psa_import_key must check that the imported key data matches the
expected key type. Implement the missing check for EC keys that the
curve is the expected one.
Instead of rolling our own list of elliptic curve identifiers, use one
from somewhere. Pick TLS because it's the right size (16 bits) and
it's as good as any.
Get rid of many redundant casts. In particular, it is not useful to
cast uint32_t values to size_t before performing arithmetic or
comparisons on them.
Rewrap a number of function calls, many of which now have narrower
arguments thanks to the removed casts. When a function call doesn't
fit on a single line, avoid grouping unrelated parameters together,
but do try to group a buffer pointer and the associated size.
Define more auxiliary variables xxx of a particular integer
type (psa_algorithm_t, psa_key_usage_t, etc.) corresponding to a test
function xxx_arg which has the type int. This avoids the need to cast
xxx_arg to an unsigned type sometimes in the code.
Avoid lines longer than 80 columns.
Remove some redundant parentheses, e.g. change
if( ( a == b ) && ( c == d ) )
to
if( a == b && c == d )
which makes lines less long and makes the remaining parentheses more
relevant.
Add missing parentheses around return statements.
There should be no semantic change in this commit.
Always adding things at the end tends to create merge conflicts.
Adding in the middle in this way makes the order more logical in
addition to avoiding conflicts.
* PKCS#7 padding always adds at least one byte of padding, so test
data with plaintext length = ciphertext length could not have been
correct.
* CTR has plaintext length = ciphertext length, so test data with
differing lengths could not have been correct.
In cipher_test_verify_output_multpart, tweak the ways chunk sizes are
added in order to get rid of the variable temp. In other functions,
this commit does not change the logic at all.
Only whitespace changes.
* Remove tabs.
* Remove trailing whitespace.
* Correct some misindented lines.
* Normalize whitespace around some punctuation.
* Split some lines to avoid going over 80 columns.
cipher_test_positive was never compiled due to a syntax error in the
BEGIN_CASE magic comment. It has now been duplicated as
cipher_test_encrypt. Remove the copy that was never compiled.
Conflicts:
library/psa_crypto.c
tests/suites/test_suite_psa_crypto.data
tests/suites/test_suite_psa_crypto.function
All the conflicts are concurrent additions where the order doesn't
matter. I put the code from feature-psa (key policy) before the code
from PR #13 (key lifetime).
Conflict resolution:
* `tests/suites/test_suite_psa_crypto.data`: in the new tests from PR #14,
rename `PSA_ALG_RSA_PKCS1V15_RAW` to `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` as
was done in PR #15 in the other branch.
New header file crypto_struct.h. The main file crypto.sh declares
structures which are implementation-defined. These structures must be
defined in crypto_struct.h, which is included at the end so that the
structures can use types defined in crypto.h.
Implement psa_hash_start, psa_hash_update and psa_hash_final. This
should work for all hash algorithms supported by Mbed TLS, but has
only been smoke-tested for SHA-256, and only in the nominal case.
Don't use the pk module except as required for pkparse/pkwrite. The
PSA crypto layer is meant to work alongside pk, not on top of it.
Fix the compile-time dependencies on RSA/ECP handling in
psa_export_key, psa_destroy_key and psa_get_key_information.
Define psa_key_type_t and a first stab at a few values.
New functions psa_import_key, psa_export_key, psa_destroy_key,
psa_get_key_information. Implement them for raw data and RSA.
Under the hood, create an in-memory, fixed-size keystore with room
for MBEDTLS_PSA_KEY_SLOT_COUNT - 1 keys.
Add a new function mbedtls_rsa_get_bitlen which returns the RSA key
size, i.e. the bit size of the modulus. In the pk module, call
mbedtls_rsa_get_bitlen instead of mbedtls_rsa_get_len, which gave the
wrong result for key sizes that are not a multiple of 8.
This commit adds one non-regression test in the pk suite. More tests
are needed for RSA key sizes that are a multiple of 8.
This commit does not address RSA alternative implementations, which
only provide an interface that return the modulus size in bytes.
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.
Implement psa_crypto_init function which sets up a RNG.
Add a mbedtls_psa_crypto_free function which deinitializes the
library.
Define a first batch of error codes.
This commit adds a test to ssl-opt.sh which exercises the behavior
of the library in the situation where a single proper fragment
of a future handshake message is received prior to the next
expected handshake message (concretely, the client receives
the first fragment of the server's Certificate message prior
to the server's ServerHello).
This commit adds two builds to all.sh which use a value of
MBEDTLS_SSL_DTLS_MAX_BUFFERING that allows to run the
reordering tests in ssl-opt.sh introduced in the last commit.
This commit adds tests to ssl-opt.sh which trigger code-paths
responsible for freeing future buffered messages when the buffering
limitations set by MBEDTLS_SSL_DTLS_MAX_BUFFERING don't allow the
next expected message to be reassembled.
These tests only work for very specific ranges of
MBEDTLS_SSL_DTLS_MAX_BUFFERING and will therefore be skipped
on a run of ssl-opt.sh in ordinary configurations.
This commit adds functions requires_config_value_at_most()
and requires_config_value_at_least() which can be used to
only run tests when a numerical value from config.h
(e.g. MBEDTLS_SSL_IN_CONTENT_LEN) is within a certain range.
The negotiated MFL is always the one suggested by the client, even
if the server has a smaller MFL configured locally. Hence, in the test
where the client asks for an MFL of 4096 bytes while the server locally
has an MFL of 512 bytes configured, the client will still send datagrams
of up to ~4K size.
Depending on the settings of the local machine, gnutls-cli will either try
IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries
first, it will notice if any failure happens and try the other protocol if
necessary. With DTLS it can't do that. Unfortunately for now there isn't
really any good way to specify an address and hostname independently, though
that might come soon: https://gitlab.com/gnutls/gnutls/issues/344
A work around is to specify an address directly and then use --insecure to
ignore certificate hostname mismatch; that is OK for tests that are completely
unrelated to certificate verification (such as the recent fragmenting tests)
but unacceptable for others.
For that reason, don't specify a default hostname for gnutls-cli, but instead
let each test choose between `--insecure 127.0.0.1` and `localhost` (or
`--insecure '::1'` if desired).
Alternatives include:
- having test certificates with 127.0.0.1 as the hostname, but having an IP as
the CN is unusual, and we would need to change our test certs;
- have our server open two sockets under the hood and listen on both IPv4 and
IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that
obviously requires development and testing (esp. for windows compatibility)
- wait for a newer version of GnuTLS to be released, install it on the CI and
developer machines, and use that in all tests - quite satisfying but can't
be done now (and puts stronger requirements on test environment).
From Hanno:
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.
This commit continues commit 47db877 by removing resend guards in the
ssl-opt.sh tests 'DTLS fragmenting: proxy MTU, XXX' which sometimes made
the tests fail in case the log showed a resend from the client.
See 47db877 for more information.
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.
This commit removes a guard in the ssl-opt.sh test
'DTLS fragmenting: proxy MTU, resumed handshake' which made
the test fail in case the log showed a resend from the client.