Now that the support for key generation in the transparent
test driver is at the same level as the support in the
Mbed TLS library, remove the restriction on the generate
key test case that was introduced by the work on key
import and export through the PSA driver interface.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add a test in test_suite_psa_crypto_driver_wrappers that
when accelerators do not support the generation of a key
and there is no software fallback, the key generation
fails with the PSA_ERROR_NOT_SUPPORTED error code.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This brings them in line with PSA Crypto API 1.0.0
PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH -> PSA_ALG_AEAD_WITH_SHORTENED_TAG
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Add macros to skip a test case when hitting a
common alternative implementation limitation.
Add a macro for AES-192 and GCM with a nonce
length different from 12 bytes.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
when MBEDTLS_PSA_CRYPTO_C is defined and guard
PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT.
The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done
in crypto_types.h before the definition of
psa_key_attributes_t. That way as PSA crypto client
code is related to key attributes we can be quite
confident that MBEDTLS_PSA_CRYPTO_CLIENT will be
defined when needed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move test macros previously located in `suites/helpers.function` to
`include/test/macros.h`. This makes these test infrastructure macros
available for use in other parts of the test infrastructure at compile
time as opposed to run time.
This commit is a simple cut and paste from one file to the other.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Check that the source address and the frame counter have the expected
length. Otherwise, if the test data was invalid, the test code could
build nonsensical inputs, potentially overflowing the iv buffer.
The primary benefit of this change is that it also silences a warning
from compiling with `gcc-10 -O3` (observed with GCC 10.2.0 on
Linux/amd64). GCC unrolled the loops and complained about a buffer
overflow with warnings like:
```
suites/test_suite_ccm.function: In function 'test_mbedtls_ccm_star_auth_decrypt':
suites/test_suite_ccm.function:271:15: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
271 | iv[i] = source_address->x[i];
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~
suites/test_suite_ccm.function:254:19: note: at offset [13, 14] to object 'iv' with size 13 declared here
254 | unsigned char iv[13];
```
Just using memcpy instead of loops bypasses this warnings. The added
checks are a bonus.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test function generate_random allocated a few extra bytes after
the expected output and checked that these extra bytes were not
overwritten. Memory sanity checks such as AddressSanitizer and
Valgrind already detect this kind of buffer overflow, so having this
test in our code was actually redundant. Remove it.
This has the benefit of not triggering a build error with GCC
(observed with 7.5.0 and 9.3.0) when ASan+UBSan is enabled: with the
previous code using trail, GCC complained about an excessively large
value passed to calloc(), which was (size_t)(-sizeof(trail)).
Thus this commit fixes#4122.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Attempting to create an ECC key with a curve specification that is not
valid can plausibly fail with PSA_ERROR_INVALID_ARGUMENT ("this is not
a curve specification at all") or PSA_ERROR_NOT_SUPPORTED ("this may
be a curve specification, but not one I support"). The choice of error
is somewhat subjective.
Before this commit, due to happenstance in the implementation, an
attempt to use a curve that is declared in the PSA API but not
implemented in Mbed TLS returned PSA_ERROR_INVALID_ARGUMENT, whereas
an attempt to use a curve that Mbed TLS supports but for which support
was disabled at compile-time returned PSA_ERROR_NOT_SUPPORTED. This
inconsistency made it difficult to write negative tests that could
work whether the curve is implemented via Mbed TLS code or via a
driver.
After this commit, any attempt to use parameters that are not
recognized fails with NOT_SUPPORTED, whether a curve with the
specified size might plausibly exist or not, because "might plausibly
exist" is not something Mbed TLS can determine.
To keep returning INVALID_ARGUMENT when importing an ECC key with an
explicit "bits" attribute that is inconsistent with the size of the
key material, this commit changes the way mbedtls_ecc_group_of_psa()
works: it now works on a size in bits rather than bytes, with an extra
flag indicating whether the bit-size must be exact or not.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test random generation as a whole. This is different from
test_suite_*_drbg and test_suite_entropy, which respectively test PRNG
modules and entropy collection.
Start with basic tests: good-case tests, and do it twice and compare
the results to validate that entropy collection doesn't repeat itself.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Both tests do not require a lot of RAM, even though it may seem
like it at first sight. The derivation output is generated blockwise
from the KDF function, which only keeps state amounting to a couple
of blocks of the underlying hash primitive at a time.
There is never an allocation to keep the full derivation capacity in
memory...
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Add doxygen style documentation to `mbedtls_test_fail`, `mbedtls_test_skip`,
`mbedtls_test_set_step` and `mbedtls_test_info_reset`. This should make it
easier to understand how the test infrastructure is used.
Also make some minor style changes to meet the coding standards and make it
more obvious that `mbedtls_test_info.step` was being incremented.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add a new function `mbedtls_test_info_reset()` to remove direct writes to
`mbedtls_test_info`. This change still allows values to be read directly
however all writes are now done inside of `helpers.c`.
Also slightly reordered code to make it easier to read.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Fix some export related tests that were
relying on the fact that the size of the
output buffer was checked after other
parameters.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The compilation guards in key_management.c are now
accelerator compilation guards (MBEDTLS_PSA_ACCEL_KEY_TYPE_xyz).
As a consequence when running the PSA driver wrapper
tests as part of test_psa_crypto_config_basic
and test_psa_crypto_drivers all.sh components all
key management cryptographic operations were handled by
the software builtin fallback, and not by the test driver
as intended in the first place.
This commits fixes this issue by:
. declaring an accelerator for ECC key pairs in
test_psa_crypto_config_basic.
. declaring an accelerator for both ECC and RSA
key pairs in test_psa_crypto_drivers.
It is possible to declare an accelerator for both
ECC and RSA key pairs in test_psa_crypto_drivers
and not in test_psa_crypto_config_basic because
in the case of test_psa_crypto_drivers the new
PSA configuration is not activated. That way,
the builtin fallback software implementation
is present to supply the transparent test driver
when some support is missing in it (mainly
RSA key generation).
Note that the declaration of accelerators does
much more than just "fixing" the execution flow of
driver wrapper tests, it makes all import and public
key export cryptographic operations in all unit
tests being handled by the transparent test driver
(provided that it supports the key type).
One test case related to key generation is
partially disabled. This will be fixed with the
rework of psa_generate_key along the lines
described in psa-crypto-implementation-structure.md.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
In test_suite_psa_crypto_driver_wrappers test suite, the
generate key with software fallback test should be run
only if the software fallback is available.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).
This exposes a buffer overflow (reported in #4042).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Storage format tests that only look at how the file is structured and
don't care about the format of the key material don't depend on any
cryptographic mechanisms.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The negative test cases for psa_copy_key() don't actually care whether
the target policy is supported. This is similar to _key_policy tests.
Add a similar rule.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test function asymmetric_signature_key_policy combines positive
and negative tests inside the code, so it doesn't take a status as its
last argument.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Switch dependencies on MBEDTLS_xxx to PSA_WANT_xxx for hash
algorithms.
Add a missing dependency in bad_order functions (it was previously
expressed in the .data file, but this is no longer the case when
dependencies in the .data file are determined automatically).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace manually written dependencies on MBEDTLS_xxx with
PSA_WANT_xxx dependencies that are determined automatically from the
test data.
Run tests/scripts/set_psa_test_dependencies.py on
tests/suites/test_suite_psa_crypto*.data,
except for the dynamic secure element tests in
tests/suites/test_suite_psa_crypto_se_driver_hal*.data.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When using the test function persistent_key_load_key_from_storage with
DERIVE_KEY, there's a dependency on HKDF-SHA-256. Since this
dependency is in the code, declare it there rather than with the data.
If the depenency is not met, mark the test as skipped since it can't
create the key to be tested.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move PSA key attributes tests to their own
test suite to be able to run them when
MBEDTLS_PSA_CRYPTO_CLIENT is enabled but
not MBEDTLS_PSA_CRYPTO_C.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Adds the `mbedtls_` prefix to `test_result_t` and `test_info` and updates
any references to them. This is to follow the naming convention as these are
now declared in a public namespace.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Moves the functions `test_fail`, `test_set_step`, `test_skip` and the struct
`test_info` from `tests/suites/helpers.function` to `tests/src/helpers.*`.
This is done to open these functions up to the API where they can be used by
other functions in the 'src' test infrastructure module.
As the functions are now contained within the src folder of the testing
infrastructure, the `mbedtls_` prefix has been added to the functions.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
`test_fail` automatically sets `test_info.result`. This commit removes a case
where `test_info.result` was being manually set after `test_fail` was called.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
- following the removal of the RSA_VALIDATE_RET() to check
the salt length, this test is not necessary/required anymore
- negative salt length are caught later in the function
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
- removed the check on saltlen > 0 and added tests
positive test cases for this.
- added negative test cases when even saltlen == 0
is not enough. This allowed to uncover an underflow bu
in the slen check (when olen-slen-2 is negative)
- fixed the saltlen check to avoid underflow
- added more test cases where saltlen is the maximum
possible value and one above the maximum possible value
(different hash, different key size)
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
TEST_ASSERT jumps to the exit label, so it must not be called from
cleanup code executed after the exit label. It's legitimate (and
indeed very common) to call PSA_DONE in cleanup code, so PSA_DONE must
not jump to exit.
Define an auxiliary function test_fail_if_psa_leaking() that calls
test_fail() with the error message provided by
mbedtls_test_helper_is_psa_leaking(). This function currently needs to
be in helpers.function rather than in a PSA-specific helper file
because it calls test_fail which is defined in helpers.function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't microoptimize memory usage in tests: use separate buffers for
the input and the output. Allocate the input buffer dynamically
because the size is a parameter of the test case. Allocate the output
buffer dynamically because it's generally good practice in tests so
that a memory sanitizer can detect a buffer overflow.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When verifying the impact of a forced RNG failure, depend on the built-in
implementation of the algorithm that uses randomization, whether it's
because the algorithm is randomized or because our implementation uses
randomization for (e.g.) blinding. An external implementation could use
its own randomness source which is not affected by the forced failure of
the RNG driver.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Under MBEDTLS_ERR_RSA_RNG_FAILED, add tests where the random generator
failed. This commit tests the following operations:
* psa_generate_random()
* psa_generate_key() for a symmetric key
* Deterministic signatures that use blinding (RSA PKCS#1v1.5,
deterministic ECDSA).
* Randomized signatures (RSA PSS, randomized ECDSA).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
To reduce the risk of people accidentally using the test
implementation of mbedtls_psa_external_get_random(), which is
insecure, require the user to explicitly call
mbedtls_test_enable_insecure_external_rng() first.
Disabling the test implementation of mbedtls_psa_external_get_random()
will also allow negative testing for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG,
which will be added in a subsequent commit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Include psa_crypto_helpers.h automatically if MBEDTLS_PSA_CRYPTO_C is
enabled, like helpers.h is included automatically.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
psa_crypto_helpers.h no longer defines static functions, so it can be
included anywhere without worrying about unused functions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test suite assumed that if SHA512 was enabled, then
SHA384 was also available. This is not true. There is
config MBEDTLS_SHA512_NO_SHA384 which allows precisely
to add SHA512 and not SHA384.
This commits adds the necessary `depends_on` clause,
to avoid running the SHA384 tests when config
MBEDTLS_SHA512_NO_SHA384 is set.
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
- all positibe test cases were sampled from the CAVP test suite
(SigGenPSS_186-2.txt, SigGenPSS_186-3.txt)
Only kept one representative for each triple (modlen, sha, saltlen)
- two extra test cases were added to cover the maximum salt length
(slen=olen-slen-2 and slen=(olen-slen-2)-1)
- in rsa.c, the salt intermediate buffer was too small to cover cases
where slen > hlen. So reworked the code to generate the salt in the
encoded message directly. This has the advantage to remove a memcpy
and a memset.
Signed-off-by: Cédric Meuter <cedric.meuter@gmail.com>
Make it clear that this is an abstraction of the random generator
abstraction, and not an abstraction of the PSA random generator.
mbedtls_psa_get_random and MBEDTLS_PSA_RANDOM_STATE are public-facing
definitions and will be moved in a subsequent commit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Executed ./scripts/bump_version.sh --version 2.25.0 --so-crypto 6
Increasing the SO version of the crypto library, because the openless
API improvement came with API/ABI incompatibilities. For example
- the size of psa_key_handle_t changed
- the type of a parameter in 18 public functions has changed from
psa_key_handle_t to mbedtls_svc_key_id_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Make sure that if a buffer is allowed to be empty, a null pointer is
accepted if the buffer length is 0. This was already the case for most
but not all arguments to mbedtls_cipher_auth_{en,de}crypt{,_ext}.
Make sure to pass NULL for an empty buffer in the tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Run all the addition and subtraction tests with the result aliased to
the first operand and with the result aliased to the second operand.
Before, only some of the aliasing possibilities were tested, for only
some of the functions, with only some inputs.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.
This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).
Signed-off-by: Chris Jones <christopher.jones@arm.com>
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.
This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
This temporarily breaks all.sh '*deprecated*' (deprecated functions still used
in the library), which will be fix in the next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We want to test both sets of functions (ext and non-ext) in turn, so goto exit
is not really and option.
Also, separate setting up the context (which is going to be the same for both
ext and non-ext functions) from setting up the buffers (which will vary).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Add two further boundary tests for cases where both the exponent and modulus to
`mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
* development: (488 commits)
Fix removal of deprecated PSA constants
Use GitHub-compatible table formatting
Remove psa header files in uninstall part
Change function casting in `ssl_calc_finished_tls_sha384`
Fix GCC warning in `ssl_calc_finished_tls_sha384`
Add changelog entry file to `ChangeLog.d`
Fix GCC warning in `ssl_calc_finished_tls_sha384`
Fix GCC warning about `test_snprintf`
Fix mismatched function parameters (prototype/definition)
Fix build failure on gcc-11
Copyediting
Clarifications around key import
Fix copypasta
A variable is unused in some configurations
Rename test_driver_keygen to test_driver_key_management
Move "internal use" sentence attached to the wrong function
Added changelog
Plug in the entry point for public key export through driver
tests: psa: Reset key attributes where needed
Improve/fix documentation
...
Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with
an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size.
Adds test cases to ensure that Diffie-Hellman will fail to make a key pair
(using `mbedtls_dhm_make_public`) when the prime modulus is greater than
`MBEDTLS_MPI_MAX_SIZE` in size.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size
larger than MBEDTLS_MPI_MAX_SIZE.
Add a test case to ensure that Diffie-Hellman operations fail when using a key
size larger than MBEDTLS_MPI_MAX_SIZE.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.
Regression test added (one of the client certs modified accordingly)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.
*_drbg_reseed_interval is now set in init() and free().
mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().
Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
Signed-off-by: gacquroff <gavina352@gmail.com>
Positive tests: test that the RNG has the expected size, given that we
know how many leading zeros it has because we know how the function
consumes bytes and when the test RNG produces null bytes.
Negative tests: test that if the RNG is willing to emit less than the
number of wanted bytes, the function fails.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".
Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
Support using HMAC_DRBG instead of CTR_DRBG in the PSA subsystem.
Use HMAC_DRBG if CTR_DRBG is available. Choose between SHA-256 and
SHA-512 based on availability.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Implement support for MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
For test purposes, write an implementation that uses libc rand().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
After a call to psa_get_key_attributes() to retrieve
the attributes of a key into a psa_key_attributes_t
structure, a call to psa_reset_key_attributes() is
mandated to free the resources that may be
referenced by the psa_key_attributes_t structure.
Not calling psa_reset_key_attributes() may result in
a memory leak.
When a test function calls psa_get_key_parameters()
the associated key attributes are systematically
reset in the clean-up part of the function with a
comment to emphasize the need for the reset and make
it more visible.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For consistency across the code base, prefer
persistent over permanent to qualify a key
stored in persistent storage.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When looking for an empty key slot to store
the description of a key, if all key slots
are in use, reuse the first encountered
and unaccessed key slot containing the
description of a permanent key.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The identifier of keys created/registred should be in
the application range.
This is by spec for key creation.
This may change for registered key.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The lifetime of key attributes now encodes whether a key is
volatile/persistent or not AND its location.
Fix PSA code where the fact that the lifetime encodes
the key location was not taken into account properly.
Fix the impacted tests and add two non regression tests.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When key identifiers encode key owner, add tests
checking that:
. the key owner of an imported volatile key is
the one specified.
. a key identifier of a volatile key with a valid
PSA key identifier but the wrong owner is
rejected.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Volatile key identifiers in the vendor range are
reserved to volatile keys thus don't allow them
for persistent keys when creating a key.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For persistent keys there were two successive
INVALIDATE_BY_(CLOSING/DESTROYING) identical tests
where the comments of the second test rather
indicated that it should had been an
INVALIDATE_BY_(CLOSING/DESTROYING)_WITH_SHUTDOWN test.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Rename ways of invalidating keys before introducing
key purging tests because the "CLOSE_BY" prefix doesn't
get on well with the purge operation.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
As handles are now key identifiers, a handle may be
valid now even if it does not refer to any key
known to the library.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.
The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The ccm tests were previously relying on unspecified behaviour in
the underlying implementation (i.e. that it rejects certain buffer
sizes without reading the buffer).
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
The CCM specification (NIST SP 800-38C) mandates that the formatting of
the additional data length l(a) changes when it is greater _or equal_ to
2^16 - 2^8 (>= 0xFF00). Since such lengths are not supported in mbed TLS,
the operation should fail in such cases.
This commit fixes an off-by-one error which allowed encryption/decryption
to be executed when l(a) was equal to 0xFF00, resulting in an
incorrect/non-standard length format being used.
Fixes#3719.
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
* Stores bits in psa_persistent_key_storage_format.
* psa_load_persistent_key_into_slot still imports plaintext keys which
ensures that the bits value gets set.
* Updates key specification to match new implementation.
* Expands persistent store and load tests with to check for bits
attribute.
* Removes bits storage from psa_se_key_data_storage_t.
Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
* #3742 After input of a key as SECRET in the derivation, allow the
derivation result to be used as key.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
* #3741 Allow key agreement inside derivation with a key that's allowed
for the relevant agreement.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Test import and key generation, each followed by a key agreement. Only
good cases in this commit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
... as opposed to PSA_ERROR_BAD_STATE.
The spec on psa_cipher_finish() states that PSA_ERROR_INVALID_ARGUMENT
should be returned when:
"The total input size passed to this operation is not valid for this
particular algorithm. For example, the algorithm is a based on block
cipher and requires a whole number of blocks, but the total input size
is not a multiple of the block size."
Currently, there is a distinction between encryption and decryption
on whether INVALID_ARGUMENT or BAD_STATE is returned, but this is not
a part of the spec.
This fix ensures that PSA_ERROR_INVALID_ARGUMENT is returned
consistently on invalid cipher input sizes.
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
* Reworked the cipher context once again to be more robustly defined
* Removed redundant memset
* Unified behaviour on failure between driver and software in cipher_finish
* Cipher test driver setup function now also returns early when its status
is overridden, like the other test driver functions
* Removed redundant test cases
* Added bad-order checking to verify the driver doesn't get called where
the spec says it won't.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
ssl_tls1_3_keys.c exports a structure containing all labels used
in the TLS 1.3 key schedule, but the TLS 1.3 key scheduling unit
tests so far replicated those labels in the test file. In particular,
wrong label values in ssl_tls1_3_keys.c wouldn't have been caught
by the unit tests.
This commit modifies the TLS 1.3 key schedule unit tests to use
the TLS 1.3 labels as exported by ssl_tls1_3_keys.c. This not only
makes sure that those labels are correct, but also avoids hardcoding
their hex-encoding in the test file.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
The pk_ec_test_vec() was incorrectly using MBEDTLS_MD_SHA1 for the
parameter to mbedtls_pk_verify(). It should use MBEDTLS_MD_NONE since
that parameter is ignored for this test case.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
The relevant test functions are already marked as depending on
`MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`, so there's no need
to re-state this dependency for each test case.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
* Moved test data to .data file
* Bundled test driver hook variables in a struct
* Style fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Trying to compile in the PSA accelerator test driver under MBEDTLS_TEST_HOOKS
turned out to be awkward regarding existing builds. We'll put it under a
custom (not in config.h) define instead, since it's something that only
should happen in test.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The test function mbedtls_mpi_lt_mpi_ct did not initialize ret in test
code. If there was a bug in library code whereby the library function
mbedtls_mpi_lt_mpi_ct() did not set ret when it should, we might have
missed it if ret happened to contain the expected value. So initialize
ret to a value that we never expect.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
To test the proper handling of owner identifier as of key
identifiers, add owner identifier(s) to tests having
key identifier(s) as test parameters. Just don't do it for
tests related to tests invalid values of key identifiers
as there is no owner identifier invalid values.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Delete key files based on declaration by test cases and
not based on a hardcoded list of identifiers as in
test_suite_psa_crypto_slot_management.function. This fixes
the fact that in case of error the file associated to the
key identifier PSA_KEY_ID_VENDOR_MAX was not purged
(register_key_smoke_test test function).
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Remove systematic deletion of key file associated to key
identifier 0 as this file is not created under the hood
anymore by the library.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix PSA code and unit tests for the unit tests
to pass with key identifiers encoding owner
identifiers.
The changes in PSA code just make the enablement
of key identifiers encoding owner identifiers
platform independent. Previous to this commit,
such key identifiers were used only in the case
of PSA SPM platforms.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
With PSA crypto v1.0.0, a volatile key identifier may
contain a owner identifier but no file is associated
to it. Thus rename the type psa_key_file_id_t to
mbedtls_svc_key_id_t to avoid a direct link with a
file when a key identifier involves an owner
identifier.
The new type name is prefixed by mbedtls to highlight
that the type is specific to Mbed TLS implementation
and not defined in the PSA Cryptography API
specification.
The svc in the type name stands for service as this
is the key identifier type from the point of view of
the service providing the Cryptography services.
The service can be completely provided by the present
library or partially in case of a multi-client service.
As a consequence rename as well:
. MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to
MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
. PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT
. PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID
. psa_key_file_id_make to mbedtls_svc_key_id_make
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define always psa_key_id_t as defined in the PSA
Cryptography API specification independently of
whether the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration file is set or not.
As a consequence, get rid of `psa_app_key_id_t` that is
not needed anymore.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The purpose of this commit and the following is for
psa_key_id_t to always be as defined by the PSA
Cryptography API specification.
Currently psa_key_id_t departs from its specification
definition when MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration flag is set. In that configuration, it is set
to be equal to psa_key_file_id_t which in that configuration
encodes an owner identifier along the key identifier.
Type psa_key_file_id_t was meant to be the key identifier type
used throughout the library code. If
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set it
includes both a key and owner identifier, otherwise it is
equal to psa_key_id_t.
It has not been the key identifier type throughout the
library so far because when the PSA Cryptography
specification was developped the library Doxygen
documentation was used to generate the PSA Cryptography API
specification thus the need to use psa_key_id_t and not
psa_key_file_id_t.
As this constraint does not hold anymore, move
to psa_key_file_id_t as the key identifier type throughout
the library code.
By the way, this commit updates the key identifier
initialization in the tests to be compatible with a
composit key identifier. A psa_key_id_make()
inline function is introduced to initialize key
identifiers (composit ot not) at runtime.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
If test_fail is called multiple times in the same test case, report
the location of the first failure, not the last one.
With this change, you no longer need to take care in tests that use
auxiliary functions not to fail in the main function if the auxiliary
function has failed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Return a name that more clearly returns nonzero=true=good, 0=bad. We'd
normally expect check_xxx to return 0=pass, nonzero=fail so
check_parity was a bad name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
An early draft of the PSA crypto specification required multipart
operations to keep working after destroying the key. This is no longer
the case: instead, now, operations are guaranteed to fail. Mbed TLS
does not comply yet, and still allows the operation to keep going.
Stop testing Mbed TLS's non-compliant behavior.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Rely on Asan to detect a potential buffer overflow, instead of doing a
manual check. This makes the code simpler and Asan can detect
underflows as well as overflows.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the cleanup code for persistent_key_load_key_from_storage(), we
only attempt to reopen the key so that it will be deleted if it exists
at that point. It's intentional that we do nothing if psa_open_key()
fails here.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If any of the TEST_ASSERT()s that are before the call to
mbedtls_pk_warp_as_opaque() failed, when reaching the exit label
psa_destroy_key() would be called with an uninitialized argument.
Found by Clang.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
* development:
Update copyright notices to use Linux Foundation guidance
Undef ASSERT before defining it to ensure that no previous definition has sneaked in through included files.
Add ChangeLog entry for X.509 CN-type vulnerability
Improve documentation of cn in x509_crt_verify()
Fix comparison between different name types
Add test: DNS names should not match IP addresses
Remove obsolete buildbot reference in compat.sh
Fix misuse of printf in shell script
Fix added proxy command when IPv6 is used
Simplify test syntax
Fix logic error in setting client port
ssl-opt.sh: include test name in log files
ssl-opt.sh: remove old buildbot-specific condition
ssl-opt.sh: add proxy to all DTLS tests
Signed-off-by: Dan Handley <dan.handley@arm.com>
The documentation of mbedtls_pk_wrap_as_opaque is quite clear:
* \param handle Output: a PSA key handle.
* It's the caller's responsibility to call
* psa_destroy_key() on that handle after calling
* mbedtls_pk_free() on the PK context.
But the test failed to call psa_destroy_key().
While at it, also use PSA_DONE(): it ensures that if we fail to destroy the
key, we'll get an explicit error message about it without the need for
valgrind.
This is a preliminary to adding a valgrind-based test for constant-flow code:
we need to make sure the rest of the tests are fully valgrind-clean, which
they weren't.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296
The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.
Also remove the now-redundant lines declaring that the files are part of
MbedTLS.
This commit was generated using the following script:
# ========================
#!/bin/sh
# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '
# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I
# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
RFC5280 does not state that the `revocationDate` should be checked.
In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.
https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
* development: (55 commits)
Log change as bugfix
Add changelog entry
Clarify updates to the persistent state in storage
With multiple applicable transparent drivers, the order is unspecified
Minor clarifications
Give some examples of purpsoses of pure-software transparent driver
Fix typos
Add a link to the PSA API specification
Explain locations vs lifetimes
Initialize key pointer in ecdh to NULL
Add buffer zeroization when ecp_write_key fails
Simplified key slot deletion
Style fixes
Use arc4random_buf instead of rand on NetBSD
Apply review feedback
Update open question section about public key storage
Remove the paragraph about declaring application needs
Change driver persistent data to a callback interface
Rework and expand key management in opaque drivers
Fix typos and copypasta
...
Since it is being dereferenced by free on exit it should be inited to NULL.
Also added a small test that would trigger the issue.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
PSA Crypto was checking the byte length of a to-be-imported public ECP key
against the expected length for Weierstrass keys, forgetting that
Curve25519/Curve448 exists.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
The usage of "!memcmp()" is at least not recommended
and better to use the macro dedicated for buffer
comparisons.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The convention from the TLS RFC is a bit unusual, so even if the test
function's introductory comment mentions that we're taking the RFC's
definition, it doesn't hurt to repeat it in crucial places.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Passing a length of 0 to it is perfectly acceptable, the macro was designed to
handle it correctly.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We only have a single integer available for two nested loops, but the loop
sizes are small enough compared to the integer's range that we can encode both
indexes. Since the integer is displayed in decimal in case of errors, use a
power of 10 to pack the two indexes together.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Currently this breaks all.sh component test_memsan_constant_flow, just as
expected, as the current implementation is not constant flow.
This will be fixed in the next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Everything works at the byte level, not bit level. Flipping the lsb is just
one convenient way to corrupt a byte, but don't really care about individual
bits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Add a few more negative test cases for mbedtls_x509_crl_parse.
The test data is manually adapted from the existing positive test case
"X509 CRL ASN1 (TBSCertList, sig present)" which decomposes as
305c
3047 tbsCertList TBSCertList
020100 version INTEGER OPTIONAL
300d signatureAlgorithm AlgorithmIdentifier
06092a864886f70d01010e
0500
300f issuer Name
310d300b0603550403130441424344
170c303930313031303030303030 thisUpdate Time
3014 revokedCertificates
3012 entry 1
8202abcd userCertificate CertificateSerialNumber
170c303831323331323335393539 revocationDate Time
300d signatureAlgorithm AlgorithmIdentifier
06092a864886f70d01010e
0500
03020001 signatureValue BIT STRING
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test function now depends on MBEDTLS_TEST_HOOKS, which is enabled by
config.py full, and since there are already components in all.sh exercising
the full config, this test function is sill exercised even with this new
dependency.
Since this is the first time a test function depends on MBEDTLS_TEST_HOOKS,
fix a bug in check-names.sh that wasn't apparent so far: headers from
library/*.h were not considered when looking for macro definitions. This
became apparent because MBEDTLS_STATIC_TESTABLE is defined in library/common.h
and started being used in library/ssl_msg.c, so was flagged as a likely typo.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.
Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The ssl_tranform structure lacks some members accessed by this function when
CBC is not enabled.
This was found by test-ref-configs.pl and all.sh
test_when_no_ciphersuites_have_mac, so no need to add a new test.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Started as copies of the AES block, then:
- for ARIA, just s/AES/ARIA/
- for Camellia, just s/AES/Camellia/
- for 3DES, s/AES/3DES/ then s/3DES_128_CBC/DES_EDE3_CBC/ then manually
subtract 8 to all plaintext lengths that were > 8. This accounts for the
fact that the block size of DES is 8 not 16.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
All started from a copy of the SHA256 block and modified as follows:
- for MD5, just s/SHA256/MD5/
- for SHA384, adapt the dependency line then s/SHA256/SHA384
- for SHA1, s/SHA256/SHA1/ then manually adapt the plaintext length for the
cases with "!trunc, B-1" and "!trunc, B", as the MAC length (20) is not a
multiple of the block size (16) for this hash
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- plaintext length = 0 or 1
- plaintext length + MAC length = -1 or 0 mod block_size
(using the minimum plaintext length that works)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Compared to the previous approach of having the bad padding provided as input
to the testing function, this allows to test more kinds of incorrect data,
with less test cases in the .data file and more important no manually-generated
non-trivial data in the test case parameters, making it much easier to
complete the testing matrix.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
PSA_ALG_ECB_NO_PADDING came in to the PSA Crypto API spec v1.0.0, but
was not implemented yet in the mbed TLS implementation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
They did not match their description, probably due to a botched manual
endianness conversion where the nibbles also got swapped.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Follow the PSA Crypto specification which was updated between 1.0 beta3
and 1.0.0.
Add corresponding test cases.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
mbedtls_ecp_write_key is a mirror function to mbedtls_ecp_read_key, which
writes a private key back into a byte buffer in the correct format.
This is a helpful convenience function, since the byte order is defined
differently between Montgomery and Weierstrass curves. Since this difference
is accounted for in mbedtls_ecp_read_key, it made sense to add
mbedtls_ecp_write_key for the purpose of abstracting this away such that
psa_export_key doesn't need to take byte order into account.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
Rename PSA_DH_GROUP_xxx to PSA_DH_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_GROUP to PSA_KEY_TYPE_DH_GET_FAMILY and rename
psa_dh_group_t to psa_dh_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Rename PSA_ECC_CURVE_xxx to PSA_ECC_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_CURVE to PSA_KEY_TYPE_ECC_GET_FAMILY and rename
psa_ecc_curve_t to psa_ecc_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
