Commit graph

18039 commits

Author SHA1 Message Date
paul-elliott-arm
3318e69b41
Merge pull request #5128 from gilles-peskine-arm/base64_invasive_h-development
Fix copypasta in #endif comment
2021-11-04 10:06:23 +00:00
Gilles Peskine
f4ecf305fe Fix copypasta in #endif comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 18:27:22 +01:00
Gabor Mezei
77390dc8ec
Update changelog with the new public API
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-03 17:12:56 +01:00
Gabor Mezei
642eeb2879
Fix documentation and comments
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-03 16:13:32 +01:00
Gilles Peskine
4db2624bfe Fix test bug: some classification flags were not tested
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:51:32 +01:00
Gilles Peskine
a4256c1b2d Ensure that all flags are actually tested
At least twice, we added a classification flag but forgot to test it in the
relevant test functions. Add some protection so that this doesn't happen
again. In each classification category, put a macro xxx_FLAG_MASK_PLUS_ONE
at the end. In the corresponding test function, keep track of the flags that
are tested, and check that their mask is xxx_FLAG_MASK_PLUS_ONE - 1 which is
all the bits of the previous flags set.

Now, if we add a flag without testing it, the test
TEST_EQUAL( classification_flags_tested, xxx_FLAG_MASK_PLUS_ONE - 1 )
will fail. It will also fail if we make the set of flag numbers
non-consecutive, which is ok.

This reveals that three algorithm flags had been added but not tested (in
two separate occasions). Also, one key type flag that is no longer used by
the library was still defined but not tested, which is not a test gap but is
inconsistent. It's for DSA, which is relevant to the PSA encoding even if
Mbed TLS doesn't implement it, so keep the flag and do test it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:51:30 +01:00
Gilles Peskine
c323d4585f Note the change to PSA_ALG_IS_HASH_AND_SIGN in the changelog
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:51:20 +01:00
Gilles Peskine
4977e9fe64 Add PSA_ALG_IS_HASH_AND_SIGN to the metadata tests
The status of signature wildcards with respect to PSA_ALG_IS_HASH_AND_SIGN
is unclear in the specification. A wildcard is usually instantiated with a
specific hash, making the implementation hash-and-sign, but it could also be
instantiated with a non-hash-and-sign algorithm. For the time being, go with
what's currently implemented, which is that they are considered
hash-and-sign.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:51:20 +01:00
Gilles Peskine
f2fe31ab4e Reorder macro definitions
Definition before mention

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Gilles Peskine
f7b4137e69 Untangle PSA_ALG_IS_HASH_AND_SIGN and PSA_ALG_IS_SIGN_HASH
The current definition of PSA_ALG_IS_HASH_AND_SIGN includes
PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY, which don't strictly
follow the hash-and-sign paradigm: the algorithm does not encode a hash
algorithm that is applied prior to the signature step. The definition in
fact encompasses what can be used with psa_sign_hash/psa_verify_hash, so
it's the correct definition for PSA_ALG_IS_SIGN_HASH. Therefore this commit
moves definition of PSA_ALG_IS_HASH_AND_SIGN to PSA_ALG_IS_SIGN_HASH, and
replace the definition of PSA_ALG_IS_HASH_AND_SIGN by a correct one (based
on PSA_ALG_IS_SIGN_HASH, excluding the algorithms where the pre-signature
step isn't to apply the hash encoded in the algorithm).

In the definition of PSA_ALG_SIGN_GET_HASH, keep the condition for a nonzero
output to be PSA_ALG_IS_HASH_AND_SIGN.

Everywhere else in the code base (definition of PSA_ALG_IS_SIGN_MESSAGE, and
every use of PSA_ALG_IS_HASH_AND_SIGN outside of crypto_values.h), we meant
PSA_ALG_IS_SIGN_HASH where we wrote PSA_ALG_IS_HASH_AND_SIGN, so do a
global replacement.
```
git grep -l IS_HASH_AND_SIGN ':!include/psa/crypto_values.h' | xargs perl -i -pe 's/ALG_IS_HASH_AND_SIGN/ALG_IS_SIGN_HASH/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Gilles Peskine
c1ec49eb13 Test PSA_HASH_BLOCK_LENGTH
Only tested for algorithms for which we support HMAC, since that's all we
use PSA_HASH_BLOCK_LENGTH for at the moment.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:47:03 +01:00
Gilles Peskine
e7be73d579 Use the new macro PSA_HASH_BLOCK_LENGTH
Replace an equivalent internal function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
5bc9bf7584 Add changelog entry for new PSA Crypto API macros.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
c5c5b93611 Add missing PSA_KEY_ID_NULL macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
7d262dd1ee Add missing PSA_HASH_BLOCK_LENGTH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
359b5ab6ea Add missing PSA_ALG_NONE macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
e6d3edaf32 Add missing PSA_ALG_IS_SIGN_HASH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Przemyslaw Stekiel
505712338e ssl_client2: move memory leak check before rng_free()
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-03 14:19:52 +01:00
Bence Szépkúti
ef0d02ed31 Explain why support_test_psa_compliance is needed
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:17:31 +01:00
Bence Szépkúti
b3818412bc Keep local clone around even if the test succeeds
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:17:29 +01:00
Bence Szépkúti
c63d1605ab Make directory creation code more compact
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:14:40 +01:00
Bence Szépkúti
67fb3149c0 Add licence header to script
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:12:37 +01:00
Bence Szépkúti
34b5f56344 Make main() suitable to being called from python
Don't call sys.exit(), and don't clobber the working directory.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-03 13:12:02 +01:00
Gilles Peskine
308d618d8d
Merge pull request #5124 from AndrzejKurek/add-missing-test-name
Add a missing psa_crypto test suite test name
2021-11-03 10:37:28 +01:00
Przemyslaw Stekiel
53de2622f3 Move psa_crypto_slot_management.h out from psa_crypto_helpers.h
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-03 09:35:35 +01:00
Przemyslaw Stekiel
bbb22bbd9e ssl_client2/ssl_server2: Move is_psa_leaking() before mbedtls_psa_crypto_free() (and rng_free())
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-03 09:06:09 +01:00
Xiaofei Bai
ccd738b853 Add git rev-parse options
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-11-03 07:31:00 +00:00
Harmen Stoppels
01ef723bba DT_NEEDED for shared builds in makefile
The makefile build specifies -L. -lmbedx509 -lmbedcrypto flags first,
and only then object files referencing symbols from those libraries.

In this order the linker will not add the linked libraries to the
DT_NEEDED section because they are not referenced yet (at least that
happens for me on ubuntu 20.04 with the default gnu compiler tools).

By first specifying the object files and then the linked libraries, we
do end up with libmbedx509 and libmbedcrypto in the DT_NEEDED sections.

This way running dlopen(...) on libmedtls.so just works.

Note that the CMake build does this by default.

Signed-off-by: Harmen Stoppels <harmenstoppels@gmail.com>
2021-11-03 01:06:11 +01:00
Andrzej Kurek
386f5820aa Add a missing psa_crypto test suite test name
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-11-02 16:51:24 +01:00
Bence Szépkúti
449781fda7 Fix pylint errors
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-02 13:53:11 +01:00
Bence Szépkúti
83aa604ce5 Simplify regex and use named capture groups
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-02 13:53:11 +01:00
Bence Szépkúti
c2bac00530 Use print(end='') to silence double newline
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-02 13:53:11 +01:00
Bence Szépkúti
d2ea2c0df3 Indicate errors interleaved with test suite output
Indicate whether a success or failure is unexpected, or expected and
ignored as they happen.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-02 13:51:22 +01:00
Przemyslaw Stekiel
e3fcb5087a Adapt generate_key() test code to mbedTLS standards
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-02 10:52:53 +01:00
Przemyslaw Stekiel
7bc26b8c2a generate_psa_tests.py: add key generation result to test case argument list, add comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-11-02 10:51:49 +01:00
Manuel Pégourié-Gonnard
0dbe1dfa1c
Merge pull request #4859 from brett-warren-arm/supported_groups
Add mbedtls_ssl_conf_groups to API
2021-11-02 10:49:09 +01:00
Jerry Yu
ba9c727e94 fix memory leak issue
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-30 20:23:45 +08:00
Jerry Yu
47413c2c8f fix wrong version header for tls1.3
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-30 20:23:37 +08:00
Jerry Yu
834886d211 Add certificate verify check
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-30 13:26:15 +08:00
Manuel Pégourié-Gonnard
4313d3ac87
Merge pull request #5010 from gilles-peskine-arm/psa-rsa-pss_any_salt
PSA: fix salt length for PSS verification
2021-10-29 16:36:36 +02:00
Brett Warren
14efd33a6c Convert TLS1.3 functions to get_supported_groups
Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-29 15:13:48 +01:00
Brett Warren
25386b7652 Refactor ssl_{server2,client2} for NamedGroup IDs
Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-29 14:07:46 +01:00
Brett Warren
01f3dae3f3 Refactor elliptic curve extension for NamedGroups
The refactoring is needed for the group api to work
properly. Code is modified to use mbedtls_get_supported_groups
instead of direct access so that both deprecated and new api
are useable.

Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-29 14:07:46 +01:00
Brett Warren
7f813d5d88 add group api tests
Signed-off-by: Brett Warren <brett.warren@arm.com>
2021-10-29 14:07:46 +01:00
Jerry Yu
6f87f2521c Refactor ssl_tls13_parse_certificate_verify
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 20:15:03 +08:00
Jerry Yu
daac359331 Change check condition order
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 20:01:42 +08:00
Jerry Yu
d0fc585b7e fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 19:57:55 +08:00
Jerry Yu
0b32c502a4 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 19:57:55 +08:00
Jerry Yu
da8cdf2fa9 Remove certificate_verify_coordinate
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 19:57:55 +08:00
Jerry Yu
982d9e5db2 Add ssl_tls13_sig_alg_is_offered
To keep consistent with cipher_suite check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-10-29 19:57:55 +08:00