Commit graph

8119 commits

Author SHA1 Message Date
Gilles Peskine
029b5d648d New utility program psa/psa_constant_names
Print the symbolic name corresponding to a numerical value.

Supported types: status values, algorithms, elliptic curves,
key types, key usage masks.

The program is partly generated from parsing psa/crypto.h with a few
hard-coded assumptions. This isn't ideal but it works and requires
little machinery.
2018-09-12 16:41:12 +03:00
Moran Peker
cb088e7059 Replace ssize_t by ptrdiff_t
ssize_t is a POSIX thing, not standard C
2018-09-12 16:41:12 +03:00
Gilles Peskine
9aa369eafb HMAC: improve robustness checks on hash/block size
In psa_mac_setup and psa_hmac_setup_internal, perform a sanity check
on the hash size and the hash block size respectively. These sanity
checks should only trigger on an incompletely or incorrectly
implemented hash function.

Remove the check on the block size in psa_hmac_finish_internal
because at this point it has already been checked and used.
2018-09-12 16:41:12 +03:00
Gilles Peskine
731606c580 Add OAEP tests with non-empty labels 2018-09-12 16:41:12 +03:00
Gilles Peskine
55728b0e70 Add a few key type and algorithm test macros
These new PSA_xxx_IS_yyy macros fill a few missing gaps.
2018-09-12 16:41:12 +03:00
Gilles Peskine
1e6bfdff5e psa_hmac_setup_internal: fix double call of psa_hash_setup
In the common case (key no longer than the block size), psa_hash_setup
was being called twice in succession. With current implementations
this is just a small performance loss, but potentially with
alternative implementations this could have lead to a memory leak.
2018-09-12 16:41:12 +03:00
Gilles Peskine
b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine
3bd1a42203 Remove duplicate definition of PSA_KEY_TYPE_IS_RSA 2018-09-12 16:41:12 +03:00
Gilles Peskine
ff94abdf3a Make psa_hmac_setup_internal more standalone
Call psa_hash_setup in psa_hmac_setup_internal rather than
psa_mac_init. This makes it easier to use psa_hmac_setup_internal on
its own (for the sake of using HMAC internally inside the library).
2018-09-12 16:41:12 +03:00
Gilles Peskine
55c94dd500 Asymmetric encrypt/decrypt tests: check output length
In asymmetric_encrypt_decrypt, use the buffer size advertized by the
library for the ciphertext, and the length of the plaintext for the
re-decrypted output.

Test the output length if known. Require it to be 0 on error for
encrypt/decrypt functions. If the output length is unknown, test at
least that it's within the buffer limits.
2018-09-12 16:41:12 +03:00
Gilles Peskine
b8be288374 psa_hmac_setup_internal: add some missing cleanup on failure
Clean ipad if hashing the key failed.
2018-09-12 16:41:12 +03:00
Gilles Peskine
6842812188 Asymmetric encryption tests: allow label argument
Add a label argument to all asymmetric encryption test functions
(currently empty in all tests, but that will change soon).

In asymmetric_encrypt and asymmetric_decrypt, with an empty label,
test with both a null pointer and a non-null pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine
9688997301 MAC setup: support 0-length HMAC key
Avoid undefined behavior when using a 0-length HMAC key (Asan
complained).
2018-09-12 16:41:12 +03:00
Gilles Peskine
072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine
01126fae7f Isolate HMAC code into its own functions
Create internal functions for HMAC operations. This prepares for two
things: separating crypto-sensitive code from argument decoding and
validation, and using HMAC for other purposes than a MAC inside the
library (e.g. HMAC_DRBG, HKDF).

No intended observable behavior change in this commit.
2018-09-12 16:41:12 +03:00
Gilles Peskine
71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine
94e44540ff psa_hash_update: robustify the case length=0
Don't require hash implementations to behave correctly on a
zero-length input, which may have an invalid pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine
a4d20bd387 For RSA PSS, document that salt length = hash length
This is the most common mode and the only mode that Mbed TLS functions
fully supports (mbedtls_rsa_rsassa_pss_verify_ext can verify
signatures with a different salt length).
2018-09-12 16:41:12 +03:00
Gilles Peskine
f64ee8a7f1 Fix "unknown MAC algorithm" to actually use a MAC algorithm 2018-09-12 16:41:12 +03:00
Gilles Peskine
ef0cb40736 Fix bug in exercise_mac_key that almost always broke the SIGN case
That case isn't used in the test suite yet.
2018-09-12 16:41:12 +03:00
Gilles Peskine
ebe10de167 Merge remote-tracking branch 'psa/pr/103' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine
f969b3ac74 Change a generate_key test to exercise with PSS
This required tweaking exercise_signature_key to use a payload size
for the signature based on the algorithm, since our implementation of
PSS requires that the input size matches the hash size. This would
also be the case for PKCS#1 v1.5 with a specified hash.
2018-09-12 16:41:11 +03:00
Gilles Peskine
6489bc7a97 Merge pull request #106 from ARMmbed/psa-test_dependencies-201807
Fix some test dependencies
2018-09-12 16:41:11 +03:00
Gilles Peskine
b82ab6f402 Improve documentation of abort functions
Explicitly state that calling abort is safe after initializing to
zero.

Explicitly state that calling abort on an inactive operation is safe,
and replace "active" by "initialized" in the description of the
parameter.

Get rid of the recommendation for implementers to try to handle
uninitialized structures safely. It's good advice in principle but
cannot be achieved in a robust way and the wording was confusing.
2018-09-12 16:41:11 +03:00
Gilles Peskine
54622aec80 Fix PSA_ALG_SIGN_GET_HASH for PSA_ALG_SIGN_xxx_RAW 2018-09-12 16:41:11 +03:00
Jaeden Amero
0794936411 Merge pull request #102 from ARMmbed/dev/Patater/fix-allsh
Fix various issues caught by all.sh
2018-09-12 16:41:11 +03:00
Gilles Peskine
1c211b3e01 Fix some test dependencies
* No test depends on MBEDTLS_PK_C except via MBEDTLS_PK_PARSE_C, so
  remove MBEDTLS_PK_C and keep only MBEDTLS_PK_PARSE_C.
* Add MBEDTLS_PK_WRITE_C for pk export tests.
* Add MBEDTLS_GENPRIME for RSA key generation tests.
* Add dependencies to AEAD tests.
* Add missing dependencies to many RSA tests.
2018-09-12 16:41:11 +03:00
Gilles Peskine
be42f312a8 Doxygen: use \c foo in preference to foo for consistency 2018-09-12 16:41:11 +03:00
Gilles Peskine
66763a008a asymmetric_decrypt test: remove redundant argument
The expected output size is the size of the expected output, it
doesn't need to be passed separately.
2018-09-12 16:41:11 +03:00
Jaeden Amero
ed35da2b6f Merge pull request #97 from ARMmbed/psa-renamings_for_alpha1
Function renamings for alpha1
2018-09-12 16:41:11 +03:00
Jaeden Amero
67a9351bc5 psa: config: Add MBEDTLS_PSA_CRYPTO_SPM
We failed check-names.sh due to using a define which wasn't described or
defined anywhere. Even though we won't realistically enable
MBEDTLS_PSA_CRYPTO_SPM via the configuration system (and will do it from
PSA Crypto SPM tooling instead), add a description of the configuration to
config.h as good practice. Exclude MBEDTLS_PSA_CRYPTO_SPM from the "full"
configuration as well.
2018-09-12 16:41:11 +03:00
Gilles Peskine
9ac9426731 Doc: clarify the preconditions for psa_cipher_update 2018-09-12 16:41:11 +03:00
Gilles Peskine
d00444cf33 Improve test coverage of PKCS#1 v1.5 encrypt/decrypt
* Add a test for decryption with invalid padding.
* Add a test for encryption with input too large.
* In negative tests, pass input whose length matches the key length,
  unless that's what the test is about.
2018-09-12 16:41:11 +03:00
Gilles Peskine
2a91d612f5 Merge remote-tracking branch 'psa/pr/94' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine
61a60376b7 Fix misplaced Doxygen comment 2018-09-12 16:41:11 +03:00
Jaeden Amero
b4fa8c9c6d psa: Fix Doxygen comment on psa_get_key_from_slot
We failed all.sh on the "test: doxygen markup outside doxygen blocks" due
to doxygen markup being outside a Doxygen block. Add an extra `*` to the
psa_get_key_from_slot comment to denote the comment as a Doxygen comment.
2018-09-12 16:41:11 +03:00
Gilles Peskine
6ac73a912b Doc: add some missing documentation of function and macro parameters 2018-09-12 16:41:11 +03:00
Gilles Peskine
af89fd771e psa_import_key: split RSA and ECP code into small functions
No intended behavior change except that some edge cases may have
swapped between INVALID_ARGUMENT and NOT_SUPPORTED.
2018-09-12 16:41:11 +03:00
Gilles Peskine
e430b42c4a Merge remote-tracking branch 'psa/pr/90' into feature-psa 2018-09-12 16:41:11 +03:00
Janos Follath
279ab8e69b Prevent leaking plaintext in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine
fe11951c16 Rename psa cipher functions to psa_cipher_xxx
Make function names for multipart operations more consistent (cipher
edition).

Rename symmetric cipher multipart operation functions so that they all
start with psa_cipher_:

* psa_encrypt_setup -> psa_cipher_encrypt_setup
* psa_decrypt_setup -> psa_cipher_decrypt_setup
* psa_encrypt_set_iv -> psa_cipher_set_iv
* psa_encrypt_generate_iv -> psa_cipher_generate_iv
2018-09-12 16:41:11 +03:00
Gilles Peskine
dda3bd344d Doc: Minor formatting and copy fixes 2018-09-12 16:41:11 +03:00
Gilles Peskine
d8008d6dfe New macro PSA_KEY_TYPE_IS_RSA 2018-09-12 16:41:11 +03:00
Gilles Peskine
3286d46dcc Merge remote-tracking branch 'psa/pr/69' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine
ab4152b3d4 Diversify export tests without the export usage flag
Test both with a symmetric key and with a key pair.
2018-09-12 16:41:11 +03:00
Janos Follath
315b51c22d Fix memory leak in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine
fbfac6867b Simplify algorithm checking logic in MAC functions
Use if-else-if chains rather than switch because many blocks apply to
a class of algoritmhs rather than a single algorithm or a fixed set
of algorithms.

Call abort on more error paths that were missed earlier.
2018-09-12 16:41:11 +03:00
Gilles Peskine
fa4070c50b Doc: Fix some \c name that should have been \p name 2018-09-12 16:41:11 +03:00
Gilles Peskine
365b984e38 Add asymmetric_verify tests with public keys
Change most asymmetric_verify to use public keys (they were all using
key pairs before). Keep one test with an RSA key pair and one with an
EC key pair.
2018-09-12 16:41:11 +03:00
Gilles Peskine
aefb9d0cdd Merge remote-tracking branch 'psa/pr/85' into feature-psa 2018-09-12 16:41:11 +03:00