt cases, but not
aead_encrypt_decrypt.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 15:31:16 +01:00
Steven Cooreman 863470a5f9 Rename PSA_KEY_SLOT_COUNT to MBEDTLS_PSA_KEY_SLOT_COUNT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 14:26:44 +01:00
Steven Cooreman 70f654a89c Fix a malformed define guard
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 10:51:43 +01:00
Ronald Cron 5cd00d28bf
Merge pull request #4092 from ronald-cron-arm/psa-crypto-client
Psa crypto client
2021-02-15 10:46:35 +01:00
Ronald Cron 7339335c7d
Merge pull request #3967 from bensze01/psa_macro_rename
PSA: Rename AEAD tag length macros
2021-02-12 16:33:21 +01:00
Manuel Pégourié-Gonnard b2024ef3bb
Merge pull request #4129 from chris-jones-arm/move-test-macros
Move test macros to macros.h
2021-02-12 10:17:28 +01:00
Bence Szépkúti a63b20d28b Rename AEAD tag length macros
This brings them in line with PSA Crypto API 1.0.0

PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH         -> PSA_ALG_AEAD_WITH_SHORTENED_TAG

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-02-11 11:39:31 +01:00
Ronald Cron 28a45ed8db tests: psa: Add macros to skip a test case
Add macros to skip a test case when hitting a
common alternative implementation limitation.

Add a macro for AES-192 and GCM with a nonce
length different from 12 bytes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-10 16:07:21 +01:00
Steven Cooreman 50f1f5e119 Use PSA_ALG_ macros to inspect AEAD base algorithm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 2f09913aeb Set default IV for AES-GCM to 12 bytes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 82645b153d Allow skipping vectors w/ non-12-byte IV AES-GCM on ALT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman d588ea1704 Allow skipping AES-192 for alternative implementations in PSA test suite
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 7c9e7da8d4 Add CAVS14.0 AES-GCM vectors to test more IV, tag and key lengths
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Ronald Cron 395889f9b7 psa: Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
when MBEDTLS_PSA_CRYPTO_C is defined and guard
PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT.

The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done
in crypto_types.h before the definition of
psa_key_attributes_t. That way as PSA crypto client
code is related to key attributes we can be quite
confident that MBEDTLS_PSA_CRYPTO_CLIENT will be
defined when needed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-09 15:36:08 +01:00
Gilles Peskine a0b4decff0
Merge pull request #4072 from gilles-peskine-arm/psa_import_ecc_key-not_supported
ECC import: more useful choice of INVALID_ARGUMENT vs NOT_SUPPORTED
2021-02-09 15:16:20 +01:00
Chris Jones a6d155fb47 Move test macros to macros.h
Move test macros previously located in `suites/helpers.function` to
`include/test/macros.h`. This makes these test infrastructure macros
available for use in other parts of the test infrastructure at compile
time as opposed to run time.

This commit is a simple cut and paste from one file to the other.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-09 12:09:33 +00:00
Gilles Peskine b168c0d2e6 More robust code to set the IV
Check that the source address and the frame counter have the expected
length. Otherwise, if the test data was invalid, the test code could
build nonsensical inputs, potentially overflowing the iv buffer.

The primary benefit of this change is that it also silences a warning
from compiling with `gcc-10 -O3` (observed with GCC 10.2.0 on
Linux/amd64). GCC unrolled the loops and complained about a buffer
overflow with warnings like:
```
suites/test_suite_ccm.function: In function 'test_mbedtls_ccm_star_auth_decrypt':
suites/test_suite_ccm.function:271:15: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
  271 |         iv[i] = source_address->x[i];
      |         ~~~~~~^~~~~~~~~~~~~~~~~~~~~~
suites/test_suite_ccm.function:254:19: note: at offset [13, 14] to object 'iv' with size 13 declared here
  254 |     unsigned char iv[13];
```
Just using memcpy instead of loops bypasses this warnings. The added
checks are a bonus.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-09 12:00:13 +01:00
Gilles Peskine 5d332f0274
Merge pull request #4105 from paul-elliott-arm/fix_test_leak
Fix for memory leak in ssl tests
2021-02-09 10:03:49 +01:00
Gilles Peskine 9189202156 Remove trail check in the generate_random test
The test function generate_random allocated a few extra bytes after
the expected output and checked that these extra bytes were not
overwritten. Memory sanity checks such as AddressSanitizer and
Valgrind already detect this kind of buffer overflow, so having this
test in our code was actually redundant. Remove it.

This has the benefit of not triggering a build error with GCC
(observed with 7.5.0 and 9.3.0) when ASan+UBSan is enabled: with the
previous code using trail, GCC complained about an excessively large
value passed to calloc(), which was (size_t)(-sizeof(trail)).
Thus this commit fixes #4122.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-08 19:50:26 +01:00
Gilles Peskine 2fa6b5f503 ECC import: more useful choice of INVALID_ARGUMENT vs NOT_SUPPORTED
Attempting to create an ECC key with a curve specification that is not
valid can plausibly fail with PSA_ERROR_INVALID_ARGUMENT ("this is not
a curve specification at all") or PSA_ERROR_NOT_SUPPORTED ("this may
be a curve specification, but not one I support"). The choice of error
is somewhat subjective.

Before this commit, due to happenstance in the implementation, an
attempt to use a curve that is declared in the PSA API but not
implemented in Mbed TLS returned PSA_ERROR_INVALID_ARGUMENT, whereas
an attempt to use a curve that Mbed TLS supports but for which support
was disabled at compile-time returned PSA_ERROR_NOT_SUPPORTED. This
inconsistency made it difficult to write negative tests that could
work whether the curve is implemented via Mbed TLS code or via a
driver.

After this commit, any attempt to use parameters that are not
recognized fails with NOT_SUPPORTED, whether a curve with the
specified size might plausibly exist or not, because "might plausibly
exist" is not something Mbed TLS can determine.

To keep returning INVALID_ARGUMENT when importing an ECC key with an
explicit "bits" attribute that is inconsistent with the size of the
key material, this commit changes the way mbedtls_ecc_group_of_psa()
works: it now works on a size in bits rather than bytes, with an extra
flag indicating whether the bit-size must be exact or not.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-08 18:43:26 +01:00
Gilles Peskine d945871c55
Merge pull request #3872 from gabor-mezei-arm/3275_use_PSA_ERROR_DATA_INVALID_where_warranted
Use PSA_ERROR_DATA_INVALID where warranted
2021-02-03 20:54:46 +01:00
Ronald Cron 540320bf7b
Merge pull request #4054 from chris-jones-arm/move-testing-functions
Move test infrastructure from `tests/suites/helpers.function` into `tests/src/helpers.c`
2021-02-03 19:01:54 +01:00
Gilles Peskine 077599ad85 New test suite for random generation
Test random generation as a whole. This is different from
test_suite_*_drbg and test_suite_entropy, which respectively test PRNG
modules and entropy collection.

Start with basic tests: good-case tests, and do it twice and compare
the results to validate that entropy collection doesn't repeat itself.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-03 18:55:39 +01:00
Paul Elliott c7b53747f7 Fix for memory leak in ssl tests
Fix for leaked buffers on error case in build_transforms() in
test_suite_ssl.function

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-02-03 16:15:05 +00:00
Steven Cooreman 10ec7804c5 Remove HAVE_RAM_AVAILABLE for derive_full and derive_output tests
Both tests do not require a lot of RAM, even though it may seem
like it at first sight. The derivation output is generated blockwise
from the KDF function, which only keeps state amounting to a couple
of blocks of the underlying hash primitive at a time.
There is never an allocation to keep the full derivation capacity in
memory...

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-03 15:21:04 +01:00
Steven Cooreman 83fdb70550 Convert 'large key' testing to accept insufficient memory errors
Since the tested service may run in a different context with a different heap.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-03 15:21:01 +01:00
Steven Cooreman 69967ce17e Get rid of half-baked HAVE_RAM_128K in favor of dynamic heap checking
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-03 15:19:20 +01:00
Ronald Cron 00c3e87422
Merge pull request #3933 from ronald-cron-arm/psa-import-export
Psa import export
2021-02-03 15:02:01 +01:00
Chris Jones 567e0ad8f1 Add documentation and minor style changes
Add doxygen style documentation to `mbedtls_test_fail`, `mbedtls_test_skip`,
`mbedtls_test_set_step` and `mbedtls_test_info_reset`. This should make it
easier to understand how the test infrastructure is used.

Also make some minor style changes to meet the coding standards and make it
more obvious that `mbedtls_test_info.step` was being incremented.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-03 12:07:01 +00:00
Chris Jones a5ab765832 Remove direct writing to test_info from *.function
Add a new function `mbedtls_test_info_reset()` to remove direct writes to
`mbedtls_test_info`. This change still allows values to be read directly
however all writes are now done inside of `helpers.c`.

Also slightly reordered code to make it easier to read.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-02 16:20:45 +00:00
Janos Follath bbd2bfb666
Merge pull request #4096 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-development
Fix buffer overflow in mbedtls_mpi_sub_abs negative case
2021-02-02 13:10:31 +00:00
Ronald Cron 1e87d5ba1d tests: psa: Fix export related tests
Fix some export related tests that were
relying on the fact that the size of the
output buffer was checked after other
parameters.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-02 11:49:08 +01:00
Ronald Cron 80eaa93b59 tests: psa: Reactivate and expand key management through test driver
The compilation guards in key_management.c are now
accelerator compilation guards (MBEDTLS_PSA_ACCEL_KEY_TYPE_xyz).

As a consequence when running the PSA driver wrapper
tests as part of test_psa_crypto_config_basic
and test_psa_crypto_drivers all.sh components all
key management cryptographic operations were handled by
the software builtin fallback, and not by the test driver
as intended in the first place.

This commits fixes this issue by:
. declaring an accelerator for ECC key pairs in
  test_psa_crypto_config_basic.
. declaring an accelerator for both ECC and RSA
  key pairs in test_psa_crypto_drivers.

It is possible to declare an accelerator for both
ECC and RSA key pairs in test_psa_crypto_drivers
and not in test_psa_crypto_config_basic because
in the case of test_psa_crypto_drivers the new
PSA configuration is not activated. That way,
the builtin fallback software implementation
is present to supply the transparent test driver
when some support is missing in it (mainly
RSA key generation).

Note that the declaration of accelerators does
much more than just "fixing" the execution flow of
driver wrapper tests, it makes all import and public
key export cryptographic operations in all unit
tests being handled by the transparent test driver
(provided that it supports the key type).

One test case related to key generation is
partially disabled. This will be fixed with the
rework of psa_generate_key along the lines
described in psa-crypto-implementation-structure.md.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-02 11:38:50 +01:00
Ronald Cron c9066e4488 psa: driver wrapper: Fix generate key unit test dependency
In test_suite_psa_crypto_driver_wrappers test suite, the
generate key with software fallback test should be run
only if the software fallback is available.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-02 11:29:08 +01:00
Gilles Peskine 43e89e1b15 Add mpi_sub_abs negative tests with a larger-in-size second operand
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

This exposes a buffer overflow (reported in #4042).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 17:28:03 +01:00
Gilles Peskine 612ffd2aa1 Fix copypasta in conditional directive in cipher_setup
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine 80a970806f No dependencies for storage format tests
Storage format tests that only look at how the file is structured and
don't care about the format of the key material don't depend on any
cryptographic mechanisms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine b51d72f82e Run copy_fail even when the target policy is unsupported
The negative test cases for psa_copy_key() don't actually care whether
the target policy is supported. This is similar to _key_policy tests.
Add a similar rule.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine 0794572f96 More precise recognition of key policy negative tests
The test function asymmetric_signature_key_policy combines positive
and negative tests inside the code, so it doesn't take a status as its
last argument.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine d6dc40cae1 Update hash dependencies in PSA test code
Switch dependencies on MBEDTLS_xxx to PSA_WANT_xxx for hash
algorithms.

Add a missing dependency in bad_order functions (it was previously
expressed in the .data file, but this is no longer the case when
dependencies in the .data file are determined automatically).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:22:38 +01:00
Gilles Peskine 8405b5f60d Change PSA crypto test dependencies to PSA_WANT_xxx
Replace manually written dependencies on MBEDTLS_xxx with
PSA_WANT_xxx dependencies that are determined automatically from the
test data.

Run tests/scripts/set_psa_test_dependencies.py on
tests/suites/test_suite_psa_crypto*.data,
except for the dynamic secure element tests in
tests/suites/test_suite_psa_crypto_se_driver_hal*.data.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:21:40 +01:00
Gilles Peskine 6fea21d515 Declare a code dependency in the code instead of in the data
When using the test function persistent_key_load_key_from_storage with
DERIVE_KEY, there's a dependency on HKDF-SHA-256. Since this
dependency is in the code, declare it there rather than with the data.
If the depenency is not met, mark the test as skipped since it can't
create the key to be tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:19:26 +01:00
Ronald Cron 336678bccc tests: psa: Test PSA client-only code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-01 13:17:23 +01:00
Ronald Cron f7b666c508 tests: psa: Move PSA key attributes tests
Move PSA key attributes tests to their own
test suite to be able to run them when
MBEDTLS_PSA_CRYPTO_CLIENT is enabled but
not MBEDTLS_PSA_CRYPTO_C.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-01 13:17:23 +01:00
Janos Follath a209f34faf
Merge pull request #3996 from stevew817/feature/allow_reading_external_keys
Allow loading external wrapped keys
2021-01-29 13:34:11 +00:00
paul-elliott-arm a14d1642f4
Merge pull request #4008 from stevew817/bugfix/fix_dependencies
Fix warnings and dependencies when using _ALT in test
2021-01-29 12:24:54 +00:00
Ronald Cron 318515b384
Merge pull request #3984 from gabor-mezei-arm/3268_update_macros_for_ouput_buffer_size_renames
Rename existing support macros for output buffer sizes for PSA Crypto API 1.0.0
2021-01-29 09:31:59 +01:00
Steven Cooreman 29eecbf6e1 move _bad_order() test case dependencies to the function itself
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-28 19:41:25 +01:00
Steven Cooreman 107409f470 Apply review feedback
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-26 12:01:22 +01:00
gabor-mezei-arm cbcec21684
Rename output buffer size macros
Rename existing support macros for output buffer sizes for PSA Crypto API 1.0.0

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-01-21 13:17:25 +01:00
Chris Jones e60e2aeb74 Add mbedtls_ prefix to all public names in helpers.h
Adds the `mbedtls_` prefix to `test_result_t` and `test_info` and updates
any references to them. This is to follow the naming convention as these are
now declared in a public namespace.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-01-20 17:51:47 +00:00
Chris Jones 9634bb10d9 Move helper testing functions to tests/src/helpers.c
Moves the functions `test_fail`, `test_set_step`, `test_skip` and the struct
`test_info` from `tests/suites/helpers.function` to `tests/src/helpers.*`.
This is done to open these functions up to the API where they can be used by
other functions in the 'src' test infrastructure module.

As the functions are now contained within the src folder of the testing
infrastructure, the `mbedtls_` prefix has been added to the functions.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-01-20 15:56:42 +00:00
Chris Jones 1be34dafab Remove redundant test_info assignment
`test_fail` automatically sets `test_info.result`. This commit removes a case
where `test_info.result` was being manually set after `test_fail` was called.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-01-18 17:56:40 +00:00
Dave Rodgman 6fbff5b557
Merge pull request #3698 from darrenkrahn/development
Mark basic constraints critical as appropriate.
2021-01-17 18:06:18 +00:00
Darren Krahn 9c134cef35 Add build instructions for new test data.
Signed-off-by: Darren Krahn <dkrahn@google.com>
2021-01-13 22:04:45 -08:00
Steven Cooreman 9b31218109 Testing a maximum size key is RAM intensive, and should be dependent
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-11 17:59:36 +01:00
Steven Cooreman affc38c90d Make test cases that use PKCS7 padding dependent on it
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-11 17:56:19 +01:00
Steven Cooreman 98435ddf84 Allow loading wrapped keys even when SE support is compiled in
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-11 11:33:10 +01:00
Cédric Meuter d28b228c91 Removed the test verifying the saltlen input
- following the removal of the RSA_VALIDATE_RET() to check
  the salt length, this test is not necessary/required anymore
- negative salt length are caught later in the function

Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 18:21:30 +01:00
Cédric Meuter 333727f35a Added random material in the pkcs1 v21 salt length = max tests
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 16:31:09 +01:00
Cédric Meuter ff3db6a5cf Removed trailing whitespace
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 15:40:33 +01:00
Cédric Meuter 46bad3375f Added more negative test cases for pkcs1_rsassa_pss_sign
- removed the check on saltlen > 0 and added tests
  positive test cases for this.
- added negative test cases when even saltlen == 0
  is not enough. This allowed to uncover an underflow bu
  in the slen check (when olen-slen-2 is negative)
- fixed the saltlen check to avoid underflow
- added more test cases where saltlen is the maximum
  possible value and one above the maximum possible value
  (different hash, different key size)

Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 13:20:35 +01:00
Cédric Meuter 61adfd6ac0 Avoid duplicated test function between pkcs1_rsassa_pss_sign / sign_ext
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 13:20:05 +01:00
Cédric Meuter c5eea8f361 Improved description and fixed typo in test_suite_pkcs1_v21.data
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 13:19:40 +01:00
Cédric Meuter 6882b46299 Replaced legacy TEST_ASSERT( mbedtls_text_hexcmp() ) by ASSERT_COMPARE
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2021-01-10 13:19:25 +01:00
Gilles Peskine c85c20147b Don't call TEST_ASSERT in PSA_DONE
TEST_ASSERT jumps to the exit label, so it must not be called from
cleanup code executed after the exit label. It's legitimate (and
indeed very common) to call PSA_DONE in cleanup code, so PSA_DONE must
not jump to exit.

Define an auxiliary function test_fail_if_psa_leaking() that calls
test_fail() with the error message provided by
mbedtls_test_helper_is_psa_leaking(). This function currently needs to
be in helpers.function rather than in a PSA-specific helper file
because it calls test_fail which is defined in helpers.function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 20:49:42 +01:00
Gilles Peskine 6beb327a5e external_rng_failure_sign: more robust buffer management
Don't microoptimize memory usage in tests: use separate buffers for
the input and the output. Allocate the input buffer dynamically
because the size is a parameter of the test case. Allocate the output
buffer dynamically because it's generally good practice in tests so
that a memory sanitizer can detect a buffer overflow.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 20:16:26 +01:00
Gilles Peskine 3aa5a6414e Fix a test dependency
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 20:06:36 +01:00
Gilles Peskine 1631514b8e Add missing dependencies on key types
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:22:40 +01:00
Gilles Peskine ba0c1ffb72 Depend on the built-in implementation when injecting RNG failure
When verifying the impact of a forced RNG failure, depend on the built-in
implementation of the algorithm that uses randomization, whether it's
because the algorithm is randomized or because our implementation uses
randomization for (e.g.) blinding. An external implementation could use
its own randomness source which is not affected by the forced failure of
the RNG driver.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:22:40 +01:00
Gilles Peskine f547ce8daa MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG: negative tests
Under MBEDTLS_ERR_RSA_RNG_FAILED, add tests where the random generator
failed. This commit tests the following operations:

* psa_generate_random()
* psa_generate_key() for a symmetric key
* Deterministic signatures that use blinding (RSA PKCS#1v1.5,
  deterministic ECDSA).
* Randomized signatures (RSA PSS, randomized ECDSA).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:22:40 +01:00
Gilles Peskine 8ae012b603 Generalize test_suite_psa_crypto_entropy
Prepare it for testing aspects of entropy other than
MBEDTLS_PSA_INJECT_ENTROPY.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:21:18 +01:00
Gilles Peskine 76175ba785 Disable the insecure PSA test RNG by default
To reduce the risk of people accidentally using the test
implementation of mbedtls_psa_external_get_random(), which is
insecure, require the user to explicitly call
mbedtls_test_enable_insecure_external_rng() first.

Disabling the test implementation of mbedtls_psa_external_get_random()
will also allow negative testing for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG,
which will be added in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:21:18 +01:00
Gilles Peskine f6be590bf6 Include psa_crypto_helpers.h in helpers.function
Include psa_crypto_helpers.h automatically if MBEDTLS_PSA_CRYPTO_C is
enabled, like helpers.h is included automatically.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:21:18 +01:00
Gilles Peskine 9a4baa1336 Remove unnecessary precautions around #include psa_crypto_helpers.h
psa_crypto_helpers.h no longer defines static functions, so it can be
included anywhere without worrying about unused functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 18:19:17 +01:00
Gilles Peskine a51e1dbe76
Merge pull request #3895 from gilles-peskine-arm/psa-external-random
Alternative random generator support for PSA
2021-01-06 17:09:11 +01:00
Cédric Meuter bc13cd9b1a Replaced ascii hex input by binary input for all key material
This results in smaller test binaries which is a plus on
target with limited resources.

Signed-off-by: Cédric Meuter <cedric.meuter@worldline.com>
2020-12-28 14:39:33 +01:00
Cédric Meuter d2dc1f1a83 Fixed test_suite_pkcs1_v21.data for build witout SHA35
The test suite assumed that if SHA512 was enabled, then
SHA384 was also available. This is not true. There is
config MBEDTLS_SHA512_NO_SHA384 which allows precisely
to add SHA512 and not SHA384.

This commits adds the necessary `depends_on` clause,
to avoid running the SHA384 tests when config
MBEDTLS_SHA512_NO_SHA384 is set.

Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2020-12-24 13:16:05 +01:00
Cédric Meuter 668a78d952 Added sppecific test cases for mbedtls_rsa_rsassa_pss_sign_ext()
- all positibe test cases were sampled from the CAVP test suite
  (SigGenPSS_186-2.txt, SigGenPSS_186-3.txt)
  Only kept one representative for each triple (modlen, sha, saltlen)
- two extra test cases were added to cover the maximum salt length
  (slen=olen-slen-2 and slen=(olen-slen-2)-1)
- in rsa.c, the salt intermediate buffer was too small to cover cases
  where slen > hlen. So reworked the code to generate the salt in the
  encoded message directly. This has the advantage to remove a memcpy
  and a memset.

Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2020-12-24 11:30:08 +01:00
Cédric Meuter a05cbecc90 Added tests for mbedtls_rsa_rsassa_pss_sign_ext()
- added some invalid param tests in test_suite_rsa
- added functional tests in test_suite_pkcs1_v21

Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
2020-12-24 10:07:41 +01:00
Gilles Peskine b2b64d3642 Rename psa_crypto_random.h to psa_crypto_random_impl.h
Make it clear that this is an abstraction of the random generator
abstraction, and not an abstraction of the PSA random generator.

mbedtls_psa_get_random and MBEDTLS_PSA_RANDOM_STATE are public-facing
definitions and will be moved in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-14 16:43:58 +01:00
Janos Follath 0cbdc61171 Bump version to Mbed TLS 2.25.0
Executed ./scripts/bump_version.sh --version 2.25.0 --so-crypto 6

Increasing the SO version of the crypto library, because the openless
API improvement came with API/ABI incompatibilities. For example
    - the size of psa_key_handle_t changed
    - the type of a parameter in 18 public functions has changed from
      psa_key_handle_t to mbedtls_svc_key_id_t

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 15:05:22 +00:00
Janos Follath a946dcf8b2 Merge branch 'development-restricted' into mbedtls-2.25.0r0-pr 2020-12-08 20:59:45 +00:00
Gilles Peskine 6d5c7bc69a
Merge pull request #3898 from paul-elliott-arm/fix_pem_write
Remove Extraneous bytes from buffer post pem write
2020-12-08 12:31:40 +01:00
Gilles Peskine 2b759626a9
Merge pull request #3948 from bensze01/update_psa_values
Update the values of PSA Crypto API macros to version 1.0.0
2020-12-08 11:03:33 +01:00
Bence Szépkúti cbe395332c Substitute PSA_ALG_STREAM_CIPHER into all files
Deprecate PSA_ALG_ARC4 and PSA_ALG_CHACHA20.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-08 00:01:31 +01:00
Bence Szépkúti c6a26c940c Update PSA Crypto persistent key storage tests
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-07 23:03:59 +01:00
Paul Elliott 557b8d663a Remove Extraneous bytes from buffer post pem write
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 17:29:42 +00:00
Ronald Cron 771090659e
Merge pull request #3393 from geecrypt/development
Support set *_drbg reseed interval before seed
2020-12-07 14:29:52 +01:00
Janos Follath 3aae5d4ed7
Merge pull request #781 from mpg/cipher-auth-crypt-restricted
Fix buffer overflow with NIST-KW in cipher layer
2020-12-07 12:58:36 +00:00
Janos Follath 7973e2b358
Merge pull request #772 from chris-jones-arm/development-restricted
Fix Diffie-Hellman large key size DoS
2020-12-07 09:28:55 +00:00
Gilles Peskine 8a3d234859 Fail the test case immediately if cipher_reset_key fails
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 10:02:13 +01:00
Gilles Peskine a2971ea62c Simplify some buffer comparisons in tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:47 +01:00
Gilles Peskine 70edd689a8 cipher_auth_xxcrypt(): fix some null pointer handling
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.

Make sure to pass NULL for an empty buffer in the tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 09:58:26 +01:00
Manuel Pégourié-Gonnard b23e31d86a Minor documentation/comment fixes
typos, overlong lines

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-07 09:57:35 +01:00
Gilles Peskine 56f943a184 Always test in-place addition and subtraction
Run all the addition and subtraction tests with the result aliased to
the first operand and with the result aliased to the second operand.
Before, only some of the aliasing possibilities were tested, for only
some of the functions, with only some inputs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-06 22:32:02 +01:00
Chris Jones e64a46f466 Fix exponentiation tests with MBEDTLS_MPI_MAX_BITS larger than 256
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:48:27 +00:00
Chris Jones 7c430305e3 Move dependancy to specific test cases
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 15:22:25 +00:00
Chris Jones 4592bd8982 Fix broken testing on numbers that may be greater than MPI_MAX_SIZE
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.

This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 14:24:33 +00:00
Chris Jones e146bdcff9 Fix cases where exponentiation was not fully tested
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.

This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 11:52:40 +00:00
Chris Jones aa850cdfdc Reword test cases
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 11:35:41 +00:00
Manuel Pégourié-Gonnard f215ef82af Test that auth_decrypt{,_ext}() zeroize on failure
The documentation says it does, so it should be tested.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:33:31 +01:00
Manuel Pégourié-Gonnard 86796bc8a5 Add check_param test for cipher_auth_xxcrypt_ext()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:10 +01:00
Manuel Pégourié-Gonnard 9b2a78966f Use exact-size buffers for testing auth_xxcrypt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:10 +01:00
Manuel Pégourié-Gonnard 513c243317 Deprecate mbedtls_cipher_auth_xxcrypt()
This temporarily breaks all.sh '*deprecated*' (deprecated functions still used
in the library), which will be fix in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Manuel Pégourié-Gonnard f2ffbc4387 Stop supporting NIST_KW in cipher_auth_xxcrypt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Manuel Pégourié-Gonnard 53f10e70fd Test cipher_auth_{en,de}crypt_ext()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Manuel Pégourié-Gonnard 89a8fe50fe Extract helper function for repeated test code
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:09 +01:00
Manuel Pégourié-Gonnard 4c1a1006df Improve comments/structure of auth_crypt test
We want to test both sets of functions (ext and non-ext) in turn, so goto exit
is not really and option.

Also, separate setting up the context (which is going to be the same for both
ext and non-ext functions) from setting up the buffers (which will vary).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-12-03 12:25:08 +01:00
Chris Jones a03f56fe8f Extend exponentiation test coverage
Add two further boundary tests for cases where both the exponent and modulus to
`mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 11:20:33 +00:00
Gilles Peskine a282984c3d
Merge pull request #773 from paul-elliott-arm/discrepancy_cert
Add missing tag check to signature check on certificate load
2020-12-03 12:19:39 +01:00
Manuel Pégourié-Gonnard 489c058b52 Merge branch 'development' into development-restricted
* development: (488 commits)
  Fix removal of deprecated PSA constants
  Use GitHub-compatible table formatting
  Remove psa header files in uninstall part
  Change function casting in `ssl_calc_finished_tls_sha384`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Add changelog entry file to `ChangeLog.d`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Fix GCC warning about `test_snprintf`
  Fix mismatched function parameters (prototype/definition)
  Fix build failure on gcc-11
  Copyediting
  Clarifications around key import
  Fix copypasta
  A variable is unused in some configurations
  Rename test_driver_keygen to test_driver_key_management
  Move "internal use" sentence attached to the wrong function
  Added changelog
  Plug in the entry point for public key export through driver
  tests: psa: Reset key attributes where needed
  Improve/fix documentation
  ...
2020-12-03 09:59:42 +01:00
Chris Jones d10b331574 Test that overly large Diffie-Hellman keys are rejected
Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with
an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size.

Adds test cases to ensure that Diffie-Hellman will fail to make a key pair
(using `mbedtls_dhm_make_public`) when the prime modulus is greater than
`MBEDTLS_MPI_MAX_SIZE` in size.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-02 15:25:27 +00:00
Chris Jones 0c5875fd0c Test that overly large Diffie-Hellman keys are rejected
Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size
larger than MBEDTLS_MPI_MAX_SIZE.
Add a test case to ensure that Diffie-Hellman operations fail when using a key
size larger than MBEDTLS_MPI_MAX_SIZE.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-02 15:51:39 +00:00
Paul Elliott ca17ebfbc0 Add tag check to cert algorithm check
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.

Regression test added (one of the client certs modified accordingly)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-11-26 16:34:16 +00:00
gabor-mezei-arm 9209db0865
Update and add tests
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-11-26 15:54:35 +01:00
Gavin Acquroff 6aceb51e43 Support set *_drbg reseed interval before seed
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.

*_drbg_reseed_interval is now set in init() and free().

mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().

Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_CTR_DRBG_RESEED_INTERVAL.

Signed-off-by: gacquroff <gavina352@gmail.com>
2020-11-25 14:25:56 -08:00
Gilles Peskine 3cb1e296a4 Test mbedtls_mpi_fill_random
Positive tests: test that the RNG has the expected size, given that we
know how many leading zeros it has because we know how the function
consumes bytes and when the test RNG produces null bytes.

Negative tests: test that if the RNG is willing to emit less than the
number of wanted bytes, the function fails.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-25 17:30:44 +01:00
Rodrigo Dias Correa 80448aae2c Fix GCC warning about test_snprintf
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".

Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-25 01:13:12 -03:00
Gilles Peskine 82e57d1611 PSA: support HMAC_DRBG
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.

Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine 4fc21fdeb6 Implement MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Implement support for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.

For test purposes, write an implementation that uses libc rand().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine 9aaa3e164a
Merge pull request #3786 from stevew817/feature/generate_pubkey_in_driver
Add export_public_key entry point for drivers
2020-11-23 11:54:53 +01:00
Gilles Peskine c24023649e Rename test_driver_keygen to test_driver_key_management
```
perl -i -pe 's/test_driver_keygen/test_driver_key_management/g' tests/src/drivers/key_management.c tests/suites/test_suite_psa_crypto_driver_wrappers.function
```

Follow-up of c4813a6e80

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-22 19:23:27 +01:00
Gilles Peskine 662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Steven Cooreman b9b844220b Plug in the entry point for public key export through driver
Including test.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-11-20 17:31:24 +01:00
Ronald Cron 3a4f0e3cc4 tests: psa: Reset key attributes where needed
After a call to psa_get_key_attributes() to retrieve
the attributes of a key into a psa_key_attributes_t
structure, a call to psa_reset_key_attributes() is
mandated to free the resources that may be
referenced by the psa_key_attributes_t structure.
Not calling psa_reset_key_attributes() may result in
a memory leak.

When a test function calls psa_get_key_parameters()
the associated key attributes are systematically
reset in the clean-up part of the function with a
comment to emphasize the need for the reset and make
it more visible.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-20 13:57:26 +01:00
Ronald Cron 1d12d87d18 Improve/fix documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-20 13:57:15 +01:00
Ronald Cron ab79bd27b6 tests: slot mgmt: Improve key_slot_eviction_to_import_new_key test
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron 9e12f8f425 tests: psa crypto: Fix lifetime_is_secure_element()
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
Ronald Cron 7d54f661d3 Miscellaneous coding style fixes
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-13 09:49:01 +01:00
Ronald Cron 19daca9b2e Prefer persistent over permanent
For consistency across the code base, prefer
persistent over permanent to qualify a key
stored in persistent storage.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-11 15:12:16 +01:00
Ronald Cron 77c89f5ad6 Fix several typos
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-11 15:12:14 +01:00
Ronald Cron a5b894f7e2 psa: mgmt: Add key slot reuse
When looking for an empty key slot to store
the description of a key, if all key slots
are in use, reuse the first encountered
and unaccessed key slot containing the
description of a permanent key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron 54b900827b psa: Forbid creation/registration of keys in vendor range
The identifier of keys created/registred should be in
the application range.

This is by spec for key creation.
This may change for registered key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron 65f38a3c2e Add key id check when creating a volatile key
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:19:59 +01:00
Ronald Cron d98059d599 psa: Fix tests/handling of lifetime incompatible with location
The lifetime of key attributes now encodes whether a key is
volatile/persistent or not AND its location.
Fix PSA code where the fact that the lifetime encodes
the key location was not taken into account properly.

Fix the impacted tests and add two non regression tests.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 18:18:15 +01:00
Ronald Cron f1ff9a83fa tests: psa: Use PSA_KEY_LIFETIME_IS_VOLATILE where it should
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron 390f607f7f Add tests checking owner of volatile keys
When key identifiers encode key owner, add tests
checking that:
. the key owner of an imported volatile key is
  the one specified.
. a key identifier of a volatile key with a valid
  PSA key identifier but the wrong owner is
  rejected.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron fc9c556127 Forbid volatile key identifiers for non volatile keys
Volatile key identifiers in the vendor range are
reserved to volatile keys thus don't allow them
for persistent keys when creating a key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron f67aefed3f tests: slot mgmt: Add psa_purge_key testing
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron 994b80546c tests: slot mgmt: Fix test data
For persistent keys there were two successive
INVALIDATE_BY_(CLOSING/DESTROYING) identical tests
where the comments of the second test rather
indicated that it should had been an
INVALIDATE_BY_(CLOSING/DESTROYING)_WITH_SHUTDOWN test.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:18:07 +01:00
Ronald Cron e7e86cfa3c tests: slot mgmt: Rename ways of invalidating keys
Rename ways of invalidating keys before introducing
key purging tests because the "CLOSE_BY" prefix doesn't
get on well with the purge operation.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:13:55 +01:00
Ronald Cron 3930997922 tests: slot mgmt: Add purge checks in volatile key lifecycle test
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 5425a21fd2 tests: Adapt PSA tests to openless APIs
psa_key_handle_equal() is removed as not used
anymore.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron e4f6d5c5fe tests: Fix persistent slot lifecycle tests
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 4184107d2e tests: Fix checks of volatile key identifier
Volatile keys have now a volatile non-null key
identifier.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 432e19c7b2 tests: Fix error codes when using "invalid" handles
As handles are now key identifiers, a handle may be
valid now even if it does not refer to any key
known to the library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 2d52eb2f78 tests: Fix invalid key identifier error code
PSA Crypto API spec defines the error code for
an invalid key identifier as PSA_ERROR_INVALID_HANDLE.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron c4d1b514ab Define handles as key identifiers
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.

The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 47a85614ed Introduce psa_key_handle_equal inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron c26f8d467a Introduce psa_key_handle_is_null inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron 91e9515424 Introduce PSA_KEY_HANDLE_INIT macro
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Gilles Peskine db6e33e12a
Merge pull request #3826 from frestr/test/chachapoly_vector
PSA Crypto: Add zero-length input test vectors for ChaChaPoly
2020-11-03 23:17:00 +01:00
Steven Cooreman c4813a6e80 Rename 'keygen' to 'key management'
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-29 12:04:31 +01:00
Fredrik Strupe d61ed3c52f PSA Crypto: Add zero-length input test vectors for ChaChaPoly
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-10-27 14:11:53 +01:00
Steven Cooreman 0452476eac Implement, plug in and test validate_key driver entry point
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Gilles Peskine 01fc209969
Merge pull request #3748 from torstenes/3740_PSA_key_storage_systematically_store_bits
Changes PSA key storage format to include key bits
2020-10-26 15:33:58 +01:00
Torstein Nesse 821f291d77 Ensure that all test vectors only contain one error.
Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
2020-10-24 09:46:49 +02:00
Gilles Peskine 1b275cc5d0
Merge pull request #3772 from frestr/bugfix/ccm_add_length
Fix additional data length field check for CCM
2020-10-21 22:31:48 +02:00
Gilles Peskine 176fca03b4
Merge pull request #3793 from daverodgman/ccm_test_memory_fix
Fix memory allocation in ccm tests
2020-10-21 22:30:50 +02:00
Gilles Peskine b7eaa77e2a
Merge pull request #3743 from stevew817/bugfix/use_ecdh_key_in_streamlined_derivation
Fix PSA crypto inconsistencies in agreement+derivation
2020-10-21 13:25:21 +02:00
Torstein Nesse d9246559ca Update changelog entry, format specification, and correct test vectors
Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
2020-10-21 11:17:09 +02:00
Ronald Cron 60ca77ca75
Merge pull request #3730 from gilles-peskine-arm/psa_generate_key-curve25519
Fix psa_generate_key on Curve25519
2020-10-21 09:03:00 +02:00
Steven Cooreman fa5e631d23 Apply review feedback
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-15 17:07:12 +02:00
Dave Rodgman 2e680348ad Fix memory allocation in ccm tests
The ccm tests were previously relying on unspecified behaviour in
the underlying implementation (i.e. that it rejects certain buffer
sizes without reading the buffer).

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2020-10-15 15:02:54 +01:00
Fredrik Strupe 5e940c6068 Fix additional data length field check for CCM
The CCM specification (NIST SP 800-38C) mandates that the formatting of
the additional data length l(a) changes when it is greater _or equal_ to
2^16 - 2^8 (>= 0xFF00). Since such lengths are not supported in mbed TLS,
the operation should fail in such cases.

This commit fixes an off-by-one error which allowed encryption/decryption
to be executed when l(a) was equal to 0xFF00, resulting in an
incorrect/non-standard length format being used.

Fixes #3719.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-10-08 12:09:44 +02:00
Torstein Nesse 162a1104be Changes PSA key storage format to include key bits
* Stores bits in psa_persistent_key_storage_format.
* psa_load_persistent_key_into_slot still imports plaintext keys which
  ensures that the bits value gets set.
* Updates key specification to match new implementation.
* Expands persistent store and load tests with to check for bits
  attribute.
* Removes bits storage from psa_se_key_data_storage_t.

Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
2020-10-07 10:54:24 +02:00
Janos Follath 72ca39737f
Merge pull request #3723 from frestr/bugfix/invalid_argument_on_invalid_input
Use PSA_ERROR_INVALID_ARGUMENT for invalid cipher input sizes
2020-10-07 09:21:01 +01:00
Gilles Peskine ef94c4fcf4
Merge pull request #3474 from ronald-cron-arm/common-mbedtls_param_failed
Common mbedtls_param_failed()
2020-10-06 22:15:42 +02:00
Steven Cooreman 0ee0d52967 Fix PSA crypto inconsistencies in agreement+derivation
* #3742 After input of a key as SECRET in the derivation, allow the
        derivation result to be used as key.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-05 16:08:18 +02:00
Steven Cooreman ce48e85db9 Fix PSA crypto inconsistencies in agreement+derivation
* #3741 Allow key agreement inside derivation with a key that's allowed
        for the relevant agreement.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-05 16:02:45 +02:00
Gilles Peskine 326e474a6d Add basic test cases for Curve25519
Test import and key generation, each followed by a key agreement. Only
good cases in this commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-30 17:01:18 +02:00
Fredrik Strupe f90e3019dd Use PSA_ERROR_INVALID_ARGUMENT for invalid cipher input sizes
... as opposed to PSA_ERROR_BAD_STATE.

The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:

"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."

Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.

This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.

Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-09-30 12:26:58 +02:00
Darren Krahn e560be3ab4 Mark basic constraints critical as appropriate.
Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension
must be marked critical.

Signed-off-by: Darren Krahn <dkrahn@google.com>
2020-09-21 18:25:35 -07:00
Janos Follath 2a25904f45
Merge pull request #3568 from hanno-arm/tls13_experimental_key_schedule_1
TLS 1.3: Add HKDF-based key derivation functionality
2020-09-16 11:40:06 +01:00
Gilles Peskine dc57c25e30
Merge pull request #3527 from ronald-cron-arm/key-extended-id
PSA key identifiers rework
2020-09-15 16:06:06 +02:00
Steven Cooreman ef8575e1bf Apply review feedback
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
  is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
  the spec says it won't.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman 89e54f2edc Add mock and negative testing to cipher driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 17:00:47 +02:00
Steven Cooreman eca33c60f8 Add testing of fallback to cipher operations
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:35:33 +02:00
Steven Cooreman 5240e8b519 Style and language fixes from review
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Steven Cooreman acb5a100a7 Structify cipher test driver hook variables
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Steven Cooreman d53c1bf6f2 Exercise the AES-CTR multipart driver and check it gets called
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-14 16:31:58 +02:00
Gilles Peskine b1d3f2779b
Merge pull request #3480 from stevew817/feature/aes-ecb
Added support for AES-ECB to the PSA Crypto implementation
2020-09-14 14:45:14 +02:00
Gilles Peskine 6bf4f5fb65
Merge pull request #3585 from jdurkop/fix/undefined-reference-3294
Fix the build with MBEDTLS_USE_PSA_CRYPTO without ECDSA
2020-09-10 21:59:49 +02:00
Hanno Becker 29ea84e906 Avoid duplicated test case names in TLS 1.3 key schedule unit tests
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 13:52:40 +01:00
Hanno Becker 3eb3563c0b Fix TLS 1.3 key schedule unit test case name
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 12:47:56 +01:00
Hanno Becker 1413bd8ae9 Simplify identification of TLS 1.3 labels in unit test suite
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 12:46:09 +01:00
Hanno Becker 8c82bfdf22 Use TLS1_3_CONTEXT_[UN]HASHED in 1.3 key schedule tests
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 11:03:08 +01:00
Hanno Becker 81e91d46ad Add further unit tests for TLS 1.3 key schedule
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 10:58:49 +01:00
Hanno Becker 70d7fb0c2d Don't hardcode TLS 1.3 labels in test cases
ssl_tls1_3_keys.c exports a structure containing all labels used
in the TLS 1.3 key schedule, but the TLS 1.3 key scheduling unit
tests so far replicated those labels in the test file. In particular,
wrong label values in ssl_tls1_3_keys.c wouldn't have been caught
by the unit tests.

This commit modifies the TLS 1.3 key schedule unit tests to use
the TLS 1.3 labels as exported by ssl_tls1_3_keys.c. This not only
makes sure that those labels are correct, but also avoids hardcoding
their hex-encoding in the test file.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-09 10:17:37 +01:00
John Durkop d4efa8d0ac Fix pk_ec_test_vec() to use MBEDTLS_MD_NONE
The pk_ec_test_vec() was incorrectly using MBEDTLS_MD_SHA1 for the
parameter to mbedtls_pk_verify(). It should use MBEDTLS_MD_NONE since
that parameter is ignored for this test case.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-08 22:14:32 -07:00
Hanno Becker ab2ce23f92 Fix typo in SSL test suite
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 11:09:32 +01:00
Hanno Becker 493ea7f4ae Remove instances of camelCase in TLS 1.3 key schedule
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 11:08:06 +01:00
Hanno Becker fb08096b9b Use ASSERT_COMPARE instead of TEST_ASSERT( memcmp( ... ) == 0 )
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 11:07:42 +01:00
Hanno Becker f376cee8b4 Remove redundant dependency in TLS 1.3 key generation tests
The relevant test functions are already marked as depending on
`MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`, so there's no need
to re-state this dependency for each test case.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:53:45 +01:00
Hanno Becker 73c825ae4f Shorten include path in test_suite_ssl.function
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:52:58 +01:00
Hanno Becker 2d2c3eb687 Add tests for TLS 1.3 key evolution function
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:28:29 +01:00
Hanno Becker e4849d10a6 Add test vectors for TLS 1.3 Derive-Secret
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:28:28 +01:00
Hanno Becker 19498f8fbd Add test vectors for TLS 1.3 traffic key generation
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:28:28 +01:00
Hanno Becker 39ff4928ff Add test vectors for TLS 1.3 HKDF-Expand-Label
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-09-08 10:28:28 +01:00
Gilles Peskine 1ffec8f68f
Merge pull request #3501 from stevew817/feature/transparent_drivers_trial
Add partial implementation of accelerator API defined in #3493
2020-09-07 18:02:03 +02:00
Steven Cooreman 177deba54b Fix style and pull out ECB processing in separate function
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-07 17:14:14 +02:00
Steven Cooreman 0d7c64dd8f Changed test driver include folder to reflect it's a test driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-07 16:17:55 +02:00
Steven Cooreman 831c695787 Apply feedback from PR review
* Moved test data to .data file
* Bundled test driver hook variables in a struct
* Style fixes

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-07 14:01:52 +02:00
Gilles Peskine 853f9bd65e
Merge pull request #3625 from gilles-peskine-arm/test-fail-report-first
Report the first unit test failure, not the last one
2020-09-05 11:15:55 +02:00
Steven Cooreman 1cd39d5229 Use own define for building with test drivers
Trying to compile in the PSA accelerator test driver under MBEDTLS_TEST_HOOKS
turned out to be awkward regarding existing builds. We'll put it under a
custom (not in config.h) define instead, since it's something that only
should happen in test.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman 2a1664cb49 Add & splice in test driver for ECC keygen
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman 55ae2176ab Add and splice in signature verification through driver
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Steven Cooreman d57203d955 Add driver tests and run them through all.sh
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:27 +02:00
Gilles Peskine 0deccf1f3e Initialize ret from test code
The test function mbedtls_mpi_lt_mpi_ct did not initialize ret in test
code. If there was a bug in library code whereby the library function
mbedtls_mpi_lt_mpi_ct() did not set ret when it should, we might have
missed it if ret happened to contain the expected value. So initialize
ret to a value that we never expect.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-02 15:33:45 +02:00
Ronald Cron f1c9a55947 tests: psa: Add checks involving unknown key owner ids
Add checks involving unknown key owner identifiers
in tests related to SE and persistent keys.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 81e005042e tests: psa: Add owner identifier as test parameter
To test the proper handling of owner identifier as of key
identifiers, add owner identifier(s) to tests having
key identifier(s) as test parameters. Just don't do it for
tests related to tests invalid values of key identifiers
as there is no owner identifier invalid values.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 5731f6f5d7 tests: psa: Fix storage purge in se_driver_hal tests (2)
Delete key files based on declaration by test cases and
not based on a hardcoded list of identifiers as in
test_suite_psa_crypto_slot_management.function. This fixes
the fact that in case of error the file associated to the
key identifier PSA_KEY_ID_VENDOR_MAX was not purged
(register_key_smoke_test test function).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 978d57d61e tests: psa: Fix storage purge in se_driver_hal tests (1)
Remove systematic deletion of key file associated to key
identifier 0 as this file is not created under the hood
anymore by the library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron ecfb237f23 Fix PSA code and unit tests
Fix PSA code and unit tests for the unit tests
to pass with key identifiers encoding owner
identifiers.

The changes in PSA code just make the enablement
of key identifiers encoding owner identifiers
platform independent. Previous to this commit,
such key identifiers were used only in the case
of PSA SPM platforms.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 71016a9ea7 psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t
With PSA crypto v1.0.0, a volatile key identifier may
contain a owner identifier but no file is associated
to it. Thus rename the type psa_key_file_id_t to
mbedtls_svc_key_id_t to avoid a direct link with a
file when a key identifier involves an owner
identifier.

The new type name is prefixed by mbedtls to highlight
that the type is specific to Mbed TLS implementation
and not defined in the PSA Cryptography API
specification.

The svc in the type name stands for service as this
is the key identifier type from the point of view of
the service providing the Cryptography services.
The service can be completely provided by the present
library or partially in case of a multi-client service.

As a consequence rename as well:
. MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to
  MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
. PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT
. PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID
. psa_key_file_id_make to mbedtls_svc_key_id_make

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 039a98b598 Define always psa_key_id_t as defined in PSA crypto spec
Define always psa_key_id_t as defined in the PSA
Cryptography API specification independently of
whether the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration file is set or not.

As a consequence, get rid of `psa_app_key_id_t` that is
not needed anymore.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron 27238fcbd8 psa: Use psa_key_file_id_t as the key id type
The purpose of this commit and the following is for
psa_key_id_t to always be as defined by the PSA
Cryptography API specification.

Currently psa_key_id_t departs from its specification
definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration flag is set. In that configuration, it is set
to be equal to psa_key_file_id_t which in that configuration
encodes an owner identifier along the key identifier.

Type psa_key_file_id_t was meant to be the key identifier type
used throughout the library code. If
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it
includes both a key and owner identifier, otherwise it is
equal to psa_key_id_t.

It has not been the key identifier type throughout the
library so far because when the PSA Cryptography
specification was developped the library Doxygen
documentation was used to generate the PSA Cryptography API
specification thus the need to use psa_key_id_t and not
psa_key_file_id_t.

As this constraint does not hold anymore, move
to psa_key_file_id_t as the key identifier type throughout
the library code.

By the way, this commit updates the key identifier
initialization in the tests to be compatible with a
composit key identifier. A psa_key_id_make()
inline function is introduced to initialize key
identifiers (composit ot not) at runtime.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Gilles Peskine 349eadc58f Report the first failure, not the last one
If test_fail is called multiple times in the same test case, report
the location of the first failure, not the last one.

With this change, you no longer need to take care in tests that use
auxiliary functions not to fail in the main function if the auxiliary
function has failed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-31 10:09:57 +02:00
Victor Krasnoshchok b3129ba119
Refactoring after CR and new unit test #3175
Signed-off-by: Victor Krasnoshchok <ct3da21164@protonmail.ch>
2020-08-29 22:54:37 +03:00
Janos Follath 17ffc5da8d Bump version to Mbed TLS 2.24.0
Executed "./scripts/bump_version.sh --version 2.24.0"

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-08-26 16:22:57 +01:00
Janos Follath d2ce916b58 Merge branch 'development-restricted' 2020-08-26 14:15:34 +01:00
Gilles Peskine d4b9133850
Merge pull request #3611 from gilles-peskine-arm/psa-coverity-cleanups-202008
Minor fixes in PSA code and tests
2020-08-26 13:18:27 +02:00
Gilles Peskine 9e4d4387f0
Merge pull request #3433 from raoulstrackx/raoul/verify_crl_without_time
Always revoke certificate on CRL
2020-08-26 12:56:11 +02:00
Gilles Peskine a2e518daf5 Fix the documentation of has_even_parity
The documentation had the boolean meaning of the return value inverted.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 12:14:37 +02:00
Gilles Peskine ed9fbc6443 Clearer function name for parity check
Return a name that more clearly returns nonzero=true=good, 0=bad. We'd
normally expect check_xxx to return 0=pass, nonzero=fail so
check_parity was a bad name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 11:16:50 +02:00
Gilles Peskine 6c75152b9f Explain the purpose of check_parity
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 10:24:26 +02:00
Gilles Peskine 34f063ca47 Add missing cleanup to hash multipart operation tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 10:24:13 +02:00
Gilles Peskine 29c4a6cf9f Add negative tests for MAC verification
Add negative tests for psa_mac_verify_finish: too large, too small, or
a changed byte.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine 090e16cb8b Don't destroy the key during a MAC verification operation
An early draft of the PSA crypto specification required multipart
operations to keep working after destroying the key. This is no longer
the case: instead, now, operations are guaranteed to fail. Mbed TLS
does not comply yet, and still allows the operation to keep going.
Stop testing Mbed TLS's non-compliant behavior.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine 8b356b5652 Test other output sizes for psa_mac_sign_finish
Test psa_mac_sign_finish with a smaller or larger buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine 5e65cec5e8 Simplify output bounds check in mac_sign test
Rely on Asan to detect a potential buffer overflow, instead of doing a
manual check. This makes the code simpler and Asan can detect
underflows as well as overflows.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine 3d404d677e Test PSA_MAC_FINAL_SIZE in mac_sign exactly
We expect PSA_MAC_FINAL_SIZE to be exact in this implementation, so
check it here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine cd65f4ccac Add empty-output-buffer test cases for single-part hash functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine e92c68a878 Note that a failure in cleanup is intentional
In the cleanup code for persistent_key_load_key_from_storage(), we
only attempt to reopen the key so that it will be deleted if it exists
at that point. It's intentional that we do nothing if psa_open_key()
fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine 64f13ef6ab Add missing cleanup to some multipart operation tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine a09713c795 test cleanup: Annotate file removal after a failed creation
Let static analyzers know that it's ok if remove() fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:50:18 +02:00
Gilles Peskine 14613bcd75 Fix parity tests to actually fail the test on error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:30:31 +02:00
Steven Cooreman ffecb7b982 Implement support for multipart ECB and add tests
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 17:00:24 +02:00
Janos Follath d4ac4e037b
Merge pull request #736 from mpg/cf-varpos-copy-dev-restricted
Constant-flow copy of HMAC from variable position
2020-08-25 14:35:55 +01:00
Steven Cooreman a6033e92af Style and language fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 12:32:22 +02:00
Manuel Pégourié-Gonnard 04b7488411 Fix potential use of uninitialised variable
If any of the TEST_ASSERT()s that are before the call to
mbedtls_pk_warp_as_opaque() failed, when reaching the exit label
psa_destroy_key() would be called with an uninitialized argument.

Found by Clang.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 10:45:51 +02:00
Gilles Peskine 0f343ac87f
Merge pull request #3528 from gufe44/helpers-redirect-restore-output
Fix bug in redirection of unit test outputs
2020-08-24 10:45:08 +02:00
Manuel Pégourié-Gonnard 8a79b9b68c Fix "unused function" warning in some configs
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-24 10:29:30 +02:00
gufe44 067f6e01f1 Fix bug in redirection of unit test outputs
Avoid replacing handle. stdout is defined as a macro on several platforms.

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-21 08:32:26 +02:00
Dan Handley abccfc1684 Merge development into development-restricted
* development:
  Update copyright notices to use Linux Foundation guidance
  Undef ASSERT before defining it to ensure that no previous definition has sneaked in through included files.
  Add ChangeLog entry for X.509 CN-type vulnerability
  Improve documentation of cn in x509_crt_verify()
  Fix comparison between different name types
  Add test: DNS names should not match IP addresses
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ssl-opt.sh: remove old buildbot-specific condition
  ssl-opt.sh: add proxy to all DTLS tests

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-08-20 11:07:12 +01:00
Manuel Pégourié-Gonnard feb0396d20 Fix memory leak in test_suite_x509write with PSA crypto
The documentation of mbedtls_pk_wrap_as_opaque is quite clear:

 * \param handle    Output: a PSA key handle.
 *                  It's the caller's responsibility to call
 *                  psa_destroy_key() on that handle after calling
 *                  mbedtls_pk_free() on the PK context.

But the test failed to call psa_destroy_key().

While at it, also use PSA_DONE(): it ensures that if we fail to destroy the
key, we'll get an explicit error message about it without the need for
valgrind.

This is a preliminary to adding a valgrind-based test for constant-flow code:
we need to make sure the rest of the tests are fully valgrind-clean, which
they weren't.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-20 10:21:32 +02:00
Manuel Pégourié-Gonnard 7fe2c5f086 Add mbedtls_ssl_cf_memcpy_offset() with tests
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296

The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-19 11:56:02 +02:00
Bence Szépkúti 1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Raoul Strackx a4e86141f1 Always revoke certificate on CRL
RFC5280 does not state that the `revocationDate` should be checked.

In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.

https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2020-08-17 09:05:03 +02:00
Gilles Peskine 71f4fa13bb
Merge pull request #721 from gilles-peskine-arm/x509parse_crl-empty_entry-development
Fix buffer overflow in x509_get_entries (oss-fuzz 24123)
2020-08-14 23:22:31 +02:00
Manuel Pégourié-Gonnard 8ca03a7b68
Merge pull request #3554 from mpg/x509-verify-non-dns-san-dev
X509 verify non-DNS SANs
2020-08-14 11:32:22 +02:00
Manuel Pégourié-Gonnard c4af324a4b Merge branch 'development' into development-restricted
* development: (55 commits)
  Log change as bugfix
  Add changelog entry
  Clarify updates to the persistent state in storage
  With multiple applicable transparent drivers, the order is unspecified
  Minor clarifications
  Give some examples of purpsoses of pure-software transparent driver
  Fix typos
  Add a link to the PSA API specification
  Explain locations vs lifetimes
  Initialize key pointer in ecdh to NULL
  Add buffer zeroization when ecp_write_key fails
  Simplified key slot deletion
  Style fixes
  Use arc4random_buf instead of rand on NetBSD
  Apply review feedback
  Update open question section about public key storage
  Remove the paragraph about declaring application needs
  Change driver persistent data to a callback interface
  Rework and expand key management in opaque drivers
  Fix typos and copypasta
  ...
2020-08-14 10:11:21 +02:00
Manuel Pégourié-Gonnard 7d2a4d873f Add test: DNS names should not match IP addresses
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-11 10:23:52 +02:00
Manuel Pégourié-Gonnard eaa0739143
Merge pull request #716 from mpg/ct-varlen-hmac
Add constant-flow variable-length HMAC function
2020-08-10 12:40:33 +02:00
Gilles Peskine 210bea38f3 Add the decomposition of the base case as a comment
Put the base good case first, then the bad cases derived from it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-06 17:12:03 +02:00
Steven Cooreman d4867877f1 Initialize key pointer in ecdh to NULL
Since it is being dereferenced by free on exit it should be inited to NULL.
Also added a small test that would trigger the issue.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-05 17:38:47 +02:00
Steven Cooreman 3fa684ed91 Allow importing Montgomery public keys in PSA Crypto
PSA Crypto was checking the byte length of a to-be-imported public ECP key
against the expected length for Weierstrass keys, forgetting that
Curve25519/Curve448 exists.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-30 15:35:14 +02:00
Ronald Cron d8902b6e3d tests: Replace "TEST_ASSERT(!memcmp ...)" by ASSERT_COMPARE
The usage of "!memcmp()" is at least not recommended
and better to use the macro dedicated for buffer
comparisons.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-30 14:18:02 +02:00
Manuel Pégourié-Gonnard ea6a740923
Merge pull request #717 from mpg/non-etm-cbc-negative-testing
Add negative tests for non-EtM CBC decryption
2020-07-22 13:33:49 +02:00
Manuel Pégourié-Gonnard e55653f085 Improve comments about padlen convention
The convention from the TLS RFC is a bit unusual, so even if the test
function's introductory comment mentions that we're taking the RFC's
definition, it doesn't hurt to repeat it in crucial places.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:42:57 +02:00
Manuel Pégourié-Gonnard c3219006ff Fix suboptimal use of ASSER_ALLOC()
Passing a length of 0 to it is perfectly acceptable, the macro was designed to
handle it correctly.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard ca8287cbaf Use test_set_step() in loop in cf_hmac test
We only have a single integer available for two nested loops, but the loop
sizes are small enough compared to the integer's range that we can encode both
indexes. Since the integer is displayed in decimal in case of errors, use a
power of 10 to pack the two indexes together.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard ed0e86428d Factor repeated condition to its own macro
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:19 +02:00
Manuel Pégourié-Gonnard 9670a59230 Start testing cf_hmac() for constant flow
Currently this breaks all.sh component test_memsan_constant_flow, just as
expected, as the current implementation is not constant flow.

This will be fixed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-22 11:31:18 +02:00
Manuel Pégourié-Gonnard b51f04466f Fix misleading comment in test function
Everything works at the byte level, not bit level. Flipping the lsb is just
one convenient way to corrupt a byte, but don't really care about individual
bits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-21 10:40:25 +02:00
Manuel Pégourié-Gonnard 864abbff4e Rework how lengths are expressed in CBC test
This is hopefully more readable in the .data file.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-21 10:37:14 +02:00
Gilles Peskine b2281e1cf0 x509parse_crl: more negative test cases
Add a few more negative test cases for mbedtls_x509_crl_parse.
The test data is manually adapted from the existing positive test case
"X509 CRL ASN1 (TBSCertList, sig present)" which decomposes as

305c
 3047                                   tbsCertList TBSCertList
  020100                                version INTEGER OPTIONAL
  300d                                  signatureAlgorithm AlgorithmIdentifier
   06092a864886f70d01010e
   0500
  300f                                  issuer Name
   310d300b0603550403130441424344
  170c303930313031303030303030          thisUpdate Time
  3014                                  revokedCertificates
   3012                                 entry 1
    8202abcd                            userCertificate CertificateSerialNumber
    170c303831323331323335393539        revocationDate Time
 300d                                   signatureAlgorithm AlgorithmIdentifier
  06092a864886f70d01010e
  0500
 03020001                               signatureValue BIT STRING

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-16 18:18:22 +02:00
Manuel Pégourié-Gonnard 4adc04a8a3 Give a constant a name in test function
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-16 10:00:48 +02:00
Manuel Pégourié-Gonnard 65a6fa3e26 Make cf_hmac() STATIC_TESTABLE
The test function now depends on MBEDTLS_TEST_HOOKS, which is enabled by
config.py full, and since there are already components in all.sh exercising
the full config, this test function is sill exercised even with this new
dependency.

Since this is the first time a test function depends on MBEDTLS_TEST_HOOKS,
fix a bug in check-names.sh that wasn't apparent so far: headers from
library/*.h were not considered when looking for macro definitions. This
became apparent because MBEDTLS_STATIC_TESTABLE is defined in library/common.h
and started being used in library/ssl_msg.c, so was flagged as a likely typo.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:21 +02:00
Manuel Pégourié-Gonnard 045f094c81 Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:25:52 +02:00
Steven Cooreman 5a3c210e15 Update to renamed curve constant
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-13 17:26:26 +02:00
Steven Cooreman aec44e9fe8 Merge remote-tracking branch 'mbedtls/development' into montgomery-keys-clarification 2020-07-13 11:48:21 +02:00
Steven Cooreman 0024df6b37 Remove superfluous argument to ecp_write_key
Removed after feedback from PR review.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-13 10:59:40 +02:00
Manuel Pégourié-Gonnard 913a204a33 Fix undeclared dependency of test function
The ssl_tranform structure lacks some members accessed by this function when
CBC is not enabled.

This was found by test-ref-configs.pl and all.sh
test_when_no_ciphersuites_have_mac, so no need to add a new test.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-09 10:02:41 +02:00
Manuel Pégourié-Gonnard 62af37d616 Add tests with ARIA, Camellia, 3DES
Started as copies of the AES block, then:

- for ARIA, just s/AES/ARIA/
- for Camellia, just s/AES/Camellia/
- for 3DES, s/AES/3DES/ then s/3DES_128_CBC/DES_EDE3_CBC/ then manually
  subtract 8 to all plaintext lengths that were > 8. This accounts for the
fact that the block size of DES is 8 not 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:40:38 +02:00
Manuel Pégourié-Gonnard 7a1cb41ba2 Add test cases with MD5, SHA1, SHA384
All started from a copy of the SHA256 block and modified as follows:

- for MD5, just s/SHA256/MD5/
- for SHA384, adapt the dependency line then s/SHA256/SHA384
- for SHA1, s/SHA256/SHA1/ then manually adapt the plaintext length for the
  cases with "!trunc, B-1" and "!trunc, B", as the MAC length (20) is not a
multiple of the block size (16) for this hash

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:25:27 +02:00
Manuel Pégourié-Gonnard e79e3bb2da Add test cases with various record sizes
- plaintext length = 0 or 1
- plaintext length + MAC length = -1 or 0 mod block_size
    (using the minimum plaintext length that works)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:02:59 +02:00
Manuel Pégourié-Gonnard 527c1ff71a Generate good/bad padding programmatically
Compared to the previous approach of having the bad padding provided as input
to the testing function, this allows to test more kinds of incorrect data,
with less test cases in the .data file and more important no manually-generated
non-trivial data in the test case parameters, making it much easier to
complete the testing matrix.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 10:43:37 +02:00
Manuel Pégourié-Gonnard fafe8553c6
Merge pull request #3392 from paul-elliott-arm/psa_ecc_dh_macros
PSA: update EC curve and DH group family macros
2020-07-07 09:20:44 +02:00
Steven Cooreman ed3c9ec71a Added support for AES-ECB to the PSA Crypto implementation
PSA_ALG_ECB_NO_PADDING came in to the PSA Crypto API spec v1.0.0, but
was not implemented yet in the mbed TLS implementation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 14:16:10 +02:00
Steven Cooreman 14f0e526fb Fix Curve25519 ecp_read_key vectors to match description
They did not match their description, probably due to a botched manual
endianness conversion where the nibbles also got swapped.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:38 +02:00
Steven Cooreman c9b7f78647 Rework mbedtls_ecp_write_key to remove unnecessary output parameter
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:32 +02:00
Steven Cooreman 6f5cc71ad1 Document masking of Montgomery private keys in psa_export_key
Follow the PSA Crypto specification which was updated between 1.0 beta3
and 1.0.0.
Add corresponding test cases.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:45:04 +02:00
Steven Cooreman de8593f2fe Implement and test mbedtls_ecp_write_key
mbedtls_ecp_write_key is a mirror function to mbedtls_ecp_read_key, which
writes a private key back into a byte buffer in the correct format.
This is a helpful convenience function, since the byte order is defined
differently between Montgomery and Weierstrass curves. Since this difference
is accounted for in mbedtls_ecp_read_key, it made sense to add
mbedtls_ecp_write_key for the purpose of abstracting this away such that
psa_export_key doesn't need to take byte order into account.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:42:38 +02:00
Gilles Peskine 642a4ef0aa
Merge pull request #3463 from gilles-peskine-arm/tests-not-executed
Fix some test cases that weren't getting executed
2020-07-03 15:13:18 +02:00
Manuel Pégourié-Gonnard 0ac01a1c59 TLS: Add negative tests for non-EtM CBC decryption
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-03 12:49:10 +02:00
Paul Elliott 75e27032d3 Rename DH Family Macros According to PSA Spec
Rename PSA_DH_GROUP_xxx to PSA_DH_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_GROUP to PSA_KEY_TYPE_DH_GET_FAMILY and rename
psa_dh_group_t to psa_dh_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 16:59:49 +01:00
Paul Elliott 8ff510ac26 Rename ECC Family Macros According to PSA Spec
Rename PSA_ECC_CURVE_xxx to PSA_ECC_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_CURVE to PSA_KEY_TYPE_ECC_GET_FAMILY and rename
psa_ecc_curve_t to psa_ecc_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 16:59:30 +01:00
Ronald Cron a123614699 tests: Move mbedtls_param_failed() to test common code
This makes the implementation of mbedtls_param_failed()
for testing purpose available to programs. Thus removing
the ad-hoc implementations in programs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-02 09:59:38 +02:00
Ronald Cron 579fd28527 tests: Isolate mbedtls_param_failed() long jump
In preparation of moving mbedtls_param_failed() to test
common code, isolate mbedtls_param_failed() long
jump data and set up from unit test data and code.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-02 09:59:32 +02:00
Ronald Cron 76883ec853 tests: Isolate mbedtls_param_failed() call check
In preparation of moving mbedtls_param_failed() to test
common code, isolate mbedtls_param_failed() call check
from unit test data.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-02 09:39:37 +02:00
Ronald Cron 4e66587545 tests: Move mbedtls_param_failed() call location record
In preparation of moving mbedtls_param_failed() to test
common code, move mbedtls_param_failed() call location
record into a context dedicated to mbedtls_param_failed().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-02 09:39:37 +02:00
Ronald Cron 55d97f2ca8 tests: Remove usage of mbedtls_test_hexify for comparison
Do not hexify binary data to compare them, do compare
them directly. That simplifies the check code and save
memory.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-02 09:39:30 +02:00
Ronald Cron ac6ae35150 tests: suites: Remove hex in name of variables of type data_t
Remove `hex` in name of variables of type data_t to reserve it
for variables of type char* that are the hexadecimal
representation of a data buffer.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-07-01 17:10:15 +02:00
Janos Follath be9a5752c2 Merge tag 'mbedtls-2.23.0' into merge-2.23.0-release-to-development
Mbed TLS 2.23.0
2020-07-01 11:23:17 +01:00
Janos Follath 0435cd8c23 Bump version to Mbed TLS 2.23.0
Executed "./scripts/bump_version.sh --version 2.23.0 --so-crypto 5"

A symbol has been removed from the mbedcrypto library since the last
release:
mbedtls_ecc_group_to_psa ( enum mbedtls_ecp_group_id grpid,
                           size_t* bits )

This is an ABI break and we need to increase the SO version.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-29 22:41:30 +01:00
Gilles Peskine 82ac38ee5d
Merge pull request #3438 from ronald-cron-arm/programs-use-common-test-code
Add support to build and link test common code in programs
2020-06-29 10:29:36 +02:00
Gilles Peskine 7eefa22fb1 Fix copypasta in test case descriptions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 22:54:47 +02:00
Gilles Peskine b20b873bff Remove metadata tests for features that are not implemented
The metadata tests depend on the corresponding feature because there
is no guarantee that the metadata is correct if the feature is
disabled. There are metadata test cases for some algorithms and key
types that are declared but not supported. These test cases are
present but can never run.

It is debatable whether having these test cases is a good thing in
case they become runnable in the future, or a bad thing because
they're dead code. We're working on detecting test cases that are
never executed for accidental reasons (e.g. typo in a dependency or
missing configuration on the CI), and having test cases that are
deliberately never executed messes this up. So remove these test
cases. If we do implement the corresponding feature, it'll be easy to
add the corresponding metadata test cases.

The features that had metadata tests but no implementations were:

* SHA-512/256 and SHA-512/224 (hypothetical dependency: MBEDTLS_SHA512_256)
* DSA (hypothetical dependency: MBEDTLS_DSA_C)
* SHA-3 and HMAC-SHA-3 (hypothetical dependency: MBEDTLS_SHA3_C)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 22:48:06 +02:00
Gilles Peskine af9dbc9213 Fix dependency in PSA test cases
The test cases were never executed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 22:45:30 +02:00
Gilles Peskine a911b32e2f Fix dependency in AES GCM test case
The test case was never executed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 22:40:58 +02:00
Gilles Peskine 961914df12
Merge pull request #3382 from stevew817/feature/volatile-keys-in-SE
Support volatile keys in external SE
2020-06-26 20:27:11 +02:00
Ronald Cron a0c2539c4c Rework mbedtls_test_unhexify()
Rework mbedtls_test_unhexify to extend its scope of usage.
Return in error when the function detects an error instead
of calling mbedtls_exit().
Improve safety by checking the output buffer is not overrun.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:45:16 +02:00