Commit graph

579 commits

Author SHA1 Message Date
Valerio Setti
024b028ce1 test: split psa_pake function/data from the generic test_suite_psa_crypto
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:52:17 +01:00
Valerio Setti
1070aed778 test_suite_psa_crypto: do not re-use PAKE's contexts in case of errors
As for ecjpake_setup(), now the test function can handle:
- "external" errors, through parameters set by the data file
- "internal" ones, through enums which inject ad-hoc failures

Similarly also ecjpake_rounds() can handle both type of errors,
but right now there's no erroneous case in the associated ".data"
file.

In both cases, after an error the current test is terminated.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 18:45:03 +01:00
Przemek Stekiel
cd356c3cdb Add ec-jpake test to verify if key can be destroyed after set_password_key
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-21 12:25:21 +01:00
Gilles Peskine
faefe62013
Merge pull request #6390 from mpg/fix-ecjpake-psa-format
Fix ecjpake PSA format
2022-11-07 17:35:44 +01:00
Przemek Stekiel
8258ea7b7d test_suite_psa_crypto: adapt dependenies and guards so the test can run in the driver-only build
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-10-19 13:20:20 +02:00
Manuel Pégourié-Gonnard
b3c30907d6
Merge pull request #6383 from mprse/aead_driver_test
Enable testing of AEAD drivers with libtestdriver1
2022-10-14 11:11:01 +02:00
Przemek Stekiel
42bb3ff40b Adapt expected results in ChaCha20-Poly1305 ( invalid tag length)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-10-10 07:28:40 +02:00
Manuel Pégourié-Gonnard
ec7012dbc7 Fix I/O format of PSA EC J-PAKE for compliance
The format used by the mbedtls_ecjpake_xxx() APIs and that defined by
the PSA Crypto PAKE extension are quite different; the former is
tailored to the needs of TLS while the later is quite generic and plain.
Previously we only addressed some part of this impedance mismatch: the
different number of I/O rounds, but failed to address the part where the
legacy API adds some extras (length bytes, ECParameters) that shouldn't
be present in the PSA Crypto version. See comments in the code.

Add some length testing as well; would have caught the issue.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-05 12:52:48 +02:00
Manuel Pégourié-Gonnard
f3f9e450b6
Merge pull request #6115 from AndrzejKurek/ecjpake-kdf-tls-1-2
Ad-hoc KDF for EC J-PAKE in TLS 1.2
2022-09-28 09:47:32 +02:00
Andrzej Kurek
2be1689504 Add capacity testing to EC J-PAKE to PMS tests
Let the caller restrict the capacity but limit it to 32 bytes.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-16 07:14:04 -04:00
Andrzej Kurek
d37850404a Add derivation step testing to EC J-PAKE to PMS tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-16 06:45:44 -04:00
Andrzej Kurek
d8705bc7b7 Add tests for the newly created ad-hoc EC J-PAKE KDF
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-14 08:39:41 -04:00
Neil Armstrong
2a73f21878 Fixup expected status handling in ecjpake_setup() and add more coverage for psa_pake_set_password_key()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-06 11:34:54 +02:00
Neil Armstrong
e5fdf20a79 Make ecjpake_rounds test depends on PSA_WANT_ALG_TLS12_PSK_TO_MS
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
8c2e8a6cda Add ecjpake_rounds_inject tests to exercise error injection
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
f983caf6c4 Move JPAKE rounds into a common function, add reordering and error injection
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
a24278a74a Add invalid hash ecjpake_setup() test case
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
9c8b492052 Add advanced psa_pake_input/psa_pake_output test in ecjpake_setup() test
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
ebd9a03743 Cleanup PSA pake test dependency
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
d597bc705f Add PSA PAKE tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Gilles Peskine
36aeb7f163
Merge pull request #5834 from mprse/HKDF_1
HKDF 1: PSA: implement HKDF_Expand and HKDF_Extract algorithms
2022-06-20 15:27:46 +02:00
Przemek Stekiel
66867731aa derive_output tests: fix output key length to be consistent with teh description
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-06 11:26:02 +02:00
Przemek Stekiel
cde3f783f5 Make info valid only after secret for HKDF-EXPAND + adapt tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-06 11:26:02 +02:00
Przemek Stekiel
0586f4c4ea Make salt mandatory for HKDF-EXTRACT + adapt tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-06 11:25:43 +02:00
Przemek Stekiel
3e8249cde0 Add PSA_WANT_ALG_HKDF_EXPAND, PSA_WANT_ALG_HKDF_EXTRACT, adapt code and dependencies
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-03 16:18:15 +02:00
Przemek Stekiel
fcdd023ba6 derive_output tests: add invalid input secret test for HKDF-Expand
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-19 10:28:58 +02:00
Manuel Pégourié-Gonnard
4014a0408e
Merge pull request #5617 from gilles-peskine-arm/chacha20-rfc7539-test-vector
PSA: ChaCha20: add RFC 7539 test vector with counter=1
2022-05-12 12:34:20 +02:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Przemek Stekiel
6786a87ccd derive_output tests: add capacity HKDF-Extract/Expand tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-11 12:40:21 +02:00
Przemek Stekiel
2849e0e4d5 derive_output tests: add negative HKDF-Extract/Expand tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-11 12:38:01 +02:00
Przemek Stekiel
e1036fbe90 derive_output tests: add positive HKDF-Extract/Expand tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-11 12:34:53 +02:00
Gilles Peskine
2b5d898eb4
Merge pull request #5644 from gilles-peskine-arm/psa-storage-format-test-exercise
PSA storage format: exercise key
2022-04-28 18:20:02 +02:00
Manuel Pégourié-Gonnard
70701e39b5
Merge pull request #5726 from mprse/mixed_psk_1_v2
Mixed PSK 1: Extend PSK-to-MS algorithm in PSA (v.2)
2022-04-21 17:11:52 +02:00
Przemek Stekiel
4daaa2bd05 derive_output mix-psk test: add more cases for derivation of output key
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
6aabc473ce derive_output test: remove redundant tests with raw key agreement
Already handled by input_bytes().
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
e665466a80 derive_output test: add other key type value 11 to handle raw key type
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
c5bd1b8b24 PSA key derivation mix-psk tests: add description for bad state cases
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Przemek Stekiel
cd00d7f724 test PSA key derivation: add positive and negative cases for mixed-psk
Mix-PSK-to-MS test vectors are generated using python-tls library:
https://github.com/python-tls/tls

Steps to generate test vectors:
1. git clone git@github.com:python-tls/tls.git
2. cd tls
3. python3 setup.py build
4. sudo python3 setup.py install
5. Use the python script below to generate Master Secret (see description for details):

"""
Script to derive MS using mixed PSK to MS algorithm.

Script can be used to generate expected result for mixed PSK to MS tests.

Script uses python tls library:
https://github.com/python-tls/tls

Example usage:
derive_ms.py <secret> <other_secret> <seed> <label> <hash>
derive_ms.py 01020304 ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f 6d617374657220736563726574 SHA256

secret          : 01020304
other_secret    : ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7
pms             : 0030ce2fa604b6a3e08fc42eda74ab647adace1168b199ed178dbaae12521d68271d7df56eb56c55878034cf01bd887ba4d7000401020304
seed            : 5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f
label           : 6d617374657220736563726574
output          : 168fecea35190f9df34c042f24ecaa5e7825337f2cd82719464df5462f16aae84cb38a65c0d612ca9273f998ad32c05b
"""
from cryptography.hazmat.primitives import hashes
from tls._common.prf import prf
import os
import sys

def build_pms(other_secret: bytes, secret: bytes) -> bytes:
    other_secret_size = len(other_secret).to_bytes(2, byteorder='big')
    secret_size = len(secret).to_bytes(2, byteorder='big')
    return(other_secret_size + other_secret + secret_size + secret)

def derive_ms(secret: bytes, other_secret: bytes, seed: bytes, label: bytes, hash: hashes.HashAlgorithm) -> bytes:
    return prf(build_pms(other_secret, secret), label, seed, hash, 48)

def main():
    #check args
    if len(sys.argv) != 6:
        print("Invalid number of arguments. Expected: <secret> <other_secret> <seed> <label> <hash>" )
        return
    if sys.argv[5] != 'SHA384' and sys.argv[5] != 'SHA256':
        print("Invalid hash algorithm. Expected: SHA256 or SHA384" )
        return

    secret = bytes.fromhex(sys.argv[1])
    other_secret = bytes.fromhex(sys.argv[2])
    seed = bytes.fromhex(sys.argv[3])
    label = bytes.fromhex(sys.argv[4])
    hash_func = hashes.SHA384() if sys.argv[5] == 'SHA384' else hashes.SHA256()
    pms = build_pms(other_secret, secret)

    actual_output = derive_ms(secret, other_secret, seed, label, hash_func)

    print('secret       : ' + secret.hex())
    print('other_secret : ' + other_secret.hex())
    print('pms          : ' + pms.hex())
    print('seed         : ' + seed.hex())
    print('label        : ' + label.hex())
    print('output       : ' + actual_output.hex())

if __name__ == "__main__":
    main()

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:41:41 +02:00
Gilles Peskine
9e38f2c8fd cipher_alg_without_iv: generalized to also do decryption
Test set_iv/generate_iv after decrypt_setup. Test successful decryption.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-21 11:25:00 +02:00
Przemek Stekiel
ffbb7d35fc derive_output: add optional step for derivation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-12 11:27:00 +02:00
Gilles Peskine
08622b6dc7 Declare PSA_WANT_ALG_CCM_STAR_NO_TAG and use it in tests
CCM*-no-tag is currently available whenever CCM is, so declare
PSA_WANT_ALG_CCM_STAR_NO_TAG whenever PSA_WANT_ALG_CCM is declared and vice
versa.

Fix dependencies of test cases that use PSA_ALG_CCM_STAR_NO_TAG: some were
using PSA_WANT_ALG_CCM and some had altogether wrong dependencies.

This commit does not touch library code. There is still no provision for
providing CCM support without CCM*-no-tag or vice versa.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-03-16 13:54:25 +01:00
Manuel Pégourié-Gonnard
c11bffe989
Merge pull request #5139 from mprse/key_der_ecc
PSA: implement key derivation for ECC keys
2022-03-14 09:17:13 +01:00
Gilles Peskine
fc47641e36 Add RFC 7539 test vector for ChaCha20
The PSA Crypto API uses 0 as the initial counter value, but the test vector
in RFC 7539 uses 1. So the unit tests here include an extra leading block.
The expected data for this leading block was calculated with Cryptodome.

    #!/usr/bin/env python3
    import re
    from Cryptodome.Cipher import ChaCha20

    key = bytes.fromhex('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f')
    nonce = bytes.fromhex('000000000000004a00000000')
    encrypt = lambda pt: ChaCha20.new(key=key, nonce=nonce).encrypt(pt)
    # Cryptodome uses counter=0, like PSA Crypto. Prepend a 64-byte input block #0
    # so that the plaintext from RFC 7539 starts exactly at block #1.
    header = b'The RFC 7539 test vector uses counter=1, but PSA uses counter=0.'
    assert(len(header) == 64)
    sunscreen = b"Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it."
    plaintext = header + sunscreen
    zeros = b'\x00' * len(plaintext)
    keystream = encrypt(zeros)
    ciphertext = encrypt(plaintext)

    print('RFC 7539 §2.4.2')
    print('Keystream:')
    print(re.sub(r'(..)', r'\1:', keystream[64:].hex()))
    print('Ciphertext Subscreen:')
    print(re.sub(r'(..)', r'\1 ', ciphertext[64:].hex()))
    print('')

    print(f"""\
    PSA symmetric decrypt: ChaCha20, RFC7539 keystream
    depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20
    # Keystream from RFC 7539 §2.4.2, with an extra 64-byte output block prepended
    # because the test vector starts at counter=1 but our API starts at counter=0.
    cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"{key.hex()}":"{nonce.hex()}":"{zeros.hex()}":"{keystream.hex()}"

    PSA symmetric decrypt: ChaCha20, RFC7539 sunscreen
    depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20
    # Test vector from RFC 7539 §2.4.2, with an extra 64-byte block prepended
    # because the test vector starts at counter=1 but our API starts at counter=0.
    cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"{key.hex()}":"{nonce.hex()}":"{ciphertext.hex()}":"{plaintext.hex()}"
    """)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-03-10 18:57:09 +01:00
Przemek Stekiel
4400be408b Adapt test cases for invalid bits with and without ECC keys enabled
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-01 17:02:46 +01:00
Przemek Stekiel
dcab6ccb3b Return PSA_ERROR_INVALID_ARGUMENT for a public key, and PSA_ERROR_NOT_SUPPORTED for a type that is not handled.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-01 14:29:49 +01:00
Neil Armstrong
4766f99fe5 Add multi-part mac sign/verify test
The test is based on the AEAD multi-part test, re-using the
design on aead_multipart_internal_func() to test differnet
sequence of psa_mac_update() for MAC update or verify.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-28 18:37:30 +01:00
Neil Armstrong
60234f87a6 Revert "Introduce new mac_key_policy_multi() variant of mac_key_policy() testing multiple updates occurences"
This reverts commit 3ccd08b343.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-28 15:21:38 +01:00
Neil Armstrong
3ccd08b343 Introduce new mac_key_policy_multi() variant of mac_key_policy() testing multiple updates occurences
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 16:15:08 +01:00
Przemyslaw Stekiel
aeaa4f0651 Code optimization
- fix codding style
- fix comments and descriptions
- add helper function for montgomery curve
- move N-2 calculation outside the loop
- fix access to <data> bytes: *data[x] -> (*data)[x]

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-22 13:35:27 +01:00
Przemyslaw Stekiel
f6c2c87492 Fix ECC derivation tests
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-22 13:35:27 +01:00