Commit graph

539 commits

Author SHA1 Message Date
avolinski
7cc8229d80 Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec Add Tests for psa crypto entropy incjection
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Netanel Gonen
2bcd312cda Add entropy injection function to psa cripto APIs 2018-11-21 16:15:14 +02:00
itayzafrir
910c76b3d1 Check that memory allocation was successful in psa_save_generated_persistent_key 2018-11-21 16:10:33 +02:00
Darryl Green
0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green
dd8fb777ce psa: Refactor psa_internal_export_key to use slot, rather than key
When generating keys that have persistent lifetime, we will need
the keys to be in the exported format to save to persistent storage.
This refactoring to separate checking the slots usage from the
exporting of the key data will be necessary for using
psa_internal_export_key in psa_generate_key.
2018-11-20 15:40:32 +00:00
Darryl Green
d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Darryl Green
40225ba709 psa: Refactor psa_destroy_key()
Create a new function psa_remove_key_from_memory() from psa_destroy_key().
This is needed as psa_destroy_key() will remove all key data, including
persistent storage. mbedtls_psa_crypto_free() will now only free in-memory
data and not persistent data.
2018-11-20 15:21:22 +00:00
Darryl Green
06fd18de37 psa: Move get_key_slot functions
Move the psa_get_key_slot and related static functions as they will need
to call psa_import_key_into_slot() for persistent keys.
2018-11-20 15:21:22 +00:00
Darryl Green
940d72c3e8 psa: Refactor psa_import_key()
Create a new function psa_import_key_into_slot() from psa_import_key().
This is common functionality that will be used both when importing a
key and loading a key from persistent storage.
2018-11-20 15:21:22 +00:00
Hanno Becker
1aaedc03d4 Add implementation of TLS-1.2 PSK-to-MS key derivation 2018-11-19 11:24:25 +00:00
Gilles Peskine
93f8500e2e Fix unused variables warning if MBEDTLS_ECDH_C is off
depends-pkalgs.pl passes.
2018-11-16 16:43:31 +01:00
Gilles Peskine
346797d7b9 Add missing cleanup on failure in psa_key_agreement
If psa_key_derivation_internal() fails, it's up to the caller to clean
up. Do this, and add a note at the top of
psa_key_derivation_internal() and its auxiliary functions.

There is no non-regression test because at the moment the only way to
trigger an error is a borderline low-memory condition and we don't
have the means to trigger this.
2018-11-16 16:09:27 +01:00
Gilles Peskine
a05219c70b Add some missing compilation guards
Add missing checks for defined(MBEDTLS_MD_C) around types and
functions that require it (HMAC, HKDF, TLS12_PRF).

Add missing checks for defined(MBEDTLS_ECDSA_DETERMINISTIC) around
code that calls mbedtls_ecdsa_sign_det().

Add missing checks for defined(MBEDTLS_ECDH_C) around ECDH-specific
functions.
2018-11-16 16:09:24 +01:00
Hanno Becker
353e45361d Don't call memcpy() with 0-length arguments
The standard prohibits calling memcpy() with NULL pointer
arguments, even if the size argument is 0.

The TLS-1.2 PRF generator setup function previously called
memcpy() with the label and salt as the source, even if
they were of length 0, as exercised by the derive_key_policy
test case in the PSA crypto test suite.

This commit adds guards around the memcpy() calls so that they
are only executed of salt or label have positive length, respectively.
2018-11-16 11:24:59 +00:00
Hanno Becker
3b339e2342 Simplify psa_generator_tls12_prf_generate_next_block() 2018-11-16 11:24:59 +00:00
Hanno Becker
580fba1431 Dynamically allocate A(i) + seed buffer for TLS-1.2 PRF 2018-11-16 11:24:59 +00:00
Hanno Becker
c8a41d71cb Add implementation of TLS-1.2 PRF 2018-11-16 11:24:55 +00:00
Gilles Peskine
b408661be9 ECDH: check that the keys are on the same curve
In psa_key_agreement_ecdh, check that the public key is on the same
curve as the private key. The underlying mbedtls API doesn't check.

If the curves don't match, psa_key_agreement_ecdh is practically
guaranteed to return INVALID_ARGUMENT anyway, because way the code is
written, the public point is interpreted on the curve of the private
point, and it is rejected because the point is not on the curve. This
is why the test case "PSA key agreement setup: ECDH, raw: public key
on different curve" passed even before adding this check.
2018-11-14 21:17:16 +01:00
Gilles Peskine
88714d78b8 Allow ECDH-only public key in ECDH
In ECDH key agreement, allow a public key with the OID id-ECDH, not
just a public key with the OID id-ecPublicKey.

Public keys with the OID id-ECDH are not permitted by psa_import_key,
at least for now. There would be no way to use the key for a key
agreement operation anyway in the current API.
2018-11-14 21:17:16 +01:00
Gilles Peskine
211a436f2e Document that key agreement produces a maximum-capacity generator 2018-11-14 21:15:37 +01:00
Gilles Peskine
b7ecdf0509 Implement ECDH 2018-11-14 21:15:37 +01:00
Gilles Peskine
01d718cee8 New API function: psa_key_agreement
Set up a generator from a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
8feb3a886d Support key derivation with non-predefined capacity
psa_key_derivation requires the caller to specify a maximum capacity.
This commit adds a special value that indicates that the maximum
capacity should be the maximum supported by the algorithm. This is
currently meant only for selection algorithms used on the shared
secret produced by a key agreement.
2018-11-14 21:15:37 +01:00
Gilles Peskine
751d965dfc Implement PSA_ALG_SELECT_RAW 2018-11-14 21:15:37 +01:00
Gilles Peskine
cce18aec4c Split off psa_key_derivation_internal
Refactor psa_key_derivation to prepare for key agreement algorithms
which need to plug into key derivation after argument validation.
2018-11-14 21:15:37 +01:00
Gilles Peskine
86a440b638 Reject non-byte-aligned RSA keys
On key import and key generation, for RSA, reject key sizes that are
not a multiple of 8. Such keys are not well-supported in Mbed TLS and
are hardly ever used in practice.

The previous commit removed support for non-byte-aligned keys at the
PSA level. This commit actively rejects such keys and adds
corresponding tests (test keys generated with "openssl genrsa").
2018-11-12 19:14:18 +01:00
Gilles Peskine
aac64a2839 Remove support for non-byte-aligned RSA keys
Remove the need for an extra function mbedtls_rsa_get_bitlen. Use
mbedtls_rsa_get_len, which is only correct for keys whose size is a
multiple of 8. Key sizes that aren't a multiple of 8 are extremely
rarely used, so in practice this is not a problematic limitation.
2018-11-12 18:37:42 +01:00
Gilles Peskine
52b9018cf7 psa_export_key: for raw-byte keys, zero the end of the output buffer
Skip all writing to the target buffer if its size is 0, since in this
case the pointer might be invalid and this would cause the calls to
memcpy and memset to have undefined behavior.
2018-10-31 14:10:06 +01:00
Gilles Peskine
188c71e382 Private EC key format: change to raw secret value (export)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine
f76aa7789b Private EC key format: change to raw secret value (doc, import)
Change the import/export format of private elliptic curve keys from
RFC 5915 to the raw secret value. This commit updates the format
specification and the import code, but not the export code.
2018-10-31 14:10:06 +01:00
Gilles Peskine
e0e9c7c417 New macro PSA_ALG_FULL_LENGTH_MAC
Provide a documented way of constructing the full-length MAC algorithm
from a truncated version.
2018-10-17 18:30:47 +02:00
Gilles Peskine
57fbdb1939 Use a public macro for AEAD tag length variations
Avoid depending on the encoding of algorithms inside psa_crypto.c.
2018-10-17 18:30:47 +02:00
Gilles Peskine
f8a8fe60f8 Fix memory leak with AEAD with non-default tag lengths
When freeing the key context, choose the context format based on the
base algorithm value stored in the operation object.
2018-10-17 13:54:48 +02:00
Gilles Peskine
8cac2e628e Translate GCM_BAD_INPUT to INVALID_ARGUMENT, not NOT_SUPPORTED 2018-10-17 13:54:48 +02:00
Gilles Peskine
99b7d6b700 Wipe sensitive data in psa_mac_verify_finish
Wipe the whole MAC intermediate buffer, not just the requested MAC
size. With truncated MAC algorithms, the requested MAC size may be
smaller than what is written to the intermediate buffer.
2018-10-17 13:54:47 +02:00
Gilles Peskine
87b0ac49f8 Fix possible buffer overread in psa_mac_finish_internal (CMAC) 2018-10-17 13:54:47 +02:00
Gilles Peskine
6d72ff9e79 Document that the minimum truncated MAC length is implementation-defined 2018-10-17 13:54:47 +02:00
Gilles Peskine
23cc2ff9a8 Add support for non-default-tag-size AEAD (CCM and GCM) 2018-10-08 14:42:11 +02:00
Gilles Peskine
edf9a6576d Refactor AEAD setup into a common function
There was a lot of repetition between psa_aead_encrypt and
psa_aead_decrypt. Refactor the code into a new function psa_aead_setup.
The new code should behave identically except that in some cases where
multiple error conditions apply, the code may now return a different
error code.

Internally, I rearranged some of the code:

* I removed a check that the key type was in CATEGORY_SYMMETRIC because
  it's redundant with mbedtls_cipher_info_from_psa which enumerates
  supported key types explicitly.
* The order of some validations is different to allow the split between
  setup and data processing. The code now calls a more robust function
  psa_aead_abort in case of any error after the early stage of the setup.
2018-10-08 14:42:11 +02:00
Gilles Peskine
d911eb7915 Add support for truncated MAC algorithms 2018-10-08 14:42:11 +02:00
Gilles Peskine
159ebf3b8e
Merge pull request #142 from ARMmbed/psa-metadata_validation
Algorithm and key type encoding validation
2018-09-24 10:38:39 +02:00
Jaeden Amero
3bfe5f0388
Merge pull request #150 from ARMmbed/psa-rsa-verify-error
Don't return INVALID_PADDING on an invalid RSA signature
2018-09-21 16:15:10 +01:00
Jaeden Amero
40363fe3f5
Merge pull request #139 from ARMmbed/psa-PSA_ALG-block_cipher_padding
Correct and simplify block-based cipher modes
2018-09-21 09:38:27 +01:00
Gilles Peskine
00709fafb8 Rename PSA_ALG_HMAC_HASH to PSA_ALG_HMAC_GET_HASH
Be consistent with other GET_HASH macros.
2018-09-20 12:00:21 +02:00
Gilles Peskine
daea26f70f Correct and simplify block-based cipher modes
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.

Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
2018-09-20 11:58:22 +02:00
Gilles Peskine
ef12c63de0 RSA verification: don't report an invalid padding error
Mbed TLS distinguishes "invalid padding" from "valid padding but the
rest of the signature is invalid". This has little use in practice and
PSA doesn't report this distinction. We just report "invalid
signature".
2018-09-17 14:33:43 +02:00
itayzafrir
90d8c7a728 Ensure the module is initialized in key based functions 2018-09-16 12:15:47 +03:00
itayzafrir
0adf0fc31c Ensure the module is initialized in psa_generate_random 2018-09-16 12:15:46 +03:00
Gilles Peskine
78b3bb670d Change the bitwise encoding of key type categories
There were only 5 categories (now 4). Reduce the category mask from 7
bits to 3.

Combine unformatted, not-necessarily-uniform keys (HMAC, derivation)
with raw data.

Reintroduce a KEY_TYPE_IS_UNSTRUCTURED macro (which used to exist
under the name KEY_TYPE_IS_RAW_DATA macro) for key types that don't
have any structure, including both should-be-uniform keys (such as
block cipher and stream cipher keys) and not-necessarily-uniform
keys (such as HMAC keys and secrets for key derivation).
2018-09-14 10:02:29 +01:00
itayzafrir
534bd7c33b Add missing calls to psa_cipher_abort in cipher functions 2018-09-14 10:02:29 +01:00
itayzafrir
40835d4e56 Add missing calls to psa_hash_abort in hash functions 2018-09-14 10:02:29 +01:00
Jaeden Amero
df3b74f168 Merge pull request #125 from ARMmbed/key_slot_index-fix
Fix off-by-one errors in key slot index limits
2018-09-14 10:02:29 +01:00
Gilles Peskine
9a05634558 psa_crypto_free: destroy the last slot
The last slot in the array was not freed due to an off-by-one error.

Amend the fill_slots test to serve as a non-regression test for this
issue: without this bug fix, it would cause a memory leak.
2018-09-14 10:02:29 +01:00
Gilles Peskine
996deb18cc Fix buffer overflow in the slot array
Slots are numbered from 1, but the slot array is a C array so it's
numbered from 0.

Add a non-regression test.
2018-09-14 10:02:29 +01:00
Darryl Green
9e2d7a09f1 Add ifdefs for psa_internal_export_key function
MBEDTLS_PK_WRITE_C only requires either MBEDTLS_RSA_C or MBEDTLS_ECP_C to be defined.
Added wrappers to handle the cases where only one has been defined.
Moved mbedtls_pk_init to be within the ifdefs, so it's only called if appropriate.
2018-09-14 10:02:28 +01:00
Darryl Green
8800136156 Fix key parameter in psa_key_derivation to use correct type 2018-09-14 10:02:28 +01:00
Darryl Green
8f8aa8f931 Add ifdef for MBEDTLS_ECP_C around ecc_group_to_psa functions
These are unused if MBEDTLS_ECP_C isn't defined.
2018-09-14 10:02:28 +01:00
Darryl Green
5cc689a821 Add handling for (sometimes) unused parameters 2018-09-14 10:02:28 +01:00
Gilles Peskine
9f900a8b25 Merge pull request #105 from ARMmbed/psa-derive_hkdf
PSA key derivation: simple-ish interface, HKDF
2018-09-12 16:50:07 +03:00
Gilles Peskine
08542d8037 Fix psa_generator_import_key for DES
In psa_generator_import_key, if generating a DES or 3DES key, set the
parity bits.

Add tests for deriving a DES key. Also test deriving an AES key while
I'm at it.
2018-09-12 16:50:07 +03:00
Gilles Peskine
d54931c7c4 HKDF: be more robust if we reach the maximum ouptut length
In psa_generator_hkdf_read, return BAD_STATE if we're trying to
construct more output than the algorithm allows. This can't happen
through the API due to the capacity limit, but it could potentially
happen in an internal call.

Also add a test case that verifies that we can set up HKDF with its
maximum capacity and read up to the maximum capacity.
2018-09-12 16:50:05 +03:00
Gilles Peskine
bef7f14f8e Implement HKDF 2018-09-12 16:44:05 +03:00
Gilles Peskine
ea0fb4975c Add framework for simple key derivation
New key type PSA_KEY_TYPE_DERIVE. New usage flag PSA_KEY_USAGE_DERIVE.
New function psa_key_derivation.

No key derivation algorithm is implemented yet. The code may not
compile with -Wunused.

Write some unit test code for psa_key_derivation. Most of it cannot be
used yet due to the lack of a key derivation algorithm.
2018-09-12 16:44:04 +03:00
Gilles Peskine
eab56e4159 Add generator API
Add an API for byte generators: psa_crypto_generator_t,
PSA_CRYPTO_GENERATOR_INIT, psa_crypto_generator_init,
psa_get_generator_capacity, psa_generator_read,
psa_generator_import_key, psa_generator_abort.

This commit does not yet implement any generator algorithm, it only
provides the framework. This code may not compile with -Wunused.
2018-09-12 16:41:12 +03:00
Gilles Peskine
9aa369eafb HMAC: improve robustness checks on hash/block size
In psa_mac_setup and psa_hmac_setup_internal, perform a sanity check
on the hash size and the hash block size respectively. These sanity
checks should only trigger on an incompletely or incorrectly
implemented hash function.

Remove the check on the block size in psa_hmac_finish_internal
because at this point it has already been checked and used.
2018-09-12 16:41:12 +03:00
Gilles Peskine
1e6bfdff5e psa_hmac_setup_internal: fix double call of psa_hash_setup
In the common case (key no longer than the block size), psa_hash_setup
was being called twice in succession. With current implementations
this is just a small performance loss, but potentially with
alternative implementations this could have lead to a memory leak.
2018-09-12 16:41:12 +03:00
Gilles Peskine
b3fc05d776 psa_asymmetric_{encrypt,decrypt}: reject salt when not allowed
In psa_asymmetric_encrypt and psa_asymmetric_decrypt, if the algorithm
does not use a salt, require the salt to be empty.
2018-09-12 16:41:12 +03:00
Gilles Peskine
ff94abdf3a Make psa_hmac_setup_internal more standalone
Call psa_hash_setup in psa_hmac_setup_internal rather than
psa_mac_init. This makes it easier to use psa_hmac_setup_internal on
its own (for the sake of using HMAC internally inside the library).
2018-09-12 16:41:12 +03:00
Gilles Peskine
b8be288374 psa_hmac_setup_internal: add some missing cleanup on failure
Clean ipad if hashing the key failed.
2018-09-12 16:41:12 +03:00
Gilles Peskine
9688997301 MAC setup: support 0-length HMAC key
Avoid undefined behavior when using a 0-length HMAC key (Asan
complained).
2018-09-12 16:41:12 +03:00
Gilles Peskine
072ac56a03 Implement OAEP
Implement RSAES-OAEP encryption and decryption.

Test it to the same level as PKCS#1 v1.5.
2018-09-12 16:41:12 +03:00
Gilles Peskine
01126fae7f Isolate HMAC code into its own functions
Create internal functions for HMAC operations. This prepares for two
things: separating crypto-sensitive code from argument decoding and
validation, and using HMAC for other purposes than a MAC inside the
library (e.g. HMAC_DRBG, HKDF).

No intended observable behavior change in this commit.
2018-09-12 16:41:12 +03:00
Gilles Peskine
71ac7b11a7 Allow RSA PSS with any input size
Although RSASSA-PSS defines its input as a message to be hashed, we
implement a sign-the-hash function. This function can take an input
which isn't a hash, so don't restrict the size of the input, any more
than Mbed TLS does.

Remove a redundant check that hash_length fits in unsigned int for the
sake of Mbed TLS RSA functions.

Test that PSS accepts inputs of various lengths. For PKCS#1 v1.5
signature in raw mode, test the maximum input length.
2018-09-12 16:41:12 +03:00
Gilles Peskine
94e44540ff psa_hash_update: robustify the case length=0
Don't require hash implementations to behave correctly on a
zero-length input, which may have an invalid pointer.
2018-09-12 16:41:12 +03:00
Gilles Peskine
af89fd771e psa_import_key: split RSA and ECP code into small functions
No intended behavior change except that some edge cases may have
swapped between INVALID_ARGUMENT and NOT_SUPPORTED.
2018-09-12 16:41:11 +03:00
Gilles Peskine
d8008d6dfe New macro PSA_KEY_TYPE_IS_RSA 2018-09-12 16:41:11 +03:00
Gilles Peskine
35da9a2f2e In psa_asymmetric_encrypt, allow public keys
The code was accepting key pairs only, even though encryption doesn't
require the private key.
2018-09-12 16:41:11 +03:00
Gilles Peskine
4c317f4b4c generate_key: define a structure type for RSA extra parameters 2018-09-12 16:41:11 +03:00
Gilles Peskine
53d991e655 generate_key: rename \p parameters to \p extra
\p parameters is a confusing name for a function parameter. Rename it
to \p extra.
2018-09-12 16:41:11 +03:00
Gilles Peskine
630a18a51e Don't break the rsa context abstraction
This would fail on alternative implementation.
2018-09-12 16:41:11 +03:00
Gilles Peskine
3ff2162d14 Remove salt from asymmetric_{sign,verify}
No common signature algorithm uses a salt (RSA-PKCS#1v1.5, RSA-PSS,
DSA, ECDSA, EdDSA). We don't even take an IV for MAC whereas MAC
algorithms with IV are uncommon but heard of. So remove the salt
parameter from psa_asymmetric_sign and psa_asymmetric_verify.
2018-09-12 16:41:11 +03:00
Gilles Peskine
aa7bc47f73 Add missing const on policy_get_xxx function parameter 2018-09-12 16:41:11 +03:00
Gilles Peskine
5d1888ebc5 Rename PSA_ALG_STREAM_CIPHER -> PSA_ALG_STREAM_CIPHER_BASE
Follow the usual naming convention: PSA_ALG_xxx_BASE for a constant
that isn't an algorithm, just used to build one.
2018-09-12 16:41:11 +03:00
Jaeden Amero
0794936411 Merge pull request #102 from ARMmbed/dev/Patater/fix-allsh
Fix various issues caught by all.sh
2018-09-12 16:41:11 +03:00
Jaeden Amero
b4fa8c9c6d psa: Fix Doxygen comment on psa_get_key_from_slot
We failed all.sh on the "test: doxygen markup outside doxygen blocks" due
to doxygen markup being outside a Doxygen block. Add an extra `*` to the
psa_get_key_from_slot comment to denote the comment as a Doxygen comment.
2018-09-12 16:41:11 +03:00
Gilles Peskine
fe11951c16 Rename psa cipher functions to psa_cipher_xxx
Make function names for multipart operations more consistent (cipher
edition).

Rename symmetric cipher multipart operation functions so that they all
start with psa_cipher_:

* psa_encrypt_setup -> psa_cipher_encrypt_setup
* psa_decrypt_setup -> psa_cipher_decrypt_setup
* psa_encrypt_set_iv -> psa_cipher_set_iv
* psa_encrypt_generate_iv -> psa_cipher_generate_iv
2018-09-12 16:41:11 +03:00
Gilles Peskine
2a91d612f5 Merge remote-tracking branch 'psa/pr/94' into feature-psa 2018-09-12 16:41:11 +03:00
Gilles Peskine
fbfac6867b Simplify algorithm checking logic in MAC functions
Use if-else-if chains rather than switch because many blocks apply to
a class of algoritmhs rather than a single algorithm or a fixed set
of algorithms.

Call abort on more error paths that were missed earlier.
2018-09-12 16:41:11 +03:00
Janos Follath
279ab8e69b Prevent leaking plaintext in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine
5d0b864944 Streamline cleanup logic in MAC finish
Reorganize error handling code in psa_mac_finish_internal,
psa_mac_sign_finish and psa_mac_verify finish to ensure that:

* psa_mac_abort() is always called, on all success and error paths.
* psa_mac_finish places a safe value in the output parameters on
  all error paths, even if abort fails.
2018-09-12 16:41:11 +03:00
Janos Follath
315b51c22d Fix memory leak in psa_cipher_finish() 2018-09-12 16:41:11 +03:00
Gilles Peskine
89167cb597 Split psa_mac_setup -> psa_mac_{sign,verify}_setup
Make function names for multipart operations more consistent (MAC
setup edition).

Split psa_mac_setup into two functions psa_mac_sign_setup and
psa_mac_verify_setup. These functions behave identically except that
they require different usage flags on the key. The goal of the split
is to enforce the key policy during setup rather than at the end of
the operation (which was a bit of a hack).

In psa_mac_sign_finish and psa_mac_verify_finish, if the operation is
of the wrong type, abort the operation before returning BAD_STATE.
2018-09-12 16:41:11 +03:00
Gilles Peskine
acd4be36fa Rename psa_mac_{finish,verify} -> psa_mac_{sign,verify}_finish
Make function names for multipart operations more consistent (MAC
finish edition).
2018-09-12 16:41:11 +03:00
Gilles Peskine
da8191d1cd Rename psa_hash_start -> psa_hash_setup
Make function names for multipart operations more consistent (hash
edition).
2018-09-12 16:41:11 +03:00
Gilles Peskine
ab1d7ab89f Don't call psa_get_key_information internally
When you have a key slot pointer, read the key type directly, and call
psa_get_key_bits to get the bit size.
2018-09-12 16:41:11 +03:00
Mohammad Abo Mokh
a5c7b7d0dd Style fixes 2018-09-12 16:41:11 +03:00
Gilles Peskine
b870b188ad New internal function psa_get_key_bits
Isolate the code of psa_get_key_information that calculates the bit
size of a key into its own function which can be called by functions
that have a key slot pointer.
2018-09-12 16:41:11 +03:00
mohammad1603
2701005b46 Modifications for psa-crypto in order to integrate with SPM
Add required includes in tests and psa_crypto.c file in order to be able to compilef for the SPM solution.
Some functions needed to be deprecated from psa_crypto.c since they already implemented in the SPM.
2018-09-12 16:41:11 +03:00
Gilles Peskine
b0b255c82a Always access key slots through accessor functions
New functions psa_get_key_slot(), psa_get_empty_key_slot(),
psa_get_key_from_slot() to access a key slot object from a key slot
number. These functions perform all requisite validations:

* psa_get_key_slot() verifies that the key slot number is in range.
* psa_get_empty_key_slot() verifies that the slot is empty.
* psa_get_key_from_slot() verifies that the slot contains a key with
  a suitable policy.

Always use these functions so as to make sure that the requisite
validations are always performed.
2018-09-12 16:41:11 +03:00
Gilles Peskine
1d96fff61a In psa_mac_finish, write a safe output even in the BAD_STATE case 2018-09-12 16:41:11 +03:00
Gilles Peskine
aee13338b3 Fix safe output length in hash and mac finish
In psa_hash_finish and psa_mac_finish_internal, set the fallback
output length (which is reported on error) to the output buffer size,
not to the _expected_ buffer size which could be larger.
2018-09-12 16:41:11 +03:00
Gilles Peskine
1ae051409f Fix memory leak when importing an RSA key that is too large 2018-09-12 16:41:11 +03:00
Gilles Peskine
46f1fd7afd Handle null pointers safely when used as buffers of size 0
When the size of a buffer is 0, the corresponding pointer argument may
be null. In such cases, library functions must not perform arithmetic
on the pointer or call standard library functions such as memset and
memcpy, since that would be undefined behavior in C. Protect such
cases.

Refactor the storage of a 0-sized raw data object to make it store a
null pointer, rather than depending on the behavior of calloc(1,0).
2018-09-12 16:41:11 +03:00
Jaeden Amero
bbf97e3cf1 psa: Pass hash_length with explicit types
The RSA module uses unsigned int for hash_length. The PSA Crypto API
uses size_t for hash_length. Cast hash_length to unsigned int when
passed to the hash module.
2018-09-12 16:41:11 +03:00
Jaeden Amero
23bbb757ad psa: Pass the number of bits with explicit types
The GCM, CCM, RSA, and cipher modules inconsistently use int or unsigned
int for a count of bits. The PSA Crypto API uses size_t for counting
things. This causes issues on LLP64 systems where a size_t can hold more
than an unsigned int. Add casts for where key_bits and bits are passed to
mbedtls_* APIs.
2018-09-12 16:41:11 +03:00
Jaeden Amero
5390f69590 psa: Use type of block_size consistently
Use size_t for block_size in psa_mac_abort() because
psa_get_hash_block_size() returns a size_t. This also helps to avoid
compiler warnings on LLP64 systems.
2018-09-12 16:41:11 +03:00
Jaeden Amero
045bd50a78 psa: Use key slot type in mbedtls_psa_crypto_free()
To avoid a possible loss of precision, and to be semantically correct,
use psa_key_slot_t (which is 16 bits) instead of size_t (which is 32 or
64 bits on common platforms) in mbedtls_psa_crypto_free().
2018-09-12 16:41:11 +03:00
Jaeden Amero
65fb236799 psa: Make psa_set_key_lifetime() match declaration
Previously, the psa_set_key_lifetime() implementation did not match the
function declaration in psa/crypto.h. Value types don't need const,
since they are passed by value. Fix psa_set_key_lifetime()
implementation by making it match its declaration in the header.
2018-09-12 16:41:11 +03:00
Gilles Peskine
af3baabd05 Define max sizes for MAC and signatures
This requires defining a maximum RSA key size, since the RSA key size
is the signature size. Enforce the maximum RSA key size when importing
or generating a key.
2018-09-12 16:41:11 +03:00
Gilles Peskine
a26ff6a290 psa_asymmetric_sign: consistently fill unused output with '!'
Fill the unused part of the output buffer with '!', for consistency
with hash and mac.

On error, set the output length to the output buffer size and fill the
output buffer with '!', again for consistency with hash and mac. This
way an invalid output is more visible in a memory dump.

Restructure the error paths so that there is a single place where the
unused part of the output buffer is filled.

Also remove a redundant initialization of *signature_length to 0.
2018-09-12 16:41:11 +03:00
Gilles Peskine
2b450e3a01 Factor RSA sign/verify code into its own functions
This makes the functions smaller and makes error paths easier to read.
2018-09-12 16:41:11 +03:00
Gilles Peskine
eae6eee24c Change ECDSA signature representation to r||s
Change the representation of an ECDSA signature from the ASN.1 DER
encoding used in TLS and X.509, to the concatenation of r and s
in big-endian order with a fixed size. A fixed size helps memory and
buffer management and this representation is generally easier to use
for anything that doesn't require the ASN.1 representation. This is
the same representation as PKCS#11 (Cryptoki) except that PKCS#11
allows r and s to be truncated (both to the same length), which
complicates the implementation and negates the advantage of a
fixed-size representation.
2018-09-12 16:41:11 +03:00
Gilles Peskine
a81d85b732 Sort out ECDSA mechanisms
* Distinguish randomized ECDSA from deterministic ECDSA.
* Deterministic ECDSA needs to be parametrized by a hash.
* Randomized ECDSA only uses the hash for the initial hash step,
  but add ECDSA(hash) algorithms anyway so that all the signature
  algorithms encode the initial hashing step.
* Add brief documentation for the ECDSA signature mechanisms.
* Also define DSA signature mechanisms while I'm at it. There were
  already key types for DSA.
2018-09-12 16:24:51 +03:00
Gilles Peskine
526fab0066 Fix parameter name signature_size for psa_asymmetric_verify
It should have been signature_length, following our conventions.
2018-09-12 16:24:51 +03:00
Gilles Peskine
e9191ff90b Add missing const for signature parameter of psa_asymmetric_verify 2018-09-12 16:24:51 +03:00
Gilles Peskine
55bf3d1171 Sort out RSA mechanisms
* PSS needs to be parametrized by a hash.
* Don't use `_MGF1` in the names of macros for OAEP and PSS. No one
  ever uses anything else.
* Add brief documentation for the RSA signature mechanisms.
2018-09-12 16:24:51 +03:00
Gilles Peskine
7ed29c56f1 Rename PSA_ALG_RSA_GET_HASH to PSA_ALG_SIGN_GET_HASH
And don't use it for HMAC when there's a perfectly serviceable
PSA_ALG_HMAC_HASH. HMAC isn't hash-and-sign.
2018-09-12 16:24:50 +03:00
Gilles Peskine
c648d6949d psa_import_key: fix memory leak on error
Free the content of the pk object if an error occurs after the import.
2018-09-12 16:24:50 +03:00
Jaeden Amero
f24c7f80a0 psa_export_key: Always set a valid data length
Make psa_export_key() always set a valid data_length when exporting,
even when there are errors. This makes the API easier to use for buggy
programs (like our test code).

Our test code previously used exported_length uninitialized when
checking to see that the buffer returned was all zero in import_export()
in the case where an error was returned from psa_export_key().
Initialize exported_length to an invalid length, and check that it gets
set properly by psa_export_key(), to avoid this using export_length
uninitialized. Note that the mem_is_zero() check is still valid when
psa_export_key() returns an error, e.g. where exported_length is 0, as
we want to check that nothing was written to the buffer on error.

Out test code also previous passed NULL for the data_length parameter of
psa_export_key() when it expected a failure (in key_policy_fail()).
However, data_length is not allowed to be NULL, especially now that we
write to data_length from psa_export_key() even when there are errors.
Update the test code to not pass in a NULL data_length.
2018-09-12 16:24:50 +03:00
Gilles Peskine
8173631d7e psa_hash_abort: return PSA_SUCCESS if alg=0
Make psa_hash_abort consistent with psa_mac_abort and
psa_cipher_abort.

Add a comment explaining the reasoning.
2018-09-12 16:24:50 +03:00
Gilles Peskine
f9c2c09810 In abort functions, return BAD_STATE on obviously bad input
psa_hash_abort, psa_mac_abort and psa_cipher_abort now return
PSA_ERROR_BAD_STATE if operation->alg is obviously not valid, which
can only happen due to a programming error in the caller or in the
library. We can't detect all cases of calling abort on uninitialized
memory but this is dirt cheap and better than nothing.
2018-09-12 16:24:50 +03:00
Gilles Peskine
48c0ea14c6 Remove PSA_KEY_TYPE_IS_RAW_BYTES from crypto.h
It isn't used to define other macros and it doesn't seem that useful
for users. Remove it, we can reintroduce it if needed.

Define a similar function key_type_is_raw_bytes in the implementation
with a clear semantics: it's a key that's represented as a struct
raw_data.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9ad29e2bee Add what little was missing to fully support DES
Also add what was missing in the test suite to support block ciphers
with a block size that isn't 16.

Fix some buggy test data that passed only due to problems with DES
support in the product.
2018-09-12 16:24:50 +03:00
Gilles Peskine
9a94480685 Convert ERR_ASN1 error codes to PSA
This fixes the error code when psa_export_key on an asymmetric key
reports that the output buffer is too small.
2018-09-12 16:24:50 +03:00
Gilles Peskine
b54979a297 Refuse non-byte-sized raw data keys
Since the key size is stored in bytes, we can't have a key whose size
isn't a whole number of bytes.
2018-09-12 16:24:50 +03:00
Gilles Peskine
c06e07128c Favor INVALID_ARGUMENT over NOT_SUPPORTED for bad algorithm types
In psa_hash_start, psa_mac_start and psa_cipher_setup, return
PSA_ERROR_INVALID_ARGUMENT rather than PSA_ERROR_NOT_SUPPORTED when
the algorithm parameter is not the right category.
2018-09-12 16:23:54 +03:00
Gilles Peskine
248051acb6 Add missing #ifdef guards around psa_hmac_start 2018-09-12 16:23:54 +03:00
Gilles Peskine
16c0f4f787 Fix potential memory corruption on MAC/cipher setup failure
When psa_mac_start(), psa_encrypt_setup() or psa_cipher_setup()
failed, depending on when the failure happened, it was possible that
psa_mac_abort() or psa_cipher_abort() would crash because it would try
to call a free() function uninitialized data in the operation
structure. Refactor the functions so that they initialize the
operation structure before doing anything else.

Add non-regression tests and a few more positive and negative unit
tests for psa_mac_start() and psa_cipher_setup() (the latter via
psa_encrypt_setip()).
2018-09-12 16:23:53 +03:00
Gilles Peskine
12313cd84c Implement psa_generate_key: AES, DES, RSA, ECP
In the test cases, try exporting the generated key and perform sanity
checks on it.
2018-09-12 16:22:51 +03:00
Gilles Peskine
e66ca3bbf3 psa_export_key: zero out potential garbage in the output buffer
In psa_export_key, ensure that each byte of the output buffer either
contains its original value, is zero, or is part of the actual output.
Specifically, don't risk having partial output on error, and don't
leave extra data at the end of the buffer when exporting an asymmetric
key.

Test that exporting to a previously zeroed buffer leaves the buffer
zeroed outside the actual output if any.
2018-09-12 16:22:51 +03:00
Gilles Peskine
0e2315859f psa_export_key: fix asymmetric key in larger buffer
Exporting an asymmetric key only worked if the target buffer had
exactly the right size, because psa_export_key uses
mbedtls_pk_write_key_der or mbedtls_pk_write_pubkey_der and these
functions write to the end of the buffer, which psa_export_key did not
correct for. Fix this by moving the data to the beginning of the
buffer if necessary.

Add non-regression tests.
2018-09-12 16:22:51 +03:00
Gilles Peskine
05d69890ee Implement psa_generate_random 2018-09-12 16:22:51 +03:00
Gilles Peskine
0ff4b0f7f9 psa_import_key: validate symmetric key size
When importing a symmetric key, validate that the key size is valid
for the given key type.

Non-supported key types may no longer be imported.
2018-09-12 16:22:51 +03:00
Gilles Peskine
e3b07d81d6 Fix build without CMAC
Add missing guard for MBEDTLS_CMAC_C.
2018-09-12 16:22:51 +03:00
Gilles Peskine
828ed149d5 Rename MBEDTLS_xxx macros in psa_crypto.c to placate check-names.sh 2018-09-12 16:22:51 +03:00
Gilles Peskine
34ef7f5a55 Check the curve of an elliptic curve key on import
psa_import_key must check that the imported key data matches the
expected key type. Implement the missing check for EC keys that the
curve is the expected one.
2018-09-12 16:19:04 +03:00
Gilles Peskine
b3e6e5deeb Rename hash max sizes for consistency
Use "hash" throughout the library, not "md" as in Mbed TLS.
2018-09-12 16:19:04 +03:00
Gilles Peskine
7bcfc0a9ae Be more consistent about blank lines 2018-09-12 16:18:04 +03:00
Gilles Peskine
803ce7402a Change sizeof(type) to sizeof(variable) 2018-09-12 16:18:04 +03:00
Gilles Peskine
c1bb6c8dcc Formatting improvements
Avoid lines longer than 80 columns.

Remove some redundant parentheses, e.g. change
    if( ( a == b ) && ( c == d ) )
to
    if( a == b && c == d )
which makes lines less long and makes the remaining parentheses more
relevant.

Add missing parentheses around return statements.

There should be no semantic change in this commit.
2018-09-12 16:18:02 +03:00
Gilles Peskine
2d2778650b Normalize whitespace
Normalize whitespace to Mbed TLS standards. There are only whitespace
changes in this commit.
2018-09-12 16:15:52 +03:00
Gilles Peskine
6de7a179c8 Fix file permissions
Some files were marked as executable but shouldn't have been.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
aa5aea0bac fix spaces and add braces 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
e9664c30f0 space and style fixes 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
9627241beb change macro PSA_HASH_BLOCK_SIZE to function psa_get_hash_block_size 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
5ca6547b77 Renamed hmac_ctx to opad and removed null check.
this array is now part of the struct and not dynamically allocated
so it can't be null.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
caec7f0c49 Fix rename issue missed by re-base 2018-09-12 16:13:49 +03:00
Gilles Peskine
d223b52a9a psa_hmac_start: reduce stack usage
Store the temporary key in the long-key case (where the key is first
hashed) directly into ipad. This reduces the stack usage a little, at
a slight cost in complexity.
2018-09-12 16:13:49 +03:00
Gilles Peskine
6a0a44e167 HMAC: clean up local variables containing key material
In psa_mac_start, the hash of the key and ipad contain material that
can be used to make HMAC calculations with the key, therefore they
must be wiped.

In psa_mac_finish_internal, tmp contains an intermediate value which
could reveal the HMAC. This is definitely sensitive in the verify case,
and marginally sensitive in the finish case (it isn't if the hash
function is ideal, but it could make things worse if the hash function
is partially broken).
2018-09-12 16:13:49 +03:00
Gilles Peskine
c102e3ce4b psa_hmac_start: simplify key_length logic in hash-the-key case 2018-09-12 16:13:49 +03:00
Gilles Peskine
e1bc6800cc psa_hmac_start: remove useless casts 2018-09-12 16:13:49 +03:00
Gilles Peskine
7e454bc19f Split out CMAC and HMAC code into auxiliary functions
Split algorithm-specific code out of psa_mac_start. This makes the
function easier to read.

The behavior is mostly unchanged. In a few cases, errors before
setting a key trigger a context wipe where they didn't. This is a
marginal performance loss but only cases that are an error in caller
code.
2018-09-12 16:13:49 +03:00
Gilles Peskine
99bc649760 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-12 16:13:49 +03:00
Gilles Peskine
ef057ac8ed Remove dead code
Remove an unused function and an unused variable. Now the code builds
with gcc -Wall -Wextra -Werror.
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
084832d65f replace get_block_size_from_hash_algorithm with PSA_HASH_BLOCK_SIZE macro 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
35dfbf4601 change hmac context to use statically allocated memory
1. removed dynamic allocation of stack context
2. moved ipad to stack
3. added defines for maximal sizes
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
0c9ec53a10 remove reliance on md_info context for hash information
1. remove reliance on md_info context for hash information by decoding locally
2. remove block_size field in context as this is dynamically computed
2018-09-12 16:13:49 +03:00
Nir Sonnenschein
eeace0bf7f Code style fix : changed keylen to key_length 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
7810be273a Code correction: remove unneeded sizeof 2018-09-12 16:13:49 +03:00
Nir Sonnenschein
dcd636a73f Commit changes to hmac to not use MD abstraction
this PR is part of efforts to use "lower level" mbedTLS APIs vs "higher level" abstract APIs.
2018-09-12 16:13:49 +03:00
Gilles Peskine
8605428dcf Merge remote-tracking branch 'psa/pr/27' into feature-psa 2018-09-05 12:46:19 +03:00
Gilles Peskine
c4def2f228 Add input length check in psa_asymmetric_decrypt
Remove output size check which is not needed here and was copypasta.

Add non-regression tests.
2018-09-05 12:44:18 +03:00
Gilles Peskine
b75e4f1314 Remove ECC boilerplate in asymmetric encrypt/decrypt
We don't have any encryption algorithm using ECC keys at the moment.
2018-09-05 12:44:17 +03:00
Gilles Peskine
beb4948d10 Add RSA PSS verification (untested) 2018-09-05 12:44:17 +03:00
Gilles Peskine
625b01c9c3 Add OAEP placeholders in asymmetric encrypt/decrypt
Replace PSS placeholders by OAEP placeholders. PSS is a signature
algorithm, not an encryption algorithm.

Fix typo in PSA_ALG_IS_RSA_OAEP_MGF1.
2018-09-05 12:44:17 +03:00
Gilles Peskine
8b18a4fef3 Rename verify_RSA_hash_input_and_get_md_type
Give it a shorter name that's more in line with our naming conventions.
2018-09-05 12:44:17 +03:00
Gilles Peskine
61b91d4476 Normalize whitespace to Mbed TLS standards
Only whitespace changes in this commit.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
1c2a7ea4e2 Allow psa_asymmetric_verify and psa_asymmetric_encrypt to use public key only. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
d708260de4 add key policy enforcement implementation
add checks that keys have been set for the correct usage for asymmetric
functions.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
ca466c89b0 Set output length to safe value 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
c460291714 Re-Add ECC verification code which was not properly merged in re-base. 2018-09-05 12:44:17 +03:00
Nir Sonnenschein
4db79eb36b Extract common code
Make code easier to maintain.
2018-09-05 12:44:17 +03:00
Nir Sonnenschein
717a040df5 Remove duplicate / unneeded code
1. remove duplicate function introduced by re-base
2. remove unneeded code
2018-09-05 12:44:17 +03:00
Gilles Peskine
5b051bc608 Remove trailing whitespace
Only horizontal whitespace changes in this commit.
2018-09-05 12:44:12 +03:00
Gilles Peskine
6afe789d4c Finish renaming around PSA_ALG_IS_RSA_PKCS1V15
Now the code compiles. Some OAEP and PSS macros may still need to be fixed.
2018-09-05 12:41:53 +03:00
Gilles Peskine
d6125ca63b Merge remote-tracking branch 'psa/pr/24' into feature-psa 2018-09-05 12:41:53 +03:00
Nir Sonnenschein
4f594eca40 remove check for key pair (public key should be enough for verification) 2018-09-05 12:41:53 +03:00
Nir Sonnenschein
7f5a31915b code fixes for internal code review:
1. change to correct error code
2. removed unneeded comment
2018-09-05 12:41:53 +03:00
Nir Sonnenschein
39e59144f6 added support for PKCSv1.5 signature verification and encryption/decryption and very basic tests. 2018-09-05 12:41:53 +03:00
Gilles Peskine
bb1072f642 Fix use of mbedtls_cipher_info_from_psa
One branch added an extra argument, the other branch added a call of
this function. Pass the extra argument on the code from the other
branch.
2018-09-05 12:41:52 +03:00
Gilles Peskine
84861a95ca Merge remote-tracking branch 'psa/psa-wrapper-apis-aead' into feature-psa 2018-09-05 12:41:52 +03:00
Gilles Peskine
154bd95131 psa_destroy_key: return SUCCESS on an empty slot
Do wipe the slot even if it doesn't contain a key, to erase any metadata.
2018-09-05 12:41:52 +03:00
Gilles Peskine
71bb7b77f0 Switch PSA_HASH_FINAL_SIZE to PSA_HASH_SIZE
Make this macro work on derived algorithms as well (HMAC,
hash-and-sign, etc.).
2018-09-05 12:41:52 +03:00
mohammad1603
fc614b1e0e fix parentheses 2018-09-05 12:41:52 +03:00
mohammad1603
e109f21638 remove unnecessary check for block size 2018-09-05 12:41:52 +03:00
mohammad1603
a1d9801683 add slot validation 2018-09-05 12:41:52 +03:00
mohammad1603
e3cb8a8d8b return PSA_ERROR_BUFFER_TOO_SMALL intead of PSA_ERROR_INVALID_ARGUMENT 2018-09-05 12:41:52 +03:00
mohammad1603
6b4d98cf78 remove trailing spaces 2018-09-05 12:41:52 +03:00
mohammad1603
5ed0621dd4 aligned with coding standards - line length 2018-09-05 12:41:52 +03:00
mohammad1603
f14394b25f add policy checks 2018-09-05 12:41:52 +03:00
mohammad1603
96910d807e fix block size depending on algorithm 2018-09-05 12:41:51 +03:00
mohammad1603
60a64d079a remove unnecessary argument to the psa_aead_unpadded_locate_tag function 2018-09-05 12:41:51 +03:00
mohammad1603
15223a8b89 write the tag directly on the ciphertext buffer. 2018-09-05 12:41:51 +03:00
mohammad1603
4fc744f8af change the check of block size for all supported algorithms 2018-09-05 12:41:51 +03:00
mohammad1603
0f21465175 use mbedtls_cipher_info_from_psa to get cipher ID 2018-09-05 12:41:51 +03:00
mohammad1603
f58aa6ade6 use memset instead of mbedtils_zeroize 2018-09-05 12:41:51 +03:00
mohammad1603
554faad260 return NOT_SUPPORTED instead of INVLID_ARGUMENT 2018-09-05 12:41:51 +03:00
mohammad1603
95893f834d remove usless cast 2018-09-05 12:41:51 +03:00
mohammad1603
f08a550e68 set output length to zero to cover output length in error case 2018-09-05 12:41:51 +03:00
mohammad1603
f4f0d612ba change mbedtls_cipher_info_from_psa to provide cipher_id also 2018-09-05 12:41:51 +03:00
mohammad1603
9375f8403a fix code offsets after rebase 2018-09-05 12:41:51 +03:00
Gilles Peskine
ee652a344c Fix psa_aead_decrypt to read the tag at the end of the ciphertext 2018-09-05 12:41:51 +03:00
Gilles Peskine
a40d77477d Whitespace fixes
Changed indentation to match Mbed TLS style. Wrapped some lines to 80 columns.
2018-09-05 12:41:51 +03:00
mohammad1603
39574652ae add else for not supported algorithm 2018-09-05 12:38:18 +03:00
mohammad1603
5c8845f563 return invalid argument for unsupported algorithms 2018-09-05 12:38:18 +03:00
mohammad1603
e58e68458e fix condition over key type 2018-09-05 12:38:18 +03:00
mohammad1603
17638efc46 remove unused variable 2018-09-05 12:38:18 +03:00
mohammad1603
dad36fa855 add Key and Algorithm validation 2018-09-05 12:38:18 +03:00
mohammad1603
a7e6df76ea Validation fixes for key_type 2018-09-05 12:38:18 +03:00
mohammad1603
4f5eb7cb54 Fill the the output buffer with zero data in case of failure 2018-09-05 12:38:18 +03:00
mohammad1603
6bbd8c75dc Remove unnecessary cast
Remove unnecessary cast
2018-09-05 12:38:18 +03:00
mohammad1603
db6247315f Parameters validation fixes
Fix key_type validation test and no need to ask for place for tag in decryption
2018-09-05 12:38:18 +03:00
mohammad1603
ce5cba9a6a unify the concatenation of the tag and update output length 2018-09-05 12:38:18 +03:00
mohammad1603
9e5a515aa8 Fix parameter validation 2018-09-05 12:38:18 +03:00
mohammad1603
47ddf3d544 Concatenate the tag to the output buffer
Concatenate the tag to the output buffer.
2018-09-05 12:38:18 +03:00
mohammad1603
5955c98779 Initial implementation of the AEAD decrypt/encrypt APIs
Initial implementation for the AEAD APIs, missing the following:
* Concatenation of the tag to the output buffer.
* Updated documentation of the new functions.
* argument validations
* tests
2018-09-05 12:38:18 +03:00
Gilles Peskine
3aa8efb230 Merge remote-tracking branch 'psa/psa-wrapper-apis-march-12' into feature-psa 2018-09-05 12:38:17 +03:00
Gilles Peskine
2c5219a06d Whitespace normalization
No semantic change.
2018-09-05 12:14:29 +03:00
Gilles Peskine
5351420b3e Use block local variable for padding_mode for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Moran Peker
7cb22b8327 abort operation before return + fix error checks 2018-09-05 12:14:29 +03:00
Gilles Peskine
89d789c9bc Refactor some argument checks for readability
No intended behavior change.
2018-09-05 12:14:29 +03:00
Gilles Peskine
7e9288520f Wrap lines to 80 columns 2018-09-05 12:14:29 +03:00
Gilles Peskine
e553c65cc3 Fix indentation and horizontal whitespace
Only whitespace changes in this commit.
2018-09-05 12:14:29 +03:00
Moran Peker
3520c2c4f7 unset iv_required to 0 (psa_encrypt_set_iv)and block_size (psa_cipher_setup) 2018-09-05 12:14:29 +03:00
Moran Peker
395db875e6 adjust indentation per Mbed TLS standards 2018-09-05 12:14:29 +03:00
Moran Peker
ae382791fb add missing psa_cipher_abort( operation ) 2018-09-05 12:14:28 +03:00
Moran Peker
70531163a9 fix compilation error - missing if 2018-09-05 12:14:28 +03:00
Moran Peker
a28258c594 adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
Moran Peker
2cab25aacf fix conditions in psa_cipher_finish function 2018-09-05 12:14:28 +03:00
Moran Peker
dc38ebc068 delete decrypt checks + fix memcpy& return value 2018-09-05 12:14:28 +03:00
Moran Peker
ad9d82cc0e add iv_required field to psa_cipher_operation_s and fix relevant functions 2018-09-05 12:14:28 +03:00
Moran Peker
71f19ae6f8 add missing call to psa_cipher_abort in cipher_setup func + iv_length check in cipher_set_iv func 2018-09-05 12:14:28 +03:00
Moran Peker
406008ab4c add missing check on output_size in psa_cipher_update func 2018-09-05 12:14:28 +03:00
Moran Peker
bed71a2b17 fix missing check on output_size in psa_cipher_finish func 2018-09-05 12:14:28 +03:00
Moran Peker
0071b873a3 add missing parameter output_size on psa_cipher_finish 2018-09-05 12:14:28 +03:00
Moran Peker
4c80d8331a adjust indentation per Mbed TLS standards 2018-09-05 12:14:28 +03:00
mohammad1603
b152d4d8b6 add test scenarios to decrypt and encrypt input and compare with given output 2018-09-05 12:14:28 +03:00
mohammad1603
89e0f468bf style 2018-09-05 12:14:28 +03:00
Moran Peker
41deec4494 partly pr fix 2018-09-05 12:14:28 +03:00
Moran Peker
e1210dcac3 remove unused parameter in psa_cipher_finish. 2018-09-05 12:14:28 +03:00
Moran Peker
3205a6592b tests fix 2018-09-05 12:14:28 +03:00
mohammad1603
16864af80b fix static function name 2018-09-05 12:14:28 +03:00
mohammad1603
8481e74ecc CR fixes
more fixes

Compilation fixes

Compilation fixes for PSA crypto code and tests
2018-09-05 12:14:28 +03:00
mohammad1603
efb0107fbe CR fix, remove exposing ECB 2018-09-05 12:14:27 +03:00
mohammad1603
990a18c2f0 add ecb to cipher algorithms 2018-09-05 12:14:27 +03:00
Gilles Peskine
5100318a92 Merge pull request #18 from ARMmbed/psa-wrapper-apis-export-publickey
Export public key implementation (#18)
2018-09-05 12:13:23 +03:00
mohammad1603
8275961178 warnings fixes 2018-09-05 12:13:23 +03:00
mohammad1603
503973bdf3 initial implementation for PSA symmetric APIs - missing tests and documentations 2018-09-05 12:13:23 +03:00
Moran Peker
8756763cf1 change error check on psa_internal_export_key func 2018-09-05 12:13:23 +03:00
Gilles Peskine
785fd55a39 Whitespace fixes; removed redundant parentheses
No semantic change.
2018-09-05 12:13:23 +03:00
Moran Peker
cceea98bfe adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
d732659867 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
17e36e1bd9 fix conditions 2018-09-05 12:13:23 +03:00
Moran Peker
6036432617 adjust indentation per Mbed TLS standards 2018-09-05 12:13:23 +03:00
Moran Peker
a998bc6ac9 psa_internal_export_key function for common code.
create psa_internal_export_key function for common code in psa_export_key and psa_export_public_key.
2018-09-05 12:13:22 +03:00
Moran Peker
5010828fb6 adjust indentation per Mbed TLS standards 2018-09-05 12:13:22 +03:00
Moran Peker
b4d0ddd2d3 psa_export_public_key 2018-09-05 12:13:20 +03:00
Moran Peker
dd4ea38d58 export public key 2018-09-05 12:10:47 +03:00
itayzafrir
7b30f8b0c9 Added handling for MBEDTLS_ERR_ECP_XXX error codes
Added handling for MBEDTLS_ERR_ECP_XXX error codes
2018-09-05 12:10:47 +03:00
itayzafrir
5c7533923a ECDSA sign and verify implementation and tests
ECDSA sign and verify implementation and tests
2018-09-05 12:10:47 +03:00
Gilles Peskine
a0655c3501 Merge remote-tracking branch 'psa/pr/13' into feature-psa
Conflicts:
	library/psa_crypto.c
	tests/suites/test_suite_psa_crypto.data
	tests/suites/test_suite_psa_crypto.function

All the conflicts are concurrent additions where the order doesn't
matter. I put the code from feature-psa (key policy) before the code
from PR #13 (key lifetime).
2018-09-05 12:10:43 +03:00
mohammad1603
ea0500936e Change behavior of psa_get_key_lifetime()
psa_get_key_lifetime() behavior changed regarding empty slots, now
it return the lifetime of and empty slots. Documentation in header
file updated accordingly.
2018-09-05 12:01:37 +03:00
mohammad1603
5d7ec2033d fix key lifetime set implementation , tests accordingly 2018-09-05 12:01:37 +03:00
mohammad1603
ba178511f4 Remove unused and duplicated erros, fix documentation and tests
Remove unused and duplicated erros, fix documentation and tests
2018-09-05 12:01:37 +03:00
mohammad1603
060ad8ac34 Compilation and tests fixes 2018-09-05 12:01:37 +03:00
mohammad1603
804cd71bf8 initial key lifetime implementation and tests 2018-09-05 12:01:37 +03:00
Gilles Peskine
c63b6ba754 Merge remote-tracking branch 'psa/pr/14' into feature-psa
Conflict resolution:

* `tests/suites/test_suite_psa_crypto.data`: in the new tests from PR #14,
  rename `PSA_ALG_RSA_PKCS1V15_RAW` to `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` as
  was done in PR #15 in the other branch.
2018-09-05 12:01:34 +03:00
Gilles Peskine
47c1bc0458 Correct some return codes 2018-09-05 11:53:26 +03:00
mohammad1603
38a622b68b Function psa_get_key_policy() now return policy value for empty slots
Function psa_get_key_policy() now return policy value for empty slots
2018-09-05 11:53:26 +03:00
mohammad1603
5feda72d7a Remove usage of PSA_ERROR_INVALID_KEY_POLICY
use PSA_ERROR_INVALID_ARGUMENT instead of INVALID_KEY_POLICY error
2018-09-05 11:53:26 +03:00
mohammad1603
6df908f234 Add static internal MAC finish function
add new psa_mac_finish_internal() to be called by psa_mac_finish() and
psa_mac_verify() in order to be able to check key usage separatly.
2018-09-05 11:53:26 +03:00
Gilles Peskine
a59262338a Rename PKCS1V15 to PKCS1V15_SIGN
There's PKCS1V15_CRYPT as well (to be added soon).
2018-09-05 11:53:26 +03:00
mohammad1603
4eed757901 add new test scenarios 2018-09-05 11:53:26 +03:00
mohammad1603
06e7920be5 integrate policy key usage in export and asymmetric sign functions 2018-09-05 11:53:26 +03:00
mohammad1603
8cc1ceec3e Key Policy APIs implementation 2018-09-05 11:53:26 +03:00
Gilles Peskine
dc2fc8443f Rename xxx_of_psa functions to xxx_from_psa
Be consistent with how similar functions are named in Mbed TLS.
2018-09-05 11:53:25 +03:00
Gilles Peskine
3c6e970752 Fix memory leak in psa_destroy_key 2018-09-05 11:53:25 +03:00
Gilles Peskine
6d9121381a Add some comments to document some non-obvious coding choices 2018-09-05 11:53:25 +03:00
Gilles Peskine
e4ebc12fcd psa_crypto_init: set the global initialized flag 2018-09-05 11:53:25 +03:00
Gilles Peskine
8c9def3e7f PSA: Implement MAC functions
Implement psa_mac_start, psa_mac_update and psa_mac_final.

Implement HMAC anc CMAC.

Smoke tests.
2018-09-05 11:53:25 +03:00
Gilles Peskine
9ef733faa0 Implement hash functions
New header file crypto_struct.h. The main file crypto.sh declares
structures which are implementation-defined. These structures must be
defined in crypto_struct.h, which is included at the end so that the
structures can use types defined in crypto.h.

Implement psa_hash_start, psa_hash_update and psa_hash_final. This
should work for all hash algorithms supported by Mbed TLS, but has
only been smoke-tested for SHA-256, and only in the nominal case.
2018-09-05 11:53:25 +03:00
Gilles Peskine
a590529938 Greatly expanded mbedtls_to_psa_error
It now covers most cryptography algorithm modules (missing: bignum,
DHM, everything ECC, HMAC_DRBG).
2018-09-05 11:53:24 +03:00
Gilles Peskine
93aa0334d9 PSA asymmetric signature: set *signature_length = 0 on failure 2018-09-05 11:53:24 +03:00
Gilles Peskine
20035e3579 PSA crypto: asymmetric signature (RSA PKCS#1v1.5 only)
Define hash algorithms and RSA signature algorithms.

New function psa_asymmetric_sign.

Implement psa_asymmetric_sign for RSA PKCS#1 v1.5.
2018-09-05 11:53:24 +03:00
Gilles Peskine
c66ea6a921 PSA key import: support RSA public keys
Use different key types for private keys and public keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine
969ac726d9 PSA RSA key import: don't rely on pk so much
Don't use the pk module except as required for pkparse/pkwrite. The
PSA crypto layer is meant to work alongside pk, not on top of it.

Fix the compile-time dependencies on RSA/ECP handling in
psa_export_key, psa_destroy_key and psa_get_key_information.
2018-09-05 11:53:24 +03:00
Gilles Peskine
2f9c4dc5ad Add key management functions
Define psa_key_type_t and a first stab at a few values.

New functions psa_import_key, psa_export_key, psa_destroy_key,
psa_get_key_information. Implement them for raw data and RSA.

Under the hood, create an in-memory, fixed-size keystore with room
for MBEDTLS_PSA_KEY_SLOT_COUNT - 1 keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine
e59236fc17 Add PSA crypto module
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.

Implement psa_crypto_init function which sets up a RNG.

Add a mbedtls_psa_crypto_free function which deinitializes the
library.

Define a first batch of error codes.
2018-09-05 10:59:00 +03:00