Commit graph

14780 commits

Author SHA1 Message Date
Ronald Cron 3a9c46b184 Add RSA key generation support to the transparent test driver
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 9e18fc1cf9 Move RSA key generation code to the PSA RSA specific C file
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 977c247048 Call software implementation as a driver
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 5c4d38639d psa: Extend psa_get_key_buffer_size scope
When generating transparent keys, we need to be able
to compute the size of the key buffer whether the
key is generated by the Mbed TLS library or by an
accelerator. Thus, change the RSA/ECP
MBEDTLS_PSA_BUILTIN_... compilation guards with
their PSA_WANT_... counterparts.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 55ed0591c8 Export "internally" psa_generate_key_internal()
Export psa_generate_key_internal() to make it
available to the driver wrapper.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 2a38a6b98f Change psa_generate_key_internal() signature
Change psa_generate_key_internal() signature to
that of a PSA driver generate_key entry point.

That way, this function can be called by the
driver wrapper when a software fallback is
necessary.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 9df74beea7 psa: driver wrapper: Rename and export get_key_buffer_size
Rename and export get_key_buffer_size to be able to call
it from psa_crypto.c to compute the size of buffers to
contain keys generated by an opaque driver without
storage.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 31216284e1 psa: driver wrapper: Clarify the scope of and rename get_expected_key_size
Restrict the scope of get_expected_key_size to
generation of key in a secure element or
cryptoprocessor without storage.

For transparent driver, the key buffer size calculation is
for the time being moved to psa_driver_wrapper_generate_key
and will eventually be done by psa_get_key_buffer_size.

Rename the function to get_key_buffer_size to
align its naming with that of psa_get_key_buffer_size.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 9cca31654c psa: driver wrapper: Fix buffer allocation in case of key generation
In case of a secure element or cryptoprocessor with
storage, when generating a key, the key material is
not exported from the secure element or cryptoprocessor
thus there is no need to allocate a buffer in that case.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 2b56bc84f5 Move key buffer allocation out of psa_generate_key_internal()
Preparatory commit to eventually change
psa_generate_key_internal() signature to that of
a PSA driver generate_key entry point.

To be able to change the signature, the buffer to
store the generated key has to be allocated before
the call to psa_generate_key_internal().

This commit moves the allocation and clean-up in
case of error of the buffer to store the generated
key from psa_generate_key_internal() to
psa_generate_key().

This has the nice benefit of factorizing the key
buffer allocation and clean-up.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron 01b2aba924 Move key buffer size computation out of psa_generate_key_internal()
Preparatory commit to eventually change
psa_generate_key_internal() signature to that of
a PSA driver generate_key entry point.

To be able to change the signature, the buffer to
store the key has to be allocated before the call
to psa_generate_key_internal() thus its size has
to be calculed beforehand as well.

This is the purpose of this commit: to move the
computation of the key size in bytes out of
psa_generate_key_internal().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:50 +01:00
Ronald Cron f3bb761c00 Improve psa_generate_key_internal()
Small improvements to psa_generate_key_internal()
implementation:
. declare only once the status local variable and
  initialize it to PSA_ERROR_CORRUPTION_DETECTED
  to improve robustness against FI attacks.
. remove an unnecessary assignment.
. use type local variable instead of its global
  variable equivalent.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-16 09:04:49 +01:00
Steven Cooreman ea8d387406 Fix config query file
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 14:26:47 +01:00
Steven Cooreman 863470a5f9 Rename PSA_KEY_SLOT_COUNT to MBEDTLS_PSA_KEY_SLOT_COUNT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 14:26:44 +01:00
Steven Cooreman 1f968fdf19 Define the user-configurable PSA config flag in config.h
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 14:26:30 +01:00
David Carlier 4971c3fce7 Changelog entry.
Signed-off-by: David Carlier <devnexen@gmail.com>
2021-02-15 13:13:13 +00:00
Steven Cooreman 7976574f82 Allow tweaking PSA_KEY_SLOT_COUNT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 13:58:27 +01:00
Dave Rodgman 0279c2fc70 ssl-opt.sh: add --priority=normal to gnutls
For calls to gnutls-serv and gnutls-cli where --priority is not
specified, explicitly add the default value: --priority=normal. This is
needed for some tests on Ubuntu 20.04 (gnutls 3.6.13).

For example:
./ssl-opt.sh -f "DTLS fragmenting: gnutls.*1.0"
requires this PR to work on Ubuntu 20.04

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-02-15 12:45:43 +00:00
Gilles Peskine 59ad77032f
Merge pull request #4131 from paul-elliott-arm/fix_crypto_leak
Fix memory leak in error case in psa_crypto
2021-02-15 11:38:13 +01:00
Gilles Peskine 9d5abfed8b
Merge pull request #4137 from stevew817/fix/unused_argument_warnings
Fix/unused argument warnings
2021-02-15 11:20:58 +01:00
Steven Cooreman 70f654a89c Fix a malformed define guard
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 10:51:43 +01:00
Ronald Cron 5cd00d28bf
Merge pull request #4092 from ronald-cron-arm/psa-crypto-client
Psa crypto client
2021-02-15 10:46:35 +01:00
Ronald Cron 7339335c7d
Merge pull request #3967 from bensze01/psa_macro_rename
PSA: Rename AEAD tag length macros
2021-02-12 16:33:21 +01:00
Paul Elliott d17062e6bf Correct english in changelog.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-02-12 14:48:16 +00:00
Manuel Pégourié-Gonnard 97ce71daca
Merge pull request #4109 from gilles-peskine-arm/ssl-opt-server-failure-development
ssl-opt.sh: if the server fails, do treat it as a test failure
2021-02-12 12:15:50 +01:00
Manuel Pégourié-Gonnard b2024ef3bb
Merge pull request #4129 from chris-jones-arm/move-test-macros
Move test macros to macros.h
2021-02-12 10:17:28 +01:00
Bence Szépkúti a63b20d28b Rename AEAD tag length macros
This brings them in line with PSA Crypto API 1.0.0

PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH         -> PSA_ALG_AEAD_WITH_SHORTENED_TAG

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-02-11 11:39:31 +01:00
Ronald Cron 8a129828da
Merge pull request #4010 from stevew817/feature/gcm_vectors
Testing changes for AES-GCM backed by ALT implementation
2021-02-11 09:33:51 +01:00
Steven Cooreman 74afe47cc8 Fix unused variables in PSA core when no KDF algorithm is present
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 17:19:22 +01:00
Steven Cooreman 7196fefeef Fix unused variable in PSA core when no AEAD algorithm is present
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 17:18:39 +01:00
Steven Cooreman 6dce4bbe36 Fix unused argument when compiling with MBEDTLS_ECDSA_SIGN_ALT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 17:07:20 +01:00
Steven Cooreman 1e9c042085 Minor fixup of SKIP_IF test macro documentation verbiage
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 17:02:05 +01:00
Ronald Cron 28a45ed8db tests: psa: Add macros to skip a test case
Add macros to skip a test case when hitting a
common alternative implementation limitation.

Add a macro for AES-192 and GCM with a nonce
length different from 12 bytes.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-10 16:07:21 +01:00
Steven Cooreman 50f1f5e119 Use PSA_ALG_ macros to inspect AEAD base algorithm
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 2f09913aeb Set default IV for AES-GCM to 12 bytes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 82645b153d Allow skipping vectors w/ non-12-byte IV AES-GCM on ALT
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman d588ea1704 Allow skipping AES-192 for alternative implementations in PSA test suite
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 7c9e7da8d4 Add CAVS14.0 AES-GCM vectors to test more IV, tag and key lengths
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Steven Cooreman 2222d689c5 Allow GCM selftest to skip non-12-byte IVs for ALT implementations
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-10 15:34:52 +01:00
Gilles Peskine aaf866edd2 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-09 21:01:33 +01:00
Paul Elliott da3e7db495 Fix memory leak in error case in psa_crypto
In psa_generate_derived_key_internal() an error case was returning
directly rather than jumping to the exit label, which meant that an
allocated buffer would not be free'd.

Found via coverity.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-02-09 19:03:47 +00:00
Ronald Cron 07907ae84e Add change log entry
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-09 15:36:14 +01:00
Ronald Cron 395889f9b7 psa: Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
when MBEDTLS_PSA_CRYPTO_C is defined and guard
PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT.

The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done
in crypto_types.h before the definition of
psa_key_attributes_t. That way as PSA crypto client
code is related to key attributes we can be quite
confident that MBEDTLS_PSA_CRYPTO_CLIENT will be
defined when needed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-09 15:36:08 +01:00
Gilles Peskine a0b4decff0
Merge pull request #4072 from gilles-peskine-arm/psa_import_ecc_key-not_supported
ECC import: more useful choice of INVALID_ARGUMENT vs NOT_SUPPORTED
2021-02-09 15:16:20 +01:00
Chris Jones a6d155fb47 Move test macros to macros.h
Move test macros previously located in `suites/helpers.function` to
`include/test/macros.h`. This makes these test infrastructure macros
available for use in other parts of the test infrastructure at compile
time as opposed to run time.

This commit is a simple cut and paste from one file to the other.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-09 12:09:33 +00:00
Gilles Peskine b168c0d2e6 More robust code to set the IV
Check that the source address and the frame counter have the expected
length. Otherwise, if the test data was invalid, the test code could
build nonsensical inputs, potentially overflowing the iv buffer.

The primary benefit of this change is that it also silences a warning
from compiling with `gcc-10 -O3` (observed with GCC 10.2.0 on
Linux/amd64). GCC unrolled the loops and complained about a buffer
overflow with warnings like:
```
suites/test_suite_ccm.function: In function 'test_mbedtls_ccm_star_auth_decrypt':
suites/test_suite_ccm.function:271:15: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
  271 |         iv[i] = source_address->x[i];
      |         ~~~~~~^~~~~~~~~~~~~~~~~~~~~~
suites/test_suite_ccm.function:254:19: note: at offset [13, 14] to object 'iv' with size 13 declared here
  254 |     unsigned char iv[13];
```
Just using memcpy instead of loops bypasses this warnings. The added
checks are a bonus.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-09 12:00:13 +01:00
Gilles Peskine 5d332f0274
Merge pull request #4105 from paul-elliott-arm/fix_test_leak
Fix for memory leak in ssl tests
2021-02-09 10:03:49 +01:00
Ronald Cron 6b8d0a48eb
Merge pull request #4123 from gilles-peskine-arm/fix-build-test_generate_random
Remove trail check in the generate_random test
2021-02-09 08:52:21 +01:00
Ronald Cron f8ceb4c18e
Merge pull request #4120 from bensze01/fix_changelog
Fix mistake in 2.25.0 Changelog
2021-02-09 08:46:50 +01:00
Gilles Peskine 9189202156 Remove trail check in the generate_random test
The test function generate_random allocated a few extra bytes after
the expected output and checked that these extra bytes were not
overwritten. Memory sanity checks such as AddressSanitizer and
Valgrind already detect this kind of buffer overflow, so having this
test in our code was actually redundant. Remove it.

This has the benefit of not triggering a build error with GCC
(observed with 7.5.0 and 9.3.0) when ASan+UBSan is enabled: with the
previous code using trail, GCC complained about an excessively large
value passed to calloc(), which was (size_t)(-sizeof(trail)).
Thus this commit fixes #4122.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-08 19:50:26 +01:00