Commit graph

880 commits

Author SHA1 Message Date
Darryl Green 940d72c3e8 psa: Refactor psa_import_key()
Create a new function psa_import_key_into_slot() from psa_import_key().
This is common functionality that will be used both when importing a
key and loading a key from persistent storage.
2018-11-20 15:21:22 +00:00
Hanno Becker 1aaedc03d4 Add implementation of TLS-1.2 PSK-to-MS key derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine 93f8500e2e Fix unused variables warning if MBEDTLS_ECDH_C is off
depends-pkalgs.pl passes.
2018-11-16 16:43:31 +01:00
Gilles Peskine 346797d7b9 Add missing cleanup on failure in psa_key_agreement
If psa_key_derivation_internal() fails, it's up to the caller to clean
up. Do this, and add a note at the top of
psa_key_derivation_internal() and its auxiliary functions.

There is no non-regression test because at the moment the only way to
trigger an error is a borderline low-memory condition and we don't
have the means to trigger this.
2018-11-16 16:09:27 +01:00
Gilles Peskine a05219c70b Add some missing compilation guards
Add missing checks for defined(MBEDTLS_MD_C) around types and
functions that require it (HMAC, HKDF, TLS12_PRF).

Add missing checks for defined(MBEDTLS_ECDSA_DETERMINISTIC) around
code that calls mbedtls_ecdsa_sign_det().

Add missing checks for defined(MBEDTLS_ECDH_C) around ECDH-specific
functions.
2018-11-16 16:09:24 +01:00
Hanno Becker 353e45361d Don't call memcpy() with 0-length arguments
The standard prohibits calling memcpy() with NULL pointer
arguments, even if the size argument is 0.

The TLS-1.2 PRF generator setup function previously called
memcpy() with the label and salt as the source, even if
they were of length 0, as exercised by the derive_key_policy
test case in the PSA crypto test suite.

This commit adds guards around the memcpy() calls so that they
are only executed of salt or label have positive length, respectively.
2018-11-16 11:24:59 +00:00
Hanno Becker 3b339e2342 Simplify psa_generator_tls12_prf_generate_next_block() 2018-11-16 11:24:59 +00:00
Hanno Becker 580fba1431 Dynamically allocate A(i) + seed buffer for TLS-1.2 PRF 2018-11-16 11:24:59 +00:00
Hanno Becker c8a41d71cb Add implementation of TLS-1.2 PRF 2018-11-16 11:24:55 +00:00
Gilles Peskine b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine 88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine 211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine 01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine 8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine 751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine 86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Gilles Peskine 52b9018cf7 psa_export_key: for raw-byte keys, zero the end of the output buffer
Skip all writing to the target buffer if its size is 0, since in this
case the pointer might be invalid and this would cause the calls to
memcpy and memset to have undefined behavior.
2018-10-31 14:10:06 +01:00
Gilles Peskine 188c71e382 Private EC key format: change to raw secret value (export)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine f76aa7789b Private EC key format: change to raw secret value (doc, import)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the format
specification and the import code, but not the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine e0e9c7c417 New macro PSA_ALG_FULL_LENGTH_MAC
Provide a documented way of constructing the full-length MAC algorithm
from a truncated version.
2018-10-17 18:30:47 +02:00
Gilles Peskine 57fbdb1939 Use a public macro for AEAD tag length variations
Avoid depending on the encoding of algorithms inside psa_crypto.c.
2018-10-17 18:30:47 +02:00
Gilles Peskine f8a8fe60f8 Fix memory leak with AEAD with non-default tag lengths
When freeing the key context, choose the context format based on the
base algorithm value stored in the operation object.
2018-10-17 13:54:48 +02:00
Gilles Peskine 8cac2e628e Translate GCM_BAD_INPUT to INVALID_ARGUMENT, not NOT_SUPPORTED 2018-10-17 13:54:48 +02:00
Gilles Peskine 99b7d6b700 Wipe sensitive data in psa_mac_verify_finish
Wipe the whole MAC intermediate buffer, not just the requested MAC
size. With truncated MAC algorithms, the requested MAC size may be
smaller than what is written to the intermediate buffer.
2018-10-17 13:54:47 +02:00
Gilles Peskine 87b0ac49f8 Fix possible buffer overread in psa_mac_finish_internal (CMAC) 2018-10-17 13:54:47 +02:00
Gilles Peskine 6d72ff9e79 Document that the minimum truncated MAC length is implementation-defined 2018-10-17 13:54:47 +02:00
Gilles Peskine 23cc2ff9a8 Add support for non-default-tag-size AEAD (CCM and GCM) 2018-10-08 14:42:11 +02:00
Gilles Peskine edf9a6576d Refactor AEAD setup into a common function
There was a lot of repetition between psa_aead_encrypt and
psa_aead_decrypt. Refactor the code into a new function psa_aead_setup.
The new code should behave identically except that in some cases where
multiple error conditions apply, the code may now return a different
error code.

Internally, I rearranged some of the code:

* I removed a check that the key type was in CATEGORY_SYMMETRIC because
  it's redundant with mbedtls_cipher_info_from_psa which enumerates
  supported key types explicitly.
* The order of some validations is different to allow the split between
  setup and data processing. The code now calls a more robust function
  psa_aead_abort in case of any error after the early stage of the setup.
2018-10-08 14:42:11 +02:00
Gilles Peskine d911eb7915 Add support for truncated MAC algorithms 2018-10-08 14:42:11 +02:00
Gilles Peskine 159ebf3b8e
Merge pull request #142 from ARMmbed/psa-metadata_validation
Algorithm and key type encoding validation
2018-09-24 10:38:39 +02:00
Jaeden Amero 3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero 40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine 00709fafb8 Rename PSA_ALG_HMAC_HASH to PSA_ALG_HMAC_GET_HASH
Be consistent with other GET_HASH macros.
2018-09-20 12:00:21 +02:00
Gilles Peskine daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine ef12c63de0 RSA verification: don't report an invalid padding error
Mbed TLS distinguishes "invalid padding" from "valid padding but the
rest of the signature is invalid". This has little use in practice and
PSA doesn't report this distinction. We just report "invalid
signature".
2018-09-17 14:33:43 +02:00
itayzafrir 90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir 0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Gilles Peskine 78b3bb670d Change the bitwise encoding of key type categories
There were only 5 categories (now 4). Reduce the category mask from 7
bits to 3.

Combine unformatted, not-necessarily-uniform keys (HMAC, derivation)
with raw data.

Reintroduce a KEY_TYPE_IS_UNSTRUCTURED macro (which used to exist
under the name KEY_TYPE_IS_RAW_DATA macro) for key types that don't
have any structure, including both should-be-uniform keys (such as
block cipher and stream cipher keys) and not-necessarily-uniform
keys (such as HMAC keys and secrets for key derivation).
2018-09-14 10:02:29 +01:00
itayzafrir 534bd7c33b Add missing calls to psa_cipher_abort in cipher functions 2018-09-14 10:02:29 +01:00
itayzafrir 40835d4e56 Add missing calls to psa_hash_abort in hash functions 2018-09-14 10:02:29 +01:00
Jaeden Amero df3b74f168 Merge pull request #125 from ARMmbed/key_slot_index-fix
Fix off-by-one errors in key slot index limits
2018-09-14 10:02:29 +01:00
Gilles Peskine 9a05634558 psa_crypto_free: destroy the last slot
The last slot in the array was not freed due to an off-by-one error.

Amend the fill_slots test to serve as a non-regression test for this
issue: without this bug fix, it would cause a memory leak.
2018-09-14 10:02:29 +01:00
Gilles Peskine 996deb18cc Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.

Add a non-regression test.
2018-09-14 10:02:29 +01:00
Darryl Green 9e2d7a09f1 Add ifdefs for psa_internal_export_key function
MBEDTLS_PK_WRITE_C only requires either MBEDTLS_RSA_C or MBEDTLS_ECP_C to be defined.
Added wrappers to handle the cases where only one has been defined.
Moved mbedtls_pk_init to be within the ifdefs, so it's only called if appropriate.
2018-09-14 10:02:28 +01:00
Darryl Green 8800136156 Fix key parameter in psa_key_derivation to use correct type 2018-09-14 10:02:28 +01:00
Darryl Green 8f8aa8f931 Add ifdef for MBEDTLS_ECP_C around ecc_group_to_psa functions
These are unused if MBEDTLS_ECP_C isn't defined.
2018-09-14 10:02:28 +01:00
Darryl Green 5cc689a821 Add handling for (sometimes) unused parameters 2018-09-14 10:02:28 +01:00
Gilles Peskine 9f900a8b25 Merge pull request #105 from ARMmbed/psa-derive_hkdf
PSA key derivation: simple-ish interface, HKDF
2018-09-12 16:50:07 +03:00
Gilles Peskine 08542d8037 Fix psa_generator_import_key for DES
In psa_generator_import_key, if generating a DES or 3DES key, set the
parity bits.

Add tests for deriving a DES key. Also test deriving an AES key while
I'm at it.
2018-09-12 16:50:07 +03:00
Gilles Peskine d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine bef7f14f8e Implement HKDF 2018-09-12 16:44:05 +03:00
Gilles Peskine ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Gilles Peskine eab56e4159 Add generator API
Add an API for byte generators: psa_crypto_generator_t,
PSA_CRYPTO_GENERATOR_INIT, psa_crypto_generator_init,
psa_get_generator_capacity, psa_generator_read,
psa_generator_import_key, psa_generator_abort.

This commit does not yet implement any generator algorithm, it only
provides the framework. This code may not compile with -Wunused.
2018-09-12 16:41:12 +03:00
Gilles Peskine 9aa369eafb HMAC: improve robustness checks on hash/block size
In psa_mac_setup and psa_hmac_setup_internal, perform a sanity check
on the hash size and the hash block size respectively. These sanity
checks should only trigger on an incompletely or incorrectly
implemented hash function.

Remove the check on the block size in psa_hmac_finish_internal
because at this point it has already been checked and used.
2018-09-12 16:41:12 +03:00
Gilles Peskine 1e6bfdff5e psa_hmac_setup_internal: fix double call of psa_hash_setup
In the common case (key no longer than the block size), psa_hash_setup
was being called twice in succession. With current implementations
this is just a small performance loss, but potentially with
alternative implementations this could have lead to a memory leak.
2018-09-12 16:41:12 +03:00
Gilles Peskine b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine ff94abdf3a Make psa_hmac_setup_internal more standalone
Call psa_hash_setup in psa_hmac_setup_internal rather than
psa_mac_init. This makes it easier to use psa_hmac_setup_internal on
its own (for the sake of using HMAC internally inside the library).
2018-09-12 16:41:12 +03:00
Gilles Peskine b8be288374 psa_hmac_setup_internal: add some missing cleanup on failure
Clean ipad if hashing the key failed.
2018-09-12 16:41:12 +03:00
Gilles Peskine 9688997301 MAC setup: support 0-length HMAC key
Avoid undefined behavior when using a 0-length HMAC key (Asan
complained).
2018-09-12 16:41:12 +03:00
Gilles Peskine 072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine 01126fae7f Isolate HMAC code into its own functions
Create internal functions for HMAC operations. This prepares for two
things: separating crypto-sensitive code from argument decoding and
validation, and using HMAC for other purposes than a MAC inside the
library (e.g. HMAC_DRBG, HKDF).

No intended observable behavior change in this commit.
2018-09-12 16:41:12 +03:00
Gilles Peskine 71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine 94e44540ff psa_hash_update: robustify the case length=0
Don't require hash implementations to behave correctly on a
zero-length input, which may have an invalid pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine af89fd771e psa_import_key: split RSA and ECP code into small functions
No intended behavior change except that some edge cases may have
swapped between INVALID_ARGUMENT and NOT_SUPPORTED.
2018-09-12 16:41:11 +03:00
Gilles Peskine d8008d6dfe New macro PSA_KEY_TYPE_IS_RSA 2018-09-12 16:41:11 +03:00
Gilles Peskine 35da9a2f2e In psa_asymmetric_encrypt, allow public keys
The code was accepting key pairs only, even though encryption doesn't
require the private key.
2018-09-12 16:41:11 +03:00
Gilles Peskine 4c317f4b4c generate_key: define a structure type for RSA extra parameters 2018-09-12 16:41:11 +03:00
Gilles Peskine 53d991e655 generate_key: rename \p parameters to \p extra
\p parameters is a confusing name for a function parameter. Rename it
to \p extra.
2018-09-12 16:41:11 +03:00
Gilles Peskine 630a18a51e Don't break the rsa context abstraction
This would fail on alternative implementation.
2018-09-12 16:41:11 +03:00
Gilles Peskine 3ff2162d14 Remove salt from asymmetric_{sign,verify}
No common signature algorithm uses a salt (RSA-PKCS#1v1.5, RSA-PSS,
DSA, ECDSA, EdDSA). We don't even take an IV for MAC whereas MAC
algorithms with IV are uncommon but heard of. So remove the salt
parameter from psa_asymmetric_sign and psa_asymmetric_verify.
2018-09-12 16:41:11 +03:00
Gilles Peskine aa7bc47f73 Add missing const on policy_get_xxx function parameter 2018-09-12 16:41:11 +03:00
Gilles Peskine 5d1888ebc5 Rename PSA_ALG_STREAM_CIPHER -> PSA_ALG_STREAM_CIPHER_BASE
Follow the usual naming convention: PSA_ALG_xxx_BASE for a constant
that isn't an algorithm, just used to build one.
2018-09-12 16:41:11 +03:00
Jaeden Amero 0794936411 Merge pull request #102 from ARMmbed/dev/Patater/fix-allsh
Fix various issues caught by all.sh
2018-09-12 16:41:11 +03:00
Jaeden Amero b4fa8c9c6d psa: Fix Doxygen comment on psa_get_key_from_slot
We failed all.sh on the "test: doxygen markup outside doxygen blocks" due
to doxygen markup being outside a Doxygen block. Add an extra `*` to the
psa_get_key_from_slot comment to denote the comment as a Doxygen comment.
2018-09-12 16:41:11 +03:00
Gilles Peskine fe11951c16 Rename psa cipher functions to psa_cipher_xxx
Make function names for multipart operations more consistent (cipher
edition).

Rename symmetric cipher multipart operation functions so that they all
start with psa_cipher_:

* psa_encrypt_setup -> psa_cipher_encrypt_setup
* psa_decrypt_setup -> psa_cipher_decrypt_setup
* psa_encrypt_set_iv -> psa_cipher_set_iv
* psa_encrypt_generate_iv -> psa_cipher_generate_iv
2018-09-12 16:41:11 +03:00
Gilles Peskine 2a91d612f5 Merge remote-tracking branch 'psa/pr/94' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine fbfac6867b Simplify algorithm checking logic in MAC functions
Use if-else-if chains rather than switch because many blocks apply to
a class of algoritmhs rather than a single algorithm or a fixed set
of algorithms.

Call abort on more error paths that were missed earlier.
2018-09-12 16:41:11 +03:00
Janos Follath 279ab8e69b Prevent leaking plaintext in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine 5d0b864944 Streamline cleanup logic in MAC finish
Reorganize error handling code in psa_mac_finish_internal,
psa_mac_sign_finish and psa_mac_verify finish to ensure that:

* psa_mac_abort() is always called, on all success and error paths.
* psa_mac_finish places a safe value in the output parameters on
  all error paths, even if abort fails.
2018-09-12 16:41:11 +03:00
Janos Follath 315b51c22d Fix memory leak in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine 89167cb597 Split psa_mac_setup -> psa_mac_{sign,verify}_setup
Make function names for multipart operations more consistent (MAC
setup edition).

Split psa_mac_setup into two functions psa_mac_sign_setup and
psa_mac_verify_setup. These functions behave identically except that
they require different usage flags on the key. The goal of the split
is to enforce the key policy during setup rather than at the end of
the operation (which was a bit of a hack).

In psa_mac_sign_finish and psa_mac_verify_finish, if the operation is
of the wrong type, abort the operation before returning BAD_STATE.
2018-09-12 16:41:11 +03:00
Gilles Peskine acd4be36fa Rename psa_mac_{finish,verify} -> psa_mac_{sign,verify}_finish
Make function names for multipart operations more consistent (MAC
finish edition).
2018-09-12 16:41:11 +03:00
Gilles Peskine da8191d1cd Rename psa_hash_start -> psa_hash_setup
Make function names for multipart operations more consistent (hash
edition).
2018-09-12 16:41:11 +03:00
Gilles Peskine ab1d7ab89f Don't call psa_get_key_information internally
When you have a key slot pointer, read the key type directly, and call
psa_get_key_bits to get the bit size.
2018-09-12 16:41:11 +03:00
Mohammad Abo Mokh a5c7b7d0dd Style fixes 2018-09-12 16:41:11 +03:00
Gilles Peskine b870b188ad New internal function psa_get_key_bits
Isolate the code of psa_get_key_information that calculates the bit
size of a key into its own function which can be called by functions
that have a key slot pointer.
2018-09-12 16:41:11 +03:00
mohammad1603 2701005b46 Modifications for psa-crypto in order to integrate with SPM
Add required includes in tests and psa_crypto.c file in order to be able to compilef for the SPM solution.
Some functions needed to be deprecated from psa_crypto.c since they already implemented in the SPM.
2018-09-12 16:41:11 +03:00
Gilles Peskine b0b255c82a Always access key slots through accessor functions
New functions psa_get_key_slot(), psa_get_empty_key_slot(),
psa_get_key_from_slot() to access a key slot object from a key slot
number. These functions perform all requisite validations:

* psa_get_key_slot() verifies that the key slot number is in range.
* psa_get_empty_key_slot() verifies that the slot is empty.
* psa_get_key_from_slot() verifies that the slot contains a key with
  a suitable policy.

Always use these functions so as to make sure that the requisite
validations are always performed.
2018-09-12 16:41:11 +03:00
Gilles Peskine 1d96fff61a In psa_mac_finish, write a safe output even in the BAD_STATE case 2018-09-12 16:41:11 +03:00
Gilles Peskine aee13338b3 Fix safe output length in hash and mac finish
In psa_hash_finish and psa_mac_finish_internal, set the fallback
output length (which is reported on error) to the output buffer size,
not to the _expected_ buffer size which could be larger.
2018-09-12 16:41:11 +03:00
Gilles Peskine 1ae051409f Fix memory leak when importing an RSA key that is too large 2018-09-12 16:41:11 +03:00
Gilles Peskine 46f1fd7afd Handle null pointers safely when used as buffers of size 0
When the size of a buffer is 0, the corresponding pointer argument may
be null. In such cases, library functions must not perform arithmetic
on the pointer or call standard library functions such as memset and
memcpy, since that would be undefined behavior in C. Protect such
cases.

Refactor the storage of a 0-sized raw data object to make it store a
null pointer, rather than depending on the behavior of calloc(1,0).
2018-09-12 16:41:11 +03:00
Jaeden Amero bbf97e3cf1 psa: Pass hash_length with explicit types
The RSA module uses unsigned int for hash_length. The PSA Crypto API
uses size_t for hash_length. Cast hash_length to unsigned int when
passed to the hash module.
2018-09-12 16:41:11 +03:00
Jaeden Amero 23bbb757ad psa: Pass the number of bits with explicit types
The GCM, CCM, RSA, and cipher modules inconsistently use int or unsigned
int for a count of bits. The PSA Crypto API uses size_t for counting
things. This causes issues on LLP64 systems where a size_t can hold more
than an unsigned int. Add casts for where key_bits and bits are passed to
mbedtls_* APIs.
2018-09-12 16:41:11 +03:00
Jaeden Amero 5390f69590 psa: Use type of block_size consistently
Use size_t for block_size in psa_mac_abort() because
psa_get_hash_block_size() returns a size_t. This also helps to avoid
compiler warnings on LLP64 systems.
2018-09-12 16:41:11 +03:00
Jaeden Amero 045bd50a78 psa: Use key slot type in mbedtls_psa_crypto_free()
To avoid a possible loss of precision, and to be semantically correct,
use psa_key_slot_t (which is 16 bits) instead of size_t (which is 32 or
64 bits on common platforms) in mbedtls_psa_crypto_free().
2018-09-12 16:41:11 +03:00
Jaeden Amero 65fb236799 psa: Make psa_set_key_lifetime() match declaration
Previously, the psa_set_key_lifetime() implementation did not match the
function declaration in psa/crypto.h. Value types don't need const,
since they are passed by value. Fix psa_set_key_lifetime()
implementation by making it match its declaration in the header.
2018-09-12 16:41:11 +03:00
Gilles Peskine af3baabd05 Define max sizes for MAC and signatures
This requires defining a maximum RSA key size, since the RSA key size
is the signature size. Enforce the maximum RSA key size when importing
or generating a key.
2018-09-12 16:41:11 +03:00
Gilles Peskine a26ff6a290 psa_asymmetric_sign: consistently fill unused output with '!'
Fill the unused part of the output buffer with '!', for consistency
with hash and mac.

On error, set the output length to the output buffer size and fill the
output buffer with '!', again for consistency with hash and mac. This
way an invalid output is more visible in a memory dump.

Restructure the error paths so that there is a single place where the
unused part of the output buffer is filled.

Also remove a redundant initialization of *signature_length to 0.
2018-09-12 16:41:11 +03:00
Gilles Peskine 2b450e3a01 Factor RSA sign/verify code into its own functions
This makes the functions smaller and makes error paths easier to read.
2018-09-12 16:41:11 +03:00
Gilles Peskine eae6eee24c Change ECDSA signature representation to r||s
Change the representation of an ECDSA signature from the ASN.1 DER
encoding used in TLS and X.509, to the concatenation of r and s
in big-endian order with a fixed size. A fixed size helps memory and
buffer management and this representation is generally easier to use
for anything that doesn't require the ASN.1 representation. This is
the same representation as PKCS#11 (Cryptoki) except that PKCS#11
allows r and s to be truncated (both to the same length), which
complicates the implementation and negates the advantage of a
fixed-size representation.
2018-09-12 16:41:11 +03:00
Gilles Peskine a81d85b732 Sort out ECDSA mechanisms
* Distinguish randomized ECDSA from deterministic ECDSA.
* Deterministic ECDSA needs to be parametrized by a hash.
* Randomized ECDSA only uses the hash for the initial hash step,
  but add ECDSA(hash) algorithms anyway so that all the signature
  algorithms encode the initial hashing step.
* Add brief documentation for the ECDSA signature mechanisms.
* Also define DSA signature mechanisms while I'm at it. There were
  already key types for DSA.
2018-09-12 16:24:51 +03:00
Gilles Peskine 526fab0066 Fix parameter name signature_size for psa_asymmetric_verify
It should have been signature_length, following our conventions.
2018-09-12 16:24:51 +03:00
Gilles Peskine e9191ff90b Add missing const for signature parameter of psa_asymmetric_verify 2018-09-12 16:24:51 +03:00
Gilles Peskine 55bf3d1171 Sort out RSA mechanisms
* PSS needs to be parametrized by a hash.
* Don't use `_MGF1` in the names of macros for OAEP and PSS. No one
  ever uses anything else.
* Add brief documentation for the RSA signature mechanisms.
2018-09-12 16:24:51 +03:00
Gilles Peskine 7ed29c56f1 Rename PSA_ALG_RSA_GET_HASH to PSA_ALG_SIGN_GET_HASH
And don't use it for HMAC when there's a perfectly serviceable
PSA_ALG_HMAC_HASH. HMAC isn't hash-and-sign.
2018-09-12 16:24:50 +03:00
Gilles Peskine c648d6949d psa_import_key: fix memory leak on error
Free the content of the pk object if an error occurs after the import.
2018-09-12 16:24:50 +03:00
Jaeden Amero f24c7f80a0 psa_export_key: Always set a valid data length
Make psa_export_key() always set a valid data_length when exporting,
even when there are errors. This makes the API easier to use for buggy
programs (like our test code).

Our test code previously used exported_length uninitialized when
checking to see that the buffer returned was all zero in import_export()
in the case where an error was returned from psa_export_key().
Initialize exported_length to an invalid length, and check that it gets
set properly by psa_export_key(), to avoid this using export_length
uninitialized. Note that the mem_is_zero() check is still valid when
psa_export_key() returns an error, e.g. where exported_length is 0, as
we want to check that nothing was written to the buffer on error.

Out test code also previous passed NULL for the data_length parameter of
psa_export_key() when it expected a failure (in key_policy_fail()).
However, data_length is not allowed to be NULL, especially now that we
write to data_length from psa_export_key() even when there are errors.
Update the test code to not pass in a NULL data_length.
2018-09-12 16:24:50 +03:00
Gilles Peskine 8173631d7e psa_hash_abort: return PSA_SUCCESS if alg=0
Make psa_hash_abort consistent with psa_mac_abort and
psa_cipher_abort.

Add a comment explaining the reasoning.
2018-09-12 16:24:50 +03:00
Gilles Peskine f9c2c09810 In abort functions, return BAD_STATE on obviously bad input
psa_hash_abort, psa_mac_abort and psa_cipher_abort now return
PSA_ERROR_BAD_STATE if operation->alg is obviously not valid, which
can only happen due to a programming error in the caller or in the
library. We can't detect all cases of calling abort on uninitialized
memory but this is dirt cheap and better than nothing.
2018-09-12 16:24:50 +03:00
Gilles Peskine 48c0ea14c6 Remove PSA_KEY_TYPE_IS_RAW_BYTES from crypto.h
It isn't used to define other macros and it doesn't seem that useful
for users. Remove it, we can reintroduce it if needed.

Define a similar function key_type_is_raw_bytes in the implementation
with a clear semantics: it's a key that's represented as a struct
raw_data.
2018-09-12 16:24:50 +03:00
Gilles Peskine 9ad29e2bee Add what little was missing to fully support DES
Also add what was missing in the test suite to support block ciphers
with a block size that isn't 16.

Fix some buggy test data that passed only due to problems with DES
support in the product.
2018-09-12 16:24:50 +03:00
Gilles Peskine 9a94480685 Convert ERR_ASN1 error codes to PSA
This fixes the error code when psa_export_key on an asymmetric key
reports that the output buffer is too small.
2018-09-12 16:24:50 +03:00
Gilles Peskine b54979a297 Refuse non-byte-sized raw data keys
Since the key size is stored in bytes, we can't have a key whose size
isn't a whole number of bytes.
2018-09-12 16:24:50 +03:00
Gilles Peskine c06e07128c Favor INVALID_ARGUMENT over NOT_SUPPORTED for bad algorithm types
In psa_hash_start, psa_mac_start and psa_cipher_setup, return
PSA_ERROR_INVALID_ARGUMENT rather than PSA_ERROR_NOT_SUPPORTED when
the algorithm parameter is not the right category.
2018-09-12 16:23:54 +03:00
Gilles Peskine 248051acb6 Add missing #ifdef guards around psa_hmac_start 2018-09-12 16:23:54 +03:00
Gilles Peskine 16c0f4f787 Fix potential memory corruption on MAC/cipher setup failure
When psa_mac_start(), psa_encrypt_setup() or psa_cipher_setup()
failed, depending on when the failure happened, it was possible that
psa_mac_abort() or psa_cipher_abort() would crash because it would try
to call a free() function uninitialized data in the operation
structure. Refactor the functions so that they initialize the
operation structure before doing anything else.

Add non-regression tests and a few more positive and negative unit
tests for psa_mac_start() and psa_cipher_setup() (the latter via
psa_encrypt_setip()).
2018-09-12 16:23:53 +03:00
Gilles Peskine 12313cd84c Implement psa_generate_key: AES, DES, RSA, ECP
In the test cases, try exporting the generated key and perform sanity
checks on it.
2018-09-12 16:22:51 +03:00
Gilles Peskine e66ca3bbf3 psa_export_key: zero out potential garbage in the output buffer
In psa_export_key, ensure that each byte of the output buffer either
contains its original value, is zero, or is part of the actual output.
Specifically, don't risk having partial output on error, and don't
leave extra data at the end of the buffer when exporting an asymmetric
key.

Test that exporting to a previously zeroed buffer leaves the buffer
zeroed outside the actual output if any.
2018-09-12 16:22:51 +03:00
Gilles Peskine 0e2315859f psa_export_key: fix asymmetric key in larger buffer
Exporting an asymmetric key only worked if the target buffer had
exactly the right size, because psa_export_key uses
mbedtls_pk_write_key_der or mbedtls_pk_write_pubkey_der and these
functions write to the end of the buffer, which psa_export_key did not
correct for. Fix this by moving the data to the beginning of the
buffer if necessary.

Add non-regression tests.
2018-09-12 16:22:51 +03:00
Gilles Peskine 05d69890ee Implement psa_generate_random 2018-09-12 16:22:51 +03:00
Gilles Peskine 0ff4b0f7f9 psa_import_key: validate symmetric key size
When importing a symmetric key, validate that the key size is valid
for the given key type.

Non-supported key types may no longer be imported.
2018-09-12 16:22:51 +03:00
Gilles Peskine e3b07d81d6 Fix build without CMAC
Add missing guard for MBEDTLS_CMAC_C.
2018-09-12 16:22:51 +03:00
Gilles Peskine 828ed149d5 Rename MBEDTLS_xxx macros in psa_crypto.c to placate check-names.sh 2018-09-12 16:22:51 +03:00
Gilles Peskine 34ef7f5a55 Check the curve of an elliptic curve key on import
psa_import_key must check that the imported key data matches the
expected key type. Implement the missing check for EC keys that the
curve is the expected one.
2018-09-12 16:19:04 +03:00
Gilles Peskine b3e6e5deeb Rename hash max sizes for consistency
Use "hash" throughout the library, not "md" as in Mbed TLS.
2018-09-12 16:19:04 +03:00
Gilles Peskine 7bcfc0a9ae Be more consistent about blank lines 2018-09-12 16:18:04 +03:00
Gilles Peskine 803ce7402a Change sizeof(type) to sizeof(variable) 2018-09-12 16:18:04 +03:00
Gilles Peskine c1bb6c8dcc Formatting improvements
Avoid lines longer than 80 columns.

Remove some redundant parentheses, e.g. change
    if( ( a == b ) && ( c == d ) )
to
    if( a == b && c == d )
which makes lines less long and makes the remaining parentheses more
relevant.

Add missing parentheses around return statements.

There should be no semantic change in this commit.
2018-09-12 16:18:02 +03:00
Gilles Peskine 2d2778650b Normalize whitespace
Normalize whitespace to Mbed TLS standards. There are only whitespace
changes in this commit.
2018-09-12 16:15:52 +03:00
Gilles Peskine 6de7a179c8 Fix file permissions
Some files were marked as executable but shouldn't have been.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein aa5aea0bac fix spaces and add braces 2018-09-12 16:13:49 +03:00
Nir Sonnenschein e9664c30f0 space and style fixes 2018-09-12 16:13:49 +03:00
Nir Sonnenschein 9627241beb change macro PSA_HASH_BLOCK_SIZE to function psa_get_hash_block_size 2018-09-12 16:13:49 +03:00
Nir Sonnenschein 5ca6547b77 Renamed hmac_ctx to opad and removed null check.
this array is now part of the struct and not dynamically allocated
so it can't be null.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein caec7f0c49 Fix rename issue missed by re-base 2018-09-12 16:13:49 +03:00
Gilles Peskine d223b52a9a psa_hmac_start: reduce stack usage
Store the temporary key in the long-key case (where the key is first
hashed) directly into ipad. This reduces the stack usage a little, at
a slight cost in complexity.
2018-09-12 16:13:49 +03:00
Gilles Peskine 6a0a44e167 HMAC: clean up local variables containing key material
In psa_mac_start, the hash of the key and ipad contain material that
can be used to make HMAC calculations with the key, therefore they
must be wiped.

In psa_mac_finish_internal, tmp contains an intermediate value which
could reveal the HMAC. This is definitely sensitive in the verify case,
and marginally sensitive in the finish case (it isn't if the hash
function is ideal, but it could make things worse if the hash function
is partially broken).
2018-09-12 16:13:49 +03:00
Gilles Peskine c102e3ce4b psa_hmac_start: simplify key_length logic in hash-the-key case 2018-09-12 16:13:49 +03:00
Gilles Peskine e1bc6800cc psa_hmac_start: remove useless casts 2018-09-12 16:13:49 +03:00
Gilles Peskine 7e454bc19f Split out CMAC and HMAC code into auxiliary functions
Split algorithm-specific code out of psa_mac_start. This makes the
function easier to read.

The behavior is mostly unchanged. In a few cases, errors before
setting a key trigger a context wipe where they didn't. This is a
marginal performance loss but only cases that are an error in caller
code.
2018-09-12 16:13:49 +03:00
Gilles Peskine 99bc649760 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-12 16:13:49 +03:00
Gilles Peskine ef057ac8ed Remove dead code
Remove an unused function and an unused variable. Now the code builds
with gcc -Wall -Wextra -Werror.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein 084832d65f replace get_block_size_from_hash_algorithm with PSA_HASH_BLOCK_SIZE macro 2018-09-12 16:13:49 +03:00
Nir Sonnenschein 35dfbf4601 change hmac context to use statically allocated memory
1. removed dynamic allocation of stack context
2. moved ipad to stack
3. added defines for maximal sizes
2018-09-12 16:13:49 +03:00
Nir Sonnenschein 0c9ec53a10 remove reliance on md_info context for hash information
1. remove reliance on md_info context for hash information by decoding locally
2. remove block_size field in context as this is dynamically computed
2018-09-12 16:13:49 +03:00
Nir Sonnenschein eeace0bf7f Code style fix : changed keylen to key_length 2018-09-12 16:13:49 +03:00
Nir Sonnenschein 7810be273a Code correction: remove unneeded sizeof 2018-09-12 16:13:49 +03:00
Nir Sonnenschein dcd636a73f Commit changes to hmac to not use MD abstraction
this PR is part of efforts to use "lower level" mbedTLS APIs vs "higher level" abstract APIs.
2018-09-12 16:13:49 +03:00
Gilles Peskine 8605428dcf Merge remote-tracking branch 'psa/pr/27' into feature-psa 2018-09-05 12:46:19 +03:00
Gilles Peskine c4def2f228 Add input length check in psa_asymmetric_decrypt
Remove output size check which is not needed here and was copypasta.

Add non-regression tests.
2018-09-05 12:44:18 +03:00
Gilles Peskine b75e4f1314 Remove ECC boilerplate in asymmetric encrypt/decrypt
We don't have any encryption algorithm using ECC keys at the moment.
2018-09-05 12:44:17 +03:00
Gilles Peskine beb4948d10 Add RSA PSS verification (untested) 2018-09-05 12:44:17 +03:00
Gilles Peskine 625b01c9c3 Add OAEP placeholders in asymmetric encrypt/decrypt
Replace PSS placeholders by OAEP placeholders. PSS is a signature
algorithm, not an encryption algorithm.

Fix typo in PSA_ALG_IS_RSA_OAEP_MGF1.
2018-09-05 12:44:17 +03:00
Gilles Peskine 8b18a4fef3 Rename verify_RSA_hash_input_and_get_md_type
Give it a shorter name that's more in line with our naming conventions.
2018-09-05 12:44:17 +03:00
Gilles Peskine 61b91d4476 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein 1c2a7ea4e2 Allow psa_asymmetric_verify and psa_asymmetric_encrypt to use public key only. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein d708260de4 add key policy enforcement implementation
add checks that keys have been set for the correct usage for asymmetric
functions.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein ca466c89b0 Set output length to safe value 2018-09-05 12:44:17 +03:00
Nir Sonnenschein c460291714 Re-Add ECC verification code which was not properly merged in re-base. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein 4db79eb36b Extract common code
Make code easier to maintain.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein 717a040df5 Remove duplicate / unneeded code
1. remove duplicate function introduced by re-base
2. remove unneeded code
2018-09-05 12:44:17 +03:00
Gilles Peskine 5b051bc608 Remove trailing whitespace
Only horizontal whitespace changes in this commit.
2018-09-05 12:44:12 +03:00
Gilles Peskine 6afe789d4c Finish renaming around PSA_ALG_IS_RSA_PKCS1V15
Now the code compiles. Some OAEP and PSS macros may still need to be fixed.
2018-09-05 12:41:53 +03:00
Gilles Peskine d6125ca63b Merge remote-tracking branch 'psa/pr/24' into feature-psa 2018-09-05 12:41:53 +03:00
Nir Sonnenschein 4f594eca40 remove check for key pair (public key should be enough for verification) 2018-09-05 12:41:53 +03:00
Nir Sonnenschein 7f5a31915b code fixes for internal code review:
1. change to correct error code
2. removed unneeded comment
2018-09-05 12:41:53 +03:00
Nir Sonnenschein 39e59144f6 added support for PKCSv1.5 signature verification and encryption/decryption and very basic tests. 2018-09-05 12:41:53 +03:00
Gilles Peskine bb1072f642 Fix use of mbedtls_cipher_info_from_psa
One branch added an extra argument, the other branch added a call of
this function. Pass the extra argument on the code from the other
branch.
2018-09-05 12:41:52 +03:00
Gilles Peskine 84861a95ca Merge remote-tracking branch 'psa/psa-wrapper-apis-aead' into feature-psa 2018-09-05 12:41:52 +03:00
Gilles Peskine 154bd95131 psa_destroy_key: return SUCCESS on an empty slot
Do wipe the slot even if it doesn't contain a key, to erase any metadata.
2018-09-05 12:41:52 +03:00
Gilles Peskine 71bb7b77f0 Switch PSA_HASH_FINAL_SIZE to PSA_HASH_SIZE
Make this macro work on derived algorithms as well (HMAC,
hash-and-sign, etc.).
2018-09-05 12:41:52 +03:00
mohammad1603 fc614b1e0e fix parentheses 2018-09-05 12:41:52 +03:00
mohammad1603 e109f21638 remove unnecessary check for block size 2018-09-05 12:41:52 +03:00
mohammad1603 a1d9801683 add slot validation 2018-09-05 12:41:52 +03:00
mohammad1603 e3cb8a8d8b return PSA_ERROR_BUFFER_TOO_SMALL intead of PSA_ERROR_INVALID_ARGUMENT 2018-09-05 12:41:52 +03:00
mohammad1603 6b4d98cf78 remove trailing spaces 2018-09-05 12:41:52 +03:00
mohammad1603 5ed0621dd4 aligned with coding standards - line length 2018-09-05 12:41:52 +03:00
mohammad1603 f14394b25f add policy checks 2018-09-05 12:41:52 +03:00
mohammad1603 96910d807e fix block size depending on algorithm 2018-09-05 12:41:51 +03:00
mohammad1603 60a64d079a remove unnecessary argument to the psa_aead_unpadded_locate_tag function 2018-09-05 12:41:51 +03:00
mohammad1603 15223a8b89 write the tag directly on the ciphertext buffer. 2018-09-05 12:41:51 +03:00
mohammad1603 4fc744f8af change the check of block size for all supported algorithms 2018-09-05 12:41:51 +03:00
mohammad1603 0f21465175 use mbedtls_cipher_info_from_psa to get cipher ID 2018-09-05 12:41:51 +03:00
mohammad1603 f58aa6ade6 use memset instead of mbedtils_zeroize 2018-09-05 12:41:51 +03:00
mohammad1603 554faad260 return NOT_SUPPORTED instead of INVLID_ARGUMENT 2018-09-05 12:41:51 +03:00
mohammad1603 95893f834d remove usless cast 2018-09-05 12:41:51 +03:00
mohammad1603 f08a550e68 set output length to zero to cover output length in error case 2018-09-05 12:41:51 +03:00
mohammad1603 f4f0d612ba change mbedtls_cipher_info_from_psa to provide cipher_id also 2018-09-05 12:41:51 +03:00
mohammad1603 9375f8403a fix code offsets after rebase 2018-09-05 12:41:51 +03:00
Gilles Peskine ee652a344c Fix psa_aead_decrypt to read the tag at the end of the ciphertext 2018-09-05 12:41:51 +03:00
Gilles Peskine a40d77477d Whitespace fixes
Changed indentation to match Mbed TLS style. Wrapped some lines to 80 columns.
2018-09-05 12:41:51 +03:00
mohammad1603 39574652ae add else for not supported algorithm 2018-09-05 12:38:18 +03:00
mohammad1603 5c8845f563 return invalid argument for unsupported algorithms 2018-09-05 12:38:18 +03:00
mohammad1603 e58e68458e fix condition over key type 2018-09-05 12:38:18 +03:00
mohammad1603 17638efc46 remove unused variable 2018-09-05 12:38:18 +03:00
mohammad1603 dad36fa855 add Key and Algorithm validation 2018-09-05 12:38:18 +03:00
mohammad1603 a7e6df76ea Validation fixes for key_type 2018-09-05 12:38:18 +03:00
mohammad1603 4f5eb7cb54 Fill the the output buffer with zero data in case of failure 2018-09-05 12:38:18 +03:00
mohammad1603 6bbd8c75dc Remove unnecessary cast
Remove unnecessary cast
2018-09-05 12:38:18 +03:00
mohammad1603 db6247315f Parameters validation fixes
Fix key_type validation test and no need to ask for place for tag in decryption
2018-09-05 12:38:18 +03:00
mohammad1603 ce5cba9a6a unify the concatenation of the tag and update output length 2018-09-05 12:38:18 +03:00
mohammad1603 9e5a515aa8 Fix parameter validation 2018-09-05 12:38:18 +03:00
mohammad1603 47ddf3d544 Concatenate the tag to the output buffer
Concatenate the tag to the output buffer.
2018-09-05 12:38:18 +03:00
mohammad1603 5955c98779 Initial implementation of the AEAD decrypt/encrypt APIs
Initial implementation for the AEAD APIs, missing the following:
* Concatenation of the tag to the output buffer.
* Updated documentation of the new functions.
* argument validations
* tests
2018-09-05 12:38:18 +03:00
Gilles Peskine 3aa8efb230 Merge remote-tracking branch 'psa/psa-wrapper-apis-march-12' into feature-psa 2018-09-05 12:38:17 +03:00
Gilles Peskine 2c5219a06d Whitespace normalization
No semantic change.
2018-09-05 12:14:29 +03:00
Gilles Peskine 5351420b3e Use block local variable for padding_mode for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Moran Peker 7cb22b8327 abort operation before return + fix error checks 2018-09-05 12:14:29 +03:00
Gilles Peskine 89d789c9bc Refactor some argument checks for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Gilles Peskine 7e9288520f Wrap lines to 80 columns 2018-09-05 12:14:29 +03:00
Gilles Peskine e553c65cc3 Fix indentation and horizontal whitespace
Only whitespace changes in this commit.
2018-09-05 12:14:29 +03:00
Moran Peker 3520c2c4f7 unset iv_required to 0 (psa_encrypt_set_iv)and block_size (psa_cipher_setup) 2018-09-05 12:14:29 +03:00
Moran Peker 395db875e6 adjust indentation per Mbed TLS standards 2018-09-05 12:14:29 +03:00
Moran Peker ae382791fb add missing psa_cipher_abort( operation ) 2018-09-05 12:14:28 +03:00
Moran Peker 70531163a9 fix compilation error - missing if 2018-09-05 12:14:28 +03:00
Moran Peker a28258c594 adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
Moran Peker 2cab25aacf fix conditions in psa_cipher_finish function 2018-09-05 12:14:28 +03:00
Moran Peker dc38ebc068 delete decrypt checks + fix memcpy& return value 2018-09-05 12:14:28 +03:00
Moran Peker ad9d82cc0e add iv_required field to psa_cipher_operation_s and fix relevant functions 2018-09-05 12:14:28 +03:00
Moran Peker 71f19ae6f8 add missing call to psa_cipher_abort in cipher_setup func + iv_length check in cipher_set_iv func 2018-09-05 12:14:28 +03:00
Moran Peker 406008ab4c add missing check on output_size in psa_cipher_update func 2018-09-05 12:14:28 +03:00
Moran Peker bed71a2b17 fix missing check on output_size in psa_cipher_finish func 2018-09-05 12:14:28 +03:00
Moran Peker 0071b873a3 add missing parameter output_size on psa_cipher_finish 2018-09-05 12:14:28 +03:00
Moran Peker 4c80d8331a adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
mohammad1603 b152d4d8b6 add test scenarios to decrypt and encrypt input and compare with given output 2018-09-05 12:14:28 +03:00
mohammad1603 89e0f468bf style 2018-09-05 12:14:28 +03:00
Moran Peker 41deec4494 partly pr fix 2018-09-05 12:14:28 +03:00
Moran Peker e1210dcac3 remove unused parameter in psa_cipher_finish. 2018-09-05 12:14:28 +03:00
Moran Peker 3205a6592b tests fix 2018-09-05 12:14:28 +03:00
mohammad1603 16864af80b fix static function name 2018-09-05 12:14:28 +03:00
mohammad1603 8481e74ecc CR fixes
more fixes

Compilation fixes

Compilation fixes for PSA crypto code and tests
2018-09-05 12:14:28 +03:00
mohammad1603 efb0107fbe CR fix, remove exposing ECB 2018-09-05 12:14:27 +03:00
mohammad1603 990a18c2f0 add ecb to cipher algorithms 2018-09-05 12:14:27 +03:00
Gilles Peskine 5100318a92 Merge pull request #18 from ARMmbed/psa-wrapper-apis-export-publickey
Export public key implementation (#18)
2018-09-05 12:13:23 +03:00
mohammad1603 8275961178 warnings fixes 2018-09-05 12:13:23 +03:00
mohammad1603 503973bdf3 initial implementation for PSA symmetric APIs - missing tests and documentations 2018-09-05 12:13:23 +03:00
Moran Peker 8756763cf1 change error check on psa_internal_export_key func 2018-09-05 12:13:23 +03:00
Gilles Peskine 785fd55a39 Whitespace fixes; removed redundant parentheses
No semantic change.
2018-09-05 12:13:23 +03:00
Moran Peker cceea98bfe adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker d732659867 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker 17e36e1bd9 fix conditions 2018-09-05 12:13:23 +03:00
Moran Peker 6036432617 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker a998bc6ac9 psa_internal_export_key function for common code.
create psa_internal_export_key function for common code in psa_export_key and psa_export_public_key.
2018-09-05 12:13:22 +03:00
Moran Peker 5010828fb6 adjust indentation per Mbed TLS standards 2018-09-05 12:13:22 +03:00
Moran Peker b4d0ddd2d3 psa_export_public_key 2018-09-05 12:13:20 +03:00
Moran Peker dd4ea38d58 export public key 2018-09-05 12:10:47 +03:00
itayzafrir 7b30f8b0c9 Added handling for MBEDTLS_ERR_ECP_XXX error codes
Added handling for MBEDTLS_ERR_ECP_XXX error codes
2018-09-05 12:10:47 +03:00
itayzafrir 5c7533923a ECDSA sign and verify implementation and tests
ECDSA sign and verify implementation and tests
2018-09-05 12:10:47 +03:00
Gilles Peskine a0655c3501 Merge remote-tracking branch 'psa/pr/13' into feature-psa
Conflicts:
	library/psa_crypto.c
	tests/suites/test_suite_psa_crypto.data
	tests/suites/test_suite_psa_crypto.function

All the conflicts are concurrent additions where the order doesn't
matter. I put the code from feature-psa (key policy) before the code
from PR #13 (key lifetime).
2018-09-05 12:10:43 +03:00
mohammad1603 ea0500936e Change behavior of psa_get_key_lifetime()
psa_get_key_lifetime() behavior changed regarding empty slots, now
it return the lifetime of and empty slots. Documentation in header
file updated accordingly.
2018-09-05 12:01:37 +03:00
mohammad1603 5d7ec2033d fix key lifetime set implementation , tests accordingly 2018-09-05 12:01:37 +03:00
mohammad1603 ba178511f4 Remove unused and duplicated erros, fix documentation and tests
Remove unused and duplicated erros, fix documentation and tests
2018-09-05 12:01:37 +03:00
mohammad1603 060ad8ac34 Compilation and tests fixes 2018-09-05 12:01:37 +03:00
mohammad1603 804cd71bf8 initial key lifetime implementation and tests 2018-09-05 12:01:37 +03:00
Gilles Peskine c63b6ba754 Merge remote-tracking branch 'psa/pr/14' into feature-psa
Conflict resolution:

* `tests/suites/test_suite_psa_crypto.data`: in the new tests from PR #14,
  rename `PSA_ALG_RSA_PKCS1V15_RAW` to `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` as
  was done in PR #15 in the other branch.
2018-09-05 12:01:34 +03:00
Gilles Peskine 47c1bc0458 Correct some return codes 2018-09-05 11:53:26 +03:00
mohammad1603 38a622b68b Function psa_get_key_policy() now return policy value for empty slots
Function psa_get_key_policy() now return policy value for empty slots
2018-09-05 11:53:26 +03:00
mohammad1603 5feda72d7a Remove usage of PSA_ERROR_INVALID_KEY_POLICY
use PSA_ERROR_INVALID_ARGUMENT instead of INVALID_KEY_POLICY error
2018-09-05 11:53:26 +03:00
mohammad1603 6df908f234 Add static internal MAC finish function
add new psa_mac_finish_internal() to be called by psa_mac_finish() and
psa_mac_verify() in order to be able to check key usage separatly.
2018-09-05 11:53:26 +03:00
Gilles Peskine a59262338a Rename PKCS1V15 to PKCS1V15_SIGN
There's PKCS1V15_CRYPT as well (to be added soon).
2018-09-05 11:53:26 +03:00
mohammad1603 4eed757901 add new test scenarios 2018-09-05 11:53:26 +03:00
mohammad1603 06e7920be5 integrate policy key usage in export and asymmetric sign functions 2018-09-05 11:53:26 +03:00
mohammad1603 8cc1ceec3e Key Policy APIs implementation 2018-09-05 11:53:26 +03:00
Gilles Peskine dc2fc8443f Rename xxx_of_psa functions to xxx_from_psa
Be consistent with how similar functions are named in Mbed TLS.
2018-09-05 11:53:25 +03:00
Gilles Peskine 3c6e970752 Fix memory leak in psa_destroy_key 2018-09-05 11:53:25 +03:00
Gilles Peskine 6d9121381a Add some comments to document some non-obvious coding choices 2018-09-05 11:53:25 +03:00
Gilles Peskine e4ebc12fcd psa_crypto_init: set the global initialized flag 2018-09-05 11:53:25 +03:00
Gilles Peskine 8c9def3e7f PSA: Implement MAC functions
Implement psa_mac_start, psa_mac_update and psa_mac_final.

Implement HMAC anc CMAC.

Smoke tests.
2018-09-05 11:53:25 +03:00
Gilles Peskine 9ef733faa0 Implement hash functions
New header file crypto_struct.h. The main file crypto.sh declares
structures which are implementation-defined. These structures must be
defined in crypto_struct.h, which is included at the end so that the
structures can use types defined in crypto.h.

Implement psa_hash_start, psa_hash_update and psa_hash_final. This
should work for all hash algorithms supported by Mbed TLS, but has
only been smoke-tested for SHA-256, and only in the nominal case.
2018-09-05 11:53:25 +03:00
Gilles Peskine a590529938 Greatly expanded mbedtls_to_psa_error
It now covers most cryptography algorithm modules (missing: bignum,
DHM, everything ECC, HMAC_DRBG).
2018-09-05 11:53:24 +03:00
Gilles Peskine 93aa0334d9 PSA asymmetric signature: set *signature_length = 0 on failure 2018-09-05 11:53:24 +03:00
Gilles Peskine 20035e3579 PSA crypto: asymmetric signature (RSA PKCS#1v1.5 only)
Define hash algorithms and RSA signature algorithms.

New function psa_asymmetric_sign.

Implement psa_asymmetric_sign for RSA PKCS#1 v1.5.
2018-09-05 11:53:24 +03:00
Gilles Peskine c66ea6a921 PSA key import: support RSA public keys
Use different key types for private keys and public keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine 969ac726d9 PSA RSA key import: don't rely on pk so much
Don't use the pk module except as required for pkparse/pkwrite. The
PSA crypto layer is meant to work alongside pk, not on top of it.

Fix the compile-time dependencies on RSA/ECP handling in
psa_export_key, psa_destroy_key and psa_get_key_information.
2018-09-05 11:53:24 +03:00
Gilles Peskine 2f9c4dc5ad Add key management functions
Define psa_key_type_t and a first stab at a few values.

New functions psa_import_key, psa_export_key, psa_destroy_key,
psa_get_key_information. Implement them for raw data and RSA.

Under the hood, create an in-memory, fixed-size keystore with room
for MBEDTLS_PSA_KEY_SLOT_COUNT - 1 keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine e59236fc17 Add PSA crypto module
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.

Implement psa_crypto_init function which sets up a RNG.

Add a mbedtls_psa_crypto_free function which deinitializes the
library.

Define a first batch of error codes.
2018-09-05 10:59:00 +03:00