Commit graph

586 commits

Author SHA1 Message Date
Neil Armstrong
d597bc705f Add PSA PAKE tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Gilles Peskine
36aeb7f163
Merge pull request #5834 from mprse/HKDF_1
HKDF 1: PSA: implement HKDF_Expand and HKDF_Extract algorithms
2022-06-20 15:27:46 +02:00
Przemek Stekiel
0e99391afe derive_output test: fix output key bit length
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-03 16:18:15 +02:00
Przemek Stekiel
fcdd023ba6 derive_output tests: add invalid input secret test for HKDF-Expand
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-19 10:28:58 +02:00
Gilles Peskine
7be11a790d Use TEST_LE_U in some places where it applies
Systematically replace "TEST_ASSERT( $x <= $y )" by "TEST_LE_U( $x, $y )" in
test_suite_psa_crypto. In this file, all occurrences of this pattern are
size_t so unsigned.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-05-16 19:37:53 +02:00
Gilles Peskine
3ff25443c8 Separate the validation of the size macros and of the function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-05-16 19:33:11 +02:00
Gilles Peskine
d4a258a08f Improve PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE validation
We want to check:
1. actual output <= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE (the output fits
   if the caller uses the key-specific buffer size macro)
2. actual output <= PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE (the output fits
   if the caller uses the generic buffer size macro)
3. PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE <= PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
   (consistency in the calculation)

We were only testing (1) and (2). Test (3) as well. (1) and (3) together
imply (2) so there's no need to test (2).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-05-16 19:33:11 +02:00
Gilles Peskine
992bee8b6e Test psa_raw_key_agreement with a larger/smaller buffer
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-05-16 19:33:11 +02:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Przemek Stekiel
ead1bb9987 derive_output test: Adapt for HKDF-Extract/Expand algs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-11 12:22:57 +02:00
Gilles Peskine
2b5d898eb4
Merge pull request #5644 from gilles-peskine-arm/psa-storage-format-test-exercise
PSA storage format: exercise key
2022-04-28 18:20:02 +02:00
Przemek Stekiel
4e47a91d2e Fix indentation issues
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
4daaa2bd05 derive_output mix-psk test: add more cases for derivation of output key
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
6aabc473ce derive_output test: remove redundant tests with raw key agreement
Already handled by input_bytes().
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
e665466a80 derive_output test: add other key type value 11 to handle raw key type
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
38647defa8 derive_output() test: fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
cd00d7f724 test PSA key derivation: add positive and negative cases for mixed-psk
Mix-PSK-to-MS test vectors are generated using python-tls library:
https://github.com/python-tls/tls

Steps to generate test vectors:
1. git clone git@github.com:python-tls/tls.git
2. cd tls
3. python3 setup.py build
4. sudo python3 setup.py install
5. Use the python script below to generate Master Secret (see description for details):

"""
Script to derive MS using mixed PSK to MS algorithm.

Script can be used to generate expected result for mixed PSK to MS tests.

Script uses python tls library:
https://github.com/python-tls/tls

Example usage:
derive_ms.py <secret> <other_secret> <seed> <label> <hash>
derive_ms.py 01020304 ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f 6d617374657220736563726574 SHA256

secret          : 01020304
other_secret    : ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7
pms             : 0030ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7000401020304
seed            : 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f
label           : 6d617374657220736563726574
output          : 168fecea35190f9df34c042f24ecaa5e7825337f2cd82719464df5462f16aae84cb38a65c0d612ca9273f998ad32c05b
"""
from cryptography.hazmat.primitives import hashes
from tls._common.prf import prf
import os
import sys

def build_pms(other_secret: bytes, secret: bytes) -> bytes:
    other_secret_size = len(other_secret).to_bytes(2, byteorder='big')
    secret_size = len(secret).to_bytes(2, byteorder='big')
    return(other_secret_size + other_secret + secret_size + secret)

def derive_ms(secret: bytes, other_secret: bytes, seed: bytes, label: bytes, hash: hashes.HashAlgorithm) -> bytes:
    return prf(build_pms(other_secret, secret), label, seed, hash, 48)

def main():
    #check args
    if len(sys.argv) != 6:
        print("Invalid number of arguments. Expected: <secret> <other_secret> <seed> <label> <hash>" )
        return
    if sys.argv[5] != 'SHA384' and sys.argv[5] != 'SHA256':
        print("Invalid hash algorithm. Expected: SHA256 or SHA384" )
        return

    secret = bytes.fromhex(sys.argv[1])
    other_secret = bytes.fromhex(sys.argv[2])
    seed = bytes.fromhex(sys.argv[3])
    label = bytes.fromhex(sys.argv[4])
    hash_func = hashes.SHA384() if sys.argv[5] == 'SHA384' else hashes.SHA256()
    pms = build_pms(other_secret, secret)

    actual_output = derive_ms(secret, other_secret, seed, label, hash_func)

    print('secret       : ' + secret.hex())
    print('other_secret : ' + other_secret.hex())
    print('pms          : ' + pms.hex())
    print('seed         : ' + seed.hex())
    print('label        : ' + label.hex())
    print('output       : ' + actual_output.hex())

if __name__ == "__main__":
    main()

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:41:41 +02:00
Gilles Peskine
286c314ae3 cipher_alg_without_iv: also test multipart decryption
For multipart encrpytion, call psa_cipher_finish(). This is not actually
necessary for non-pathological implementations of ECB (the only currently
supported IV-less cipher algorithm) because it requires the input to be a
whole number of blocks and non-pathological implementations emit the output
block from update() as soon as an input block is available. But in principle
a driver could delay output and thus require a call to finish().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:27:17 +02:00
Gilles Peskine
9e38f2c8fd cipher_alg_without_iv: generalized to also do decryption
Test set_iv/generate_iv after decrypt_setup. Test successful decryption.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:25:00 +02:00
Gilles Peskine
9b9b614a02 cipher_encrypt_alg_without_iv: validate size macros independently
Validate the size macros directly from the output length in the test data,
rather than using the value returned by the library. This is equivalent
since the value returned by the library is checked to be identical.

Enforce that SIZE() <= MAX_SIZE(), in addition to length <= SIZE(). This is
stronger than the previous code which merely enforced length <= SIZE() and
length <= MAX_SIZE().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:24:48 +02:00
Przemek Stekiel
ffbb7d35fc derive_output: add optional step for derivation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-12 11:27:00 +02:00
Manuel Pégourié-Gonnard
c11bffe989
Merge pull request #5139 from mprse/key_der_ecc
PSA: implement key derivation for ECC keys
2022-03-14 09:17:13 +01:00
Przemek Stekiel
c85f0912c4 psa_crypto.c, test_suite_psa_crypto.function: fix style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-08 11:37:54 +01:00
Gilles Peskine
6bf5c8cb1d
Merge pull request #5506 from superna9999/4964-extend-psa-one-shot-multipart
Extend PSA operation setup tests to always cover both one-shot and multipart
2022-03-07 17:04:37 +01:00
Neil Armstrong
fd4c259a7b Use PSA_INIT() in mac_multipart_internal_func()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-07 10:11:11 +01:00
Neil Armstrong
fe6da1c35c Fix style issues in mac_sign_verify_multi()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:29:14 +01:00
Gilles Peskine
92e08fba4c
Merge pull request #5475 from miudr/fix_issue_5140
Fix AEAD multipart incorrect offset in test_suite_psa_crypto.function
2022-03-01 20:45:54 +01:00
Neil Armstrong
4766f99fe5 Add multi-part mac sign/verify test
The test is based on the AEAD multi-part test, re-using the
design on aead_multipart_internal_func() to test differnet
sequence of psa_mac_update() for MAC update or verify.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-28 18:37:30 +01:00
Neil Armstrong
60234f87a6 Revert "Introduce new mac_key_policy_multi() variant of mac_key_policy() testing multiple updates occurences"
This reverts commit 3ccd08b343.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-28 15:21:38 +01:00
Neil Armstrong
3ccd08b343 Introduce new mac_key_policy_multi() variant of mac_key_policy() testing multiple updates occurences
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 16:15:08 +01:00
Neil Armstrong
ee9686b446 Fix style issue in hash_setup()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:47:34 +01:00
Przemyslaw Stekiel
696b120650 Add tests for ECC key derivation
Test code and test vectors are taken from PR #5218

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-22 13:35:26 +01:00
Neil Armstrong
66a479f8fb Add Cipher Decrypt Fail multi-part case
Make `PSA symetric decrypt: CCM*-no-tag, input too short (15 bytes)`
depend on MBEDTLS_CCM_C otherwise the multi-part test fails on
the missing CCM* instead on the input length validity for CCM*.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
d8dba4e0aa Add Cipher Encrypt Fail multi-part case
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
3ee335dbe3 Add Cipher Encrypt multi-part case
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
752d811015 Add AEAD Key Policy check multi-part cases
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
78aeaf8ad7 Add Cipher Key Policy check one-shot cases
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
3af9b97a29 Add Multipart Message authentication Compute & Verify cases
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
ca30a00aad Add Multipart Hash Compute & Compare tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
55a1be1f48 Add Multipart Hash Compare fail tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
161ec5c368 Add Multipart Hash Compute fail tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Neil Armstrong
edb20865c7 Add One-Shot Hash setup test
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-22 10:56:18 +01:00
Manuel Pégourié-Gonnard
1ab2d6966c
Merge pull request #5385 from AndrzejKurek/use-psa-crypto-reduced-configs
Resolve problems with reduced configs using USE_PSA_CRYPTO
2022-02-02 10:20:26 +01:00
Mircea Udrea
657ff4fd09 Fix AEAD multipart incorrect offset in test_suite_psa_crypto.function
When working with block cipher modes like GCM(PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER),
aead_multipart_internal_func() should calculate the offset in output buffer
based on output_length, not using the offset of the input buffer(part_offset).

Signed-off-by: Mircea Udrea <mircea.udrea@silexinsight.com>
2022-01-31 13:51:56 +01:00
Gilles Peskine
c6753a6c90
Merge pull request #5363 from AndrzejKurek/clarify-testing-set-nonce-set-lengths
PSA AEAD: extend testing of set_nonce + set_lengths
2022-01-25 17:02:26 +01:00
Andrzej Kurek
f881601c91 Detect invalid tag lengths in psa_aead_setup
Read tag lengths from the driver and validate against preset values.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-20 07:40:12 -05:00
Andrzej Kurek
031df4a93a Clarify test descriptions
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:44:49 -05:00
Andrzej Kurek
e5f94fb556 PSA AEAD: test long plaintext lengths for psa_set_lengths
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:36:50 -05:00
Andrzej Kurek
1e8e1745a8 PSA AEAD: test more combinations of set_nonce and set_lengths
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:36:50 -05:00
Andrzej Kurek
a2ce72e5bf Test calling psa_aead_set_lengths and set_nonce in various order
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:36:50 -05:00