Commit graph

23559 commits

Author SHA1 Message Date
Paul Elliott
59ad9457b6 Add {sign/verify}_hash_abort_internal
Ensure that num_ops is cleared when manual abort is called, but obviously not
when an operation just completes, and test this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
20a360679b Add State tests
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
0c68335a42 Convert tests to configurable max_ops
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
4cec2f60dc Add interruptible to psa_op_fail tests
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
9100797cb3 Negative tests
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
e04e15b766 Add Changelog entry
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
712d512007 Basic tests
Sign Hash, Verify Hash and Sign and Verify Hash.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
296ede99c9 Fix issues with get_{sign/verify}_num_ops
Move to accumulate ops in context rather than attempting to read straight out
of structures due to structure ops getting reset per operation, and also
issues with _abort clearing internal data. Fix usage of size_t in structures

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
588f8ed498 Add internal implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
2ba002cc2f Make ECDSA restartable sign and verify functions public
Make public the versions of ECSDA sign and verify which return raw signatures
rather than returning ASN.1 encoded signatures, in order to use them for the
internal implemention of psa_sign/verify_hash_interruptible.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Gabor Mezei
7e6fcc1fbc
Update documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:09 +01:00
Gabor Mezei
555b1f7e44
Add check for test
Check the bit length of the output of ecp_mod_p521_raw.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:09 +01:00
Gabor Mezei
2b064ec332
Revert the addition of hex digit calculator function
This reverts commit 0f83e15e670565147daa32fd1fac510759520e26.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:08 +01:00
Gabor Mezei
cf228706cd
Restrict input parameter size for ecp_mod_p521_raw
The imput mpi parameter must have twice as many limbs as the modulus.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:19:08 +01:00
Gabor Mezei
d10d429380
Stack usage optimization for mod_p521
Instead of creating an mpi on the stack, reuse the unused part of the input mpi.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:51 +01:00
Janos Follath
fe24e91a34
mod_p521: document reduction algorithm
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Janos Follath
666673e83f
modp521: apply naming conventions
Apply the usual parameter name and align the local variables and
comments. This naming diverges from the standard notation, but this is
beneficial as our variable meanings diverge as well and the difference
can help avoiding confusion.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Janos Follath
755ff0e685
Add corner case to mod_p521 tests
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Janos Follath
13c3aa13af
Revert changes to mod_p521 flow
It is not necessary to save the middle limb upfront as overwriting it is
the desired result: in the first step we are reducing modulo
2^{512+biL}.

Arguably, the original flow is more intuitive and easier to see the idea
behind it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:50 +01:00
Gabor Mezei
b50aeb8f05
Fix 32-bit issues
The 521 bit needs different limb alignment for different word sizes.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:49 +01:00
Gabor Mezei
6bfbd36507
Fix coding style issues
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:49 +01:00
Gabor Mezei
05c138e172
Fix pylint issues
Create a new function for calculating the number of hex digits needed
for a certain amount of limbs.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:49 +01:00
Gabor Mezei
b62ad5d569
Rename function to follow naming convention
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:48 +01:00
Gabor Mezei
b1c62caa1f
Add documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:48 +01:00
Gabor Mezei
d8f67b975b
Add test generation for ecp_mod_p521_raw
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:13:48 +01:00
Gabor Mezei
2cb630edee
Change the ecp_mod_p521_raw to be testable
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:05:22 +01:00
Gabor Mezei
8450ab9c60
Fix Secp521r1 reduction
The prototype calculated with wrong limb size and not taken into account
the overflow in the shared limb.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:03:03 +01:00
Gabor Mezei
42df16c84b
Extract Secp521r1 from the prototype
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-15 18:02:57 +01:00
David Horstmann
f51851dc70 Change += to |= for clearer semantics
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 15:44:24 +00:00
Gilles Peskine
e2a9f86755
Merge pull request #6971 from gabor-mezei-arm/6026_Secp192r1_fast_reduction
Extract Secp192r1 fast reduction from the prototype
2023-02-15 16:22:36 +01:00
David Horstmann
34b3f1b757 Make overflow checks more readable
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 13:46:53 +00:00
David Horstmann
21b8387929 Add ChangeLog for OID-to-string fixes
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 13:07:49 +00:00
Paul Elliott
9fe12f666b PSA level initial implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
Paul Elliott
2d247923e5 Initial empty driver wrapper implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
Paul Elliott
1265f00494 First draft of PSA interruptible ECC signing design
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
David Horstmann
895eb7c9b5 Add testcases for overlong encoding of OIDs
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 12:09:41 +00:00
David Horstmann
9c1887c4c7 Disallow overlong encoding when parsing OIDs
OID subidentifiers are encoded as follow. For every byte:
* The top bit is 1 if there is another byte to come, 0 if this is the
last byte.
* The other 7 bits form 7 bits of the number. These groups of 7 are
concatenated together in big-endian order.

Overlong encodings are explicitly disallowed by the BER/DER/X690
specification. For example, the number 1 cannot be encoded as:

0x80 0x80 0x01

It must be encoded as:

0x01

Enforce this in Mbed TLS' OID DER-to-string parser.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 12:02:27 +00:00
Manuel Pégourié-Gonnard
6778ddf657
Merge pull request #6549 from gilles-peskine-arm/psa-migration-md-cipher-strategy
Dual-API hash dispatch strategy
2023-02-15 12:50:13 +01:00
David Horstmann
f01de145bd Add tests for mbedtls_oid_get_numeric_string()
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-15 11:45:51 +00:00
Pengyu Lv
10f41444a0 Fix CI failure
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-15 16:58:09 +08:00
Pengyu Lv
c36743f4e0 Only check files known to git
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-15 10:20:40 +08:00
Gilles Peskine
edc6ae9578
Merge pull request #7090 from paul-elliott-arm/fix_iar_warnings_dev
Fix IAR Warnings
2023-02-14 20:01:00 +01:00
Gilles Peskine
c5e2a4fe67
Merge pull request #6937 from valeriosetti/issue6886
Add test for PK parsing of keys using compressed points
2023-02-14 19:54:29 +01:00
Gilles Peskine
4386cf188d Changelog entry for pacifying clang -Wdocumentation about \retval
Fixes #6960

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-14 19:26:56 +01:00
Gilles Peskine
ed73355d2e Make \retval commands non-empty
Pacify Clang >=15 which complained:
```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

This commit performs the following systematic replacement:
```
perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja')
```
i.e. add an `\emptydescription` argument to `\retval` commands (or
`@retval`, which we don't normally used) that are followed by a single word,
unless the next line looks like it contains text which would be the
description.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-14 19:21:09 +01:00
Gilles Peskine
8ea7d85851 Define a workaround for empty \retval description
Since Clang 15, `clang -Wdocumentation` warns about an empty description in
a Doxygen `\retval` command:

```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

Ideally `\retval` directives should have a description that describes the
precise meaning of the return value, but we commonly use an empty
description when the return value is a status code and the status code's
description is sufficient documentation.

As a workaround, define a Doxygen command `\emptydescription` that we can
use to make the description source code non-empty, without changing the
appearance. Using the command will be done in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-14 19:15:40 +01:00
David Horstmann
c7f700c795 Fix incorrect printing of OIDs
The first 2 components of an OID are combined together into the same
subidentifier via the formula:

subidentifier = (component1 * 40) + component2

The current code extracts component1 and component2 using division and
modulo as one would expect. However, there is a subtlety in the
specification[1]:

>This packing of the first two object identifier components recognizes
>that only three values are allocated from the root node, and at most
>39 subsequent values from nodes reached by X = 0 and X = 1.

If the root node (component1) is 2, the subsequent node (component2)
may be greater than 38. For example, the following are real OIDs:
* 2.40.0.25, UPU standard S25
* 2.49.0.0.826.0, Met Office
* 2.999, Allocated example OID

This has 2 implications that the current parsing code does not take
account of:
1. The second component may be > 39, so (subidentifier % 40) is not
correct in all circumstances.
2. The first subidentifier (containing the first 2 components) may be
more than one byte long. Currently we assume it is just 1 byte.

Improve parsing code to deal with these cases correctly.

[1] Rec. ITU-T X.690 (02/2021), 8.19.4

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-14 17:00:25 +00:00
Gabor Mezei
0b4b8e3c5e
Update documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-14 16:36:38 +01:00
Andrzej Kurek
570a0f808b Move to DER certificates for new x509 tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-14 05:52:49 -05:00
Dave Rodgman
319a5675db
Merge pull request #7084 from daverodgman/sizemax-uintmax
Assume SIZE_MAX >= INT_MAX, UINT_MAX
2023-02-14 10:06:22 +00:00