Commit graph

10726 commits

Author SHA1 Message Date
Tom Cosgrove
ca21b241bd
Merge pull request #8840 from gilles-peskine-arm/domain_parameters-remove
Remove domain parameters
2024-02-27 10:36:51 +00:00
Tom Cosgrove
f4a200f106
Merge pull request #8838 from paul-elliott-arm/improve_test_data_accessors
Improve test info data accessors
2024-02-26 11:22:20 +00:00
Gilles Peskine
4c32b69f37 Ignore domain parameters in RSA key generation
Remove the ability to select a custom public exponent via domain parameters
in RSA key generation. The only way to select a custom public exponent is
now to pass custom production parameters to psa_generate_key_ext().

A subsequent commit will remove domain parameters altogether from the API,
thus this commit does not bother to update the documentation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-26 08:50:38 +01:00
Gilles Peskine
0f63028809
Merge pull request #8815 from gilles-peskine-arm/psa_generate_key_ext-prototype
Introduce psa_generate_key_ext
2024-02-26 07:16:49 +00:00
Paul Elliott
9011dae0c1 Improve documentation / comments
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-24 10:57:22 +00:00
Tom Cosgrove
817772a6ca
Merge pull request #8716 from mschulz-at-hilscher/feature/gcm_largetable
Use large GCM tables
2024-02-23 16:25:38 +00:00
Gilles Peskine
0aab69d2eb
Merge pull request #8807 from gilles-peskine-arm/pk_import_into_psa-implement_import
Implement mbedtls_pk_import_into_psa
2024-02-21 15:45:17 +00:00
Gilles Peskine
dd49c739f0 Merge remote-tracking branch 'development' into pk_import_into_psa-implement_import
Conflicts:
* tests/suites/test_suite_pk.function: consecutive changes to the
  depends_on line of pk_sign_verify and its argument list.
2024-02-21 12:10:40 +01:00
Manuel Pégourié-Gonnard
0ecb5fd6f5
Merge pull request #8574 from ronald-cron-arm/ssl-tickets
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
2024-02-21 09:38:46 +00:00
Gilles Peskine
23605d19d9 More renaming: method -> production parameters
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-20 17:10:56 +01:00
Gilles Peskine
092ce51c47 Rename "key generation method" to "key production parameters"
"Key generation method" was misleading since it also applies to key
derivation. Change "key generation" to "key production", which we aren't
using yet and has roughly the right intuition. Change "method" to
"parameters" which there seems to be a slight preference for. Discussion
thread: https://github.com/Mbed-TLS/mbedtls/pull/8815#discussion_r1486524295

Identifiers renamed:
psa_key_generation_method_t → psa_key_production_parameters_t
psa_key_generation_method_s → psa_key_production_parameters_s
PSA_KEY_GENERATION_METHOD_INIT → PSA_KEY_PRODUCTION_PARAMETERS_INIT
method → params
method_data_length → params_data_length
default_method → default_production_parameters
psa_key_generation_method_is_default → psa_key_production_parameters_are_default
setup_key_generation_method → setup_key_production_parameters
key_generation_method_init → key_production_parameters_init

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-20 16:18:13 +01:00
Manuel Pégourié-Gonnard
fc3f980f0f
Merge pull request #8826 from valeriosetti/issue8824
RSA keys set to PSS/OAEP padding perform PKCS1v1.5 when MBEDTLS_USE_PSA_CRYPTO is enabled
2024-02-20 14:08:41 +00:00
Manuel Pégourié-Gonnard
a7f651cf16
Merge pull request #8804 from valeriosetti/issue8799
mbedtls_rsa_parse_key and mbedtls_rsa_parse_pubkey accept trailing garbage
2024-02-20 11:58:52 +00:00
Gilles Peskine
e7a7013910 Remove initialization function for variable-length struct
Assigning the return value of a function that returns a struct with a
flexible array member does not fill the flexible array member, which leaves
a gap in the initialization that could be surprising to programmers. Also,
this is a borderline case in ABI design which could cause interoperability
problems. So remove this function.

This gets rid of an annoying note from GCC about ABI compatibility on
(at least) x86_64.
```
In file included from include/psa/crypto.h:4820,
                 from <stdin>:1:
include/psa/crypto_struct.h: In function ‘psa_key_generation_method_init’:
include/psa/crypto_struct.h:244:1: note: the ABI of passing struct with a flexible array member has changed in GCC 4.4
  244 | {
      | ^
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-20 12:17:00 +01:00
Valerio Setti
80bc5d6aad test_suite_pk: fix data in some RSA related test cases
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 16:13:47 +01:00
Valerio Setti
f966a97806 test_suite_pk: remove leftover comment
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 15:30:27 +01:00
Valerio Setti
e88a1c5b85 pem: fix return values in pem_check_pkcs_padding()
Return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH instead of
MBEDTLS_ERR_PEM_BAD_INPUT_DATA in case of errors.
This commit also fix related failures in test pkparse and
pem test suites.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 15:09:41 +01:00
Valerio Setti
e10674d547 test_suite_pem: fix comment in test case
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 14:52:54 +01:00
Valerio Setti
eba4ca19c6 test_suite_pem: solve driver test disparities
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-19 07:42:18 +01:00
Valerio Setti
4cc6522a85 pem: do not parse ASN1 data after decryption (removes ASN1 dependency)
Now that we have padding verification after decryption and since
this can be used to validate the password as well there is no
need to parse ASN1 content any more, so we can simplify/remove
that dependency.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 15:26:12 +01:00
Valerio Setti
8aff4ef274 test_suite_pem: add more test cases for invalid padding data
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 15:26:08 +01:00
Gilles Peskine
46ee81d259 test_suite_pk: add test cases for RSA keys (sign/verify & crypt/decrypt)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 15:19:19 +01:00
Valerio Setti
0f286d5453 pem: reject empty PEM contents
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-16 14:30:58 +01:00
Gilles Peskine
2ec141a429 After pk_import_into_psa, test that the keys match
We were testing the internal consistency of the resulting key, and that the
resulting key had the right metadata, but we were not testing that the PSA
key had the expected key material. Comparing the public keys fixes that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 17:22:37 +01:00
Gilles Peskine
6fe8a06f7e New test helper: mbedtls_test_key_consistency_psa_pk
Test that a PK key and a PSA key are consistent, i.e. that they have the
same type (or are a key pair and the corresponding public key) and that
they have the same public key.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 17:21:17 +01:00
Gilles Peskine
d6fc3501c0 Test mbedtls_pk_import_into_psa with different bits
This was only tested with opaque keys. Since the code paths are different
depending on the PK type, we also need to test RSA and ECKEY.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 17:15:29 +01:00
Paul Elliott
ba536dc1db Lock test mutex before doing mutex usage check
Although this again should only happen post all threads stopping, guard
this just in case things change.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-15 13:04:31 +00:00
Paul Elliott
114ed5ef1e Fix missing mutex lock for mutex usage error
Although this can only be read in a situation where threads should have
already stopped, best to fix this as its public.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-15 12:52:45 +00:00
Paul Elliott
264e21011a Rename internal test info data accessors
Rename internal test info data accessors by adding _internal to mark
them as obviously internal. Add to the intial comment block to further
explain the mutex locking policy.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-15 12:52:45 +00:00
Gilles Peskine
68a287dc7a Use named constants FROM_PAIR/FROM_PUBLIC for readability
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 13:30:55 +01:00
Gilles Peskine
f50cd59b51 Fix encrypt/decrypt confusion
The values are the same for all supported mechanisms (RSA-based), so no
semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 13:13:26 +01:00
Gilles Peskine
cbd2cbb408 Rename identifier for consistency
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 13:12:44 +01:00
Gilles Peskine
63072b1f94 Only test custom-e RSA key generation when built in
Custom-e RSA key generation is not yet supported in the test driver, and we
don't support fallback from the test driver to the built-in
implementation (even though we're testing with MBEDTLS_RSA_C). So for the
time being, only run psa_generate_key_ext test cases for RSA with a custom
public exponent when using the built-in implementation.

Add a test case to validate that psa_generate_key_ext test cases for RSA
with a custom public exponent returns NOT_SUPPORTED (rather than silently
doing the wrong thing) when not using built-in RSA (which is subtly
different from when having accelerated RSA: if both are enabled, which we
currently don't do in all.sh, then this should be supported and this is
validated by the test cases above).

This wart will be resolved when we add support for drivers with a
generate_key_ext entry point.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 12:02:04 +01:00
Gilles Peskine
c81393b2ed generate/derive key ext: pass method_data_length rather than method_length
Instead of passing the size of the whole structure, just pass the data
length and let the implementation worry about adding the size of the
structure. The intent with passing the structure size was to allow
the client code in a client-server implementation to know nothing
about the structure and just copy the bytes to the server. But that was not
really a useful consideration since the application has to know the
structure layout, so it has to be available in the client implementation's
headers. Passing the method data length makes life simpler for everyone by
not having to worry about possible padding at the end of the structure, and
removes a potential error condition
(method_length < sizeof(psa_key_generation_method_t)).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:57:48 +01:00
Gilles Peskine
7a18f9645c psa_generate_key_ext: RSA: support custom public exponent
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:57:46 +01:00
Gilles Peskine
f0765fa06a Implement psa_generate_key_ext, psa_key_derivation_output_key_ext
Implement and unit-test the new functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext(), only for the default method.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:19:27 +01:00
Gilles Peskine
1d25a0a810 Refactoring: extract rsa_test_e
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-15 11:19:27 +01:00
Manuel Pégourié-Gonnard
59d63b2106
Merge pull request #8582 from yanrayw/issue/8167/PK_parse_write_OID_dependency
PK parse and PK write: add dependency check with OID
2024-02-15 08:34:14 +00:00
Yanray Wang
e9954bb9d5 test_suite_pk.function: add correct dependency
In valid_parameters_pkwrite, we first parse a public key then test
with mbedtls_pk_write_xxx functions. So valid_parameters_pkwrite
should depend on both MBEDTLS_PK_WRITE_C and MBEDTLS_PK_PARSE_C.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-02-14 15:56:02 +00:00
Paul Elliott
e66c841c73 Make internal test info accessor functions static.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-14 15:03:11 +00:00
Gilles Peskine
3ea9450463
Merge pull request #8734 from valeriosetti/issue8564
Add test for driver-only HMAC
2024-02-14 13:43:40 +00:00
Tom Cosgrove
1c0b1bffee
Merge pull request #8779 from gilles-peskine-arm/rsa-bitlen-fix
Fix mbedtls_pk_get_bitlen for a key size that is not a multiple of 8
2024-02-14 11:18:25 +00:00
Valerio Setti
3a4f2040b3 test_suite_psa_crypto: fix some test descriptions
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-14 06:44:31 +01:00
Valerio Setti
c1b93751b3 test_suite_pem: add more test cases for encrypted PEM buffers
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-14 06:44:28 +01:00
Valerio Setti
095e1ac71c pem: check data padding in DES/AES decrypted buffers
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-14 06:44:07 +01:00
Manuel Pégourié-Gonnard
e6c80bc6e5
Merge pull request #8755 from ronald-cron-arm/tls13-client-early-data-status
TLS 1.3: Refine and test client early data status
2024-02-13 20:36:42 +00:00
Paul Elliott
9718203308 Fix deadlock with test failures
Calling mbedtls_test_fail() attempts to lock the test data mutex.
Unfortunately we were calling this from places where we already held
this mutex, and this mutex is not recursive, so this deadlocks. Split
out mbedtls_test_fail() into mbedtls_test_fail_internal() in order to
address this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-02-13 13:57:31 +00:00
Gilles Peskine
465e4ed56b Prioritize SHA2 over MD5 for KNOWN_SUPPORTED_HASH_ALG
This fixes the ability to exercise keys in configurations where MD5 is
supported for direct use, but not inside some accelerated algorithms. This
is the case in `all.sh test_psa_crypto_config_accel_ecc_ecp_light_only` and
some other accelerated-ECC components of `all.sh`, where the driver is built
without MD5 support but built-in MD5 remains enabled.

This is only a hack, not a theoretically correct fix, but a correct fix is
out of scope of my current work.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-12 19:54:53 +01:00
Gilles Peskine
34955677e5 Don't exercise if the algorithm is not supported
Parsing a key and importing it into PSA may result in a policy that
specifies an algorithm that is not included in the build. This happens if
the key type is supported, but not the algorithm, e.g. in a build with
MBEDTLS_ECP_C but not MBEDTLS_ECDSA_C.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-12 19:31:55 +01:00
Gilles Peskine
1d33876d37 Fix some preprocessor guards
Fix the build in some configurations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-12 19:07:45 +01:00