Commit graph

15579 commits

Author SHA1 Message Date
Gilles Peskine 6373fab865 mbedtls_ecp_gen_privkey_sw: range and coverage tests
Add unit tests for private key generation on short Weierstrass curves.
These tests validate that the result is within the desired range.
Additionally, they validate that after performing many iterations, the
range is covered to an acceptable extent: for tiny ranges, all values
must be reached; for larger ranges, all value bits must reach both 0
and 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine eadf31d56a mbedtls_ecp_gen_privkey_mx: simplify the size calculation logic
mbedtls_ecp_gen_privkey_mx generates a random number with a certain
top bit set. Depending on the size, it would either generate a number
with that top bit being random, then forcibly set the top bit to
1 (when high_bit is not a multiple of 8); or generate a number with
that top bit being 0, then set the top bit to 1 (when high_bit is a
multiple of 8). Change it to always generate the top bit randomly
first.

This doesn't make any difference in practice: the probability
distribution is the same either way, and no supported or plausible
curve has a size of the form 8n+1 anyway. But it slightly simplifies
reasoning about the behavior of this function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 4f7767445b mbedtls_ecp_gen_privkey_mx: make bit manipulations unconditional
Don't calculate the bit-size of the initially generated random number.
This is not necessary to reach the desired distribution of private
keys, and creates a (tiny) side channel opportunity.

This changes the way the result is derived from the random number, but
does not affect the resulting distribution.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 6acfc9cb4c mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero
The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e3 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 188828525d Add unit tests for mbedtls_ecp_gen_privkey_mx
Test the exact output from known RNG input. This is overly
constraining, but ensures that the code has good properties.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine bef3019ed5 Make the fallback behavior of mbedtls_test_rnd_buffer_rand optional
If a fallback is not explicitly configured in the
mbedtls_test_rnd_buf_info structure, fail after the buffer is
exhausted.

There is no intended behavior change in this commit: all existing uses
of mbedtls_test_rnd_buffer_rand() have been updated to set
mbedtls_test_rnd_std_rand as the fallback.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine ebf3a4b80f Update references in some test function documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 3838f28c33 mbedtls_ecp_gen_privkey_mx: rename n_bits to high_bit
For Montgomery keys, n_bits is actually the position of the highest
bit and not the number of bits, which would be 1 more (fence vs
posts). Rename the variable accordingly to lessen the confusion.

No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine de33213f23 mbedtls_ecp_gen_privkey: create subfunctions for each curve type
Put the Montgomery and short Weierstrass implementations of
mbedtls_ecp_gen_privkey into their own function which can be tested
independently, but will not be part of the public ABI/API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 21:31:24 +02:00
Gilles Peskine 2c5be61e99
Merge pull request #4593 from gilles-peskine-arm/remove-duplicated-ASSERT_ALLOC-2.x
Backport 2.x: Fix null pointer arithmetic in NIST_KW
2021-06-01 16:40:26 +02:00
Gilles Peskine 570a8cd056 Fix null pointer arithmetic in error case
When mbedtls_nist_kw_wrap was called with output=NULL and out_size=0, it
performed arithmetic on the null pointer before detecting that the output
buffer is too small and returning an error code. This was unlikely to have
consequences on real-world hardware today, but it is undefined behavior and
UBSan with Clang 10 flagged it. So fix it (fix #4025).

Fix a similar-looking pattern in unwrap, though I haven't verified that it's
reachable there.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-01 11:57:18 +02:00
Gilles Peskine 1260332ce2 Remove duplicated definition of ASSERT_ALLOC
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-31 20:31:47 +02:00
Gilles Peskine 3a2d59c125 Remove spurious dependencies on PEM
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-31 20:26:12 +02:00
Ronald Cron 72dcd4e4f1
Merge pull request #4385 from gilles-peskine-arm/psa-storage-format-test-algorithms
Backport 2.x: PSA storage format test: algorithms
2021-05-27 17:34:29 +02:00
Ronald Cron 9df7209bf6
Merge pull request #4546 from Patater/psa-without-genprime-fix-2.x
[Backport 2.x] psa: Support RSA signature without MBEDTLS_GENPRIME
2021-05-27 14:19:14 +02:00
Gilles Peskine f20390f387
Merge pull request #4557 from gilles-peskine-arm/aria_alt-2.x
Backport 2.x: Fix ARIA_ALT header and self-test and CAMELLIA_ALT self-test
2021-05-25 20:32:53 +02:00
Gilles Peskine 46d3a3782d Document include_intermediate in PSAMacroEnumerator
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:25 +02:00
Gilles Peskine 643eb83f06 key_storage_read: pass exercise as a flag rather than a boolean
This will allow adding other flags in the future.

No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:20 +02:00
Gilles Peskine 6d3c4c736d Add missing test suites to CMakeLists.txt
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:17 +02:00
Gilles Peskine 30ccba48ef Do support multiple files generated from the same script
The call to `tests/scripts/generate_psa_tests.py` added by the commit
"generate_psa_tests.py: allow generating each file independently"
assumed that the `check` function supports multiple file names, but in
fact it does not do so. When `generate_psa_tests.py` started generating
more than one file, `check-generated-files.sh` did not detect changes to
files other than the first one listed by `generate_psa_tests.py --list`.

Fix this: change `check` to support either a single directory (with
detection of added/removed files) or a list of files (which is assumed
to be static).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:17 +02:00
Gilles Peskine ff9629f92d Abbreviate algorithms in test descriptions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:14 +02:00
Gilles Peskine 08966e6fbc Remove duplicates from enumerated test inputs
When generating expressions to construct test case data, there can be
duplicate values, for example if a value of the form C(A) is present
as such in test_suite_psa_crypto_metadata.data and also constructed by
enumerating the argument A for the constructor C. Eliminate such
duplicates in generate_expressions.

This commit removes many test cases that were exact duplicates (and
were near-duplicates differing only in whitespace before the
whitespace normalization).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:35:05 +02:00
Gilles Peskine 0a93c1b1ce Normalize whitespace in test arguments
Avoid ending up with test cases that only differ in whitespace in an
argument.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:47 +02:00
Gilles Peskine 8a55b434c2 Don't generate non-existent dependency symbols
Filter our algorithm constructors that don't have a dependency symbol
of their own.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:23 +02:00
Gilles Peskine cf70d07c8b Define dependency symbols for hashless signature algorithms
Define the dependency symbols PSA_WANT_ALG_ECDSA_ANY and
PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW as de facto synonyms of
PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_RSA_PKCS1V15_SIGN respectively: if
either one is requested, the other is set.
This makes it easier to systematically determine the dependencies of
an algorithm.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:20 +02:00
Gilles Peskine b93f854f4c Expand psa_generate_tests to support constructor arguments
In macro_collector.py, base InputsForTest on PSAMacroEnumerator rather
than PSAMacroCollector. It didn't make much sense to use
PSAMacroCollector anymore since InputsForTest didn't use anything
other than the constructor.

psa_generate_tests now generates arguments for more macros.
In particular, it now collects macro arguments from
test_suite_psa_crypto_metadata. Algorithms with parameters are now
supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:09 +02:00
Gilles Peskine ae9f14b159 Speed up the generation of storage format test cases
First build a list of all keys, then construct all the corresponding
test cases. This allows all required information to be obtained in
one go, which is a significant performance gain as the information
includes numerical values obtained by compiling a C program.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 0ba69a462e Fix KeyType with parameters passed in the name argument
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine d6d2d6a7d7 Use InputsForTest in generate_psa_tests
In generate_psa_tests, use InputsForTest rather than PSAMacroCollector
to gather values. This way, the enumeration of values to test includes
values used in metadata tests in addition to constructors parsed from
header files. This allows greater coverage of values built from
constructors with arguments. This doesn't make a difference yet, but
it will once algorithm constructors with arguments are supported in
generate_psa_tests.

Make the injection of numerical values optional. They are useful for
test_psa_constant_names, so keep them there. Don't use them for
not-supported tests: they might make sense, but the current code
wouldn't work since it doesn't know how to make up fake key material
or what dependencies to generate. Don't use them for storage tests:
they only make sense for supported values.

Don't inject 'PSA_SUCCESS': that's superfluous.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 3cf3a8ebdf Move InputsForTest to macro_collector.py
This is useful to generate PSA tests for more than constant names.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine e30ad46f91 Add type annotations
Prepare to move InputsForTest to macro_collector.py.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 4d59f01bcd Fix copypasta in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 6a73f5592b Changelog entry for the ARIA_ALT and CAMELLIA_ALT fixes
Fix ARMmbed/mbed-os#14694

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Gilles Peskine 66c616a393 CAMELLIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Gilles Peskine ccbbb2c501 ARIA: add missing context init/free
This fixes the self-test with alternative implementations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Gilles Peskine a8d0718b1c Fix misplaced extern "C" affecting MBEDTLS_ARIA_ALT
Reported via Mbed OS:
https://github.com/ARMmbed/mbed-os/issues/14694

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 18:45:04 +02:00
Ronald Cron aede2d0c52
Merge pull request #4533 from gilles-peskine-arm/host_test-int32-2.x
Backport 2.x: Fix build error in host_test.function when int32_t is not int
2021-05-21 16:02:11 +02:00
Jaeden Amero c17f29309f psa: Support RSA signature without MBEDTLS_GENPRIME
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.

Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.

Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.

It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.

Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
    psa_crypto_rsa.c.obj: in function `rsa_generate_key':
    psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'

Fixes #4512

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-21 10:21:27 +01:00
Jaeden Amero 9657334b57 psa: Add missing RSA test dependency
The test "PSA generate key: RSA, 1024 bits, good, encrypt (OAEP
SHA-256)" had a dependency on MBEDTLS_GENPRIME, but this was not listed
in the dependencies. Add MBEDTLS_GENPRIME to the test's dependencies to
ensure it has what it needs to run.

Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
2021-05-21 10:20:41 +01:00
Manuel Pégourié-Gonnard 7dea07610c
Merge pull request #4289 from gilles-peskine-arm/openssl-dhparam-robustness-development
Backport 2.x: Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman
2021-05-21 10:16:18 +02:00
Manuel Pégourié-Gonnard db97b1e211
Merge pull request #4491 from netfoundry/fix-mingw-build
Backport 2.x : Use proper formatting macros when using MinGW provided stdio
2021-05-21 10:03:18 +02:00
Janos Follath d76f7ba2e1
Merge pull request #4529 from hanno-arm/ssl_session_cache_fix_backport_2x
Backport 2.x: Add session ID as an explicit parameter to SSL session cache API
2021-05-21 08:49:11 +01:00
Hanno Becker c304679c75 Add ChangeLog entry
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-21 05:29:01 +01:00
Gilles Peskine d135b57e8c
Merge pull request #4412 from gilles-peskine-arm/undefined-reference-2.27
Backport 2.x: Fix missing compilation guard around psa_crypto_driver_wrappers.c
2021-05-20 17:20:36 +02:00
Gilles Peskine a33cb76820
Merge pull request #4493 from netfoundry/gcc11.fixes_2.x
Backport 2.x: build with gcc11
2021-05-20 15:54:20 +02:00
Gilles Peskine 05c11e3dd5
Merge pull request #4503 from gilles-peskine-arm/ciphersuite-sha384-guard-2.x
Backport 2.x: fix SHA384 guards in TLS
2021-05-19 21:13:08 +02:00
Gilles Peskine ad0e01248d Fix missing compilation guard around psa_crypto_driver_wrappers.c
Fix #4411.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 21:03:46 +02:00
Gilles Peskine c54010c3ec Split SHA-512 and SHA-384 guards for hash availability code
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:15 +02:00
Gilles Peskine fc9c07ff8f Fix unused variable with MBEDTLS_SHA512_NO_SHA384
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:13 +02:00
Gilles Peskine d2d59379ed Remove dead code under MBEDTLS_SHA512_NO_SHA384
TLS code specific to SHA-384 was gated on MBEDTLS_SHA512_C. But SHA-384 also
requires that MBEDTLS_SHA512_NO_SHA384 is not defined. This lead to dead
code in TLS when MBEDTLS_SHA512_C and MBEDTLS_SHA512_NO_SHA384 were both
defined (i.e. when SHA-512 was enabled but not SHA-384).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:10 +02:00