Commit graph

1299 commits

Author SHA1 Message Date
Paul Elliott
21c3951139 Add reference to mbedtls_ecp_set_max_ops() to docs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-16 12:15:39 +00:00
Paul Elliott
93d9ca83ea Move num_ops ECP abstraction fully into internal implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-16 12:15:39 +00:00
Paul Elliott
fe9e77ff7a Better formatting of include guard comments
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
84329464d5 Replace allocated hash buffer with array
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
c9774411d4 Ensure that operation is put into error state if error occurs
If an error occurs, calling any function on the same operation should return
PSA_ERROR_BAD_STATE, and we were not honouring that for all errors. Add extra
failure tests to try and ratify this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
f9c91a7fb5 Store the hash, rather than the pointer
For sign and verify, the pointer passed in to the hash is not guaranteed to
remain valid inbetween calls, thus we need to store the hash in the
operation. Added a test to ensure this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
1bc59df92c Rename curve_bytes to coordinate_bytes
Also remove unneeded instance from verify operation struct.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
ab7c5c8550 Change incorrect define for MAX_OPS_UNLIMITED
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
4ca521fcdb Remove obsolete comments
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
4684525ae9 Remove unrequired mpis from sign operation struct
These are only used at the output stage.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
a3a8abadff Fix operation initialisers if no algorithms defined
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
1b49ef5384 Fix abort documentation.
Make it clear that these functions reset the number of ops, and remove
statements that say they have no effect.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
90a91f041c Ensure structs are not empty even if ECDSA not supported
Also make previous changes apply to both interruptible sign hash operation
structures rather than just the one as it was.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
749dec54ef Clean up structure include guards
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
296ede99c9 Fix issues with get_{sign/verify}_num_ops
Move to accumulate ops in context rather than attempting to read straight out
of structures due to structure ops getting reset per operation, and also
issues with _abort clearing internal data. Fix usage of size_t in structures

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
588f8ed498 Add internal implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 23:34:29 +00:00
Paul Elliott
2d247923e5 Initial empty driver wrapper implementation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
Paul Elliott
1265f00494 First draft of PSA interruptible ECC signing design
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-15 12:13:17 +00:00
Gilles Peskine
ed73355d2e Make \retval commands non-empty
Pacify Clang >=15 which complained:
```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

This commit performs the following systematic replacement:
```
perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja')
```
i.e. add an `\emptydescription` argument to `\retval` commands (or
`@retval`, which we don't normally used) that are followed by a single word,
unless the next line looks like it contains text which would be the
description.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-14 19:21:09 +01:00
Gilles Peskine
bba2630549 Add ECJPAKE secret input types to psa/crypto_config.h
Add PSA_WANT_KEY_TYPE_PASSWORD and PSA_WANT_KEY_TYPE_PASSWORD_HASH to
psa/crypto_config.h, since the types PSA_KEY_TYPE_PASSWORD and
PSA_KEY_TYPE_PASSWORD_HASH are used by ECJPAKE.

The two key types are always enabled, like PSA_KEY_TYPE_DERIVE.

Add the key types to the metadata test suite as well.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:19 +01:00
Gilles Peskine
ecaa7ca507 Add missing supported algorithm to psa/crypto_config.h
The following shell command lists features that seem to be supported, but
are missing from include/psa/crypto_config.h:
```
for x in $(grep -ho -Ew '(PSA_WANT|MBEDTLS_PSA_BUILTIN)_\w+_\w+' library/psa_crypto*.c | sed 's/^MBEDTLS_PSA_BUILTIN/PSA_WANT/' | sort -u); do grep -qw $x include/psa/crypto_config.h || echo $x; done
```
This looks for PSA_WANT_<kind>_<thing> macros that gate a part of the
library, as well as their MBEDTLS_PSA_BUILTIN_<kind>_<thing> counterparts.
This is not necessarily a complete list of identifiers that must appear
in the config file, since a few features are not gated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:18 +01:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Gilles Peskine
a651607b37 Skip restyling of PSA macros also defined in psa-arch-tests
Some preprocessor macro definitions must have a specific expansion so that
the same macro name can be defined in different products. The definition of
having the same expansion (per the C language specification) means the same
sequence of tokens, and also the same absence/presence of spacing between
tokens.

Two macros are also defined in headers in the PSA Compliance test suite, so
the test suite would fail to build if we changed the definitions. Preserve
those definitions. Technically this is a bug in the test suite, since having
extra spaces (or even a completely different constant expression with the
same value) would still be compliant. Bug reported as
https://github.com/ARM-software/psa-arch-tests/issues/337

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-04 19:55:35 +01:00
Gilles Peskine
45873ceba3 Skip restyling of PSA error code definitions
Some preprocessor macro definitions must have a specific expansion so that
the same macro name can be defined in different products. The definition of
having the same expansion (per the C language specification) means the same
sequence of tokens, and also the same absence/presence of spacing between
tokens.

For PSA error code definitions, the specific expansion is mandated by the
PSA Status code specification and the PSA Crypto API specification. In
particular, there must not be a space between (psa_status_t) and the
numerical value (whereas K&R would put a space).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-04 19:50:27 +01:00
Manuel Pégourié-Gonnard
2b70a3f831
Merge pull request #6558 from lpy4105/6416-psa_macros_name_typo
check_names: extend typo check to PSA macro/enum names
2022-12-13 09:56:27 +01:00
Tom Cosgrove
1797b05602 Fix typos prior to release
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-04 17:19:59 +00:00
Gilles Peskine
5a34b36bbd Remove more now-redundant definitions of inline
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-25 13:26:44 +01:00
Przemek Stekiel
152ae07682 Change password ec j-pake operation fields to more suitable
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-17 13:24:36 +01:00
Przemek Stekiel
348410f709 Make a copy of the key in operation while setting pake password
Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key.
This requires making this function public. This will have to be solved while adding driver dipatch for EC-JPAKE.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-11-15 22:22:07 +01:00
Pengyu Lv
c1ecb25d8a fix PSA_XXX typos detected by check_names.py
Fix the PSA_XXX typos detected by check_names.py.
PSA_WANT is actually not typo, but would cause a false negative
result. So PSA_WANT is reworded to PSA_WANT_xxx.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2022-11-08 18:22:53 +08:00
Manuel Pégourié-Gonnard
79617d99ae Fix namespacing issue
This macro is specific to the Mbed TLS implementation and not part of
the public API, so it shouldn't used the PSA_ namespace.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-05 12:55:50 +02:00
Manuel Pégourié-Gonnard
ec7012dbc7 Fix I/O format of PSA EC J-PAKE for compliance
The format used by the mbedtls_ecjpake_xxx() APIs and that defined by
the PSA Crypto PAKE extension are quite different; the former is
tailored to the needs of TLS while the later is quite generic and plain.
Previously we only addressed some part of this impedance mismatch: the
different number of I/O rounds, but failed to address the part where the
legacy API adds some extras (length bytes, ECParameters) that shouldn't
be present in the PSA Crypto version. See comments in the code.

Add some length testing as well; would have caught the issue.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-05 12:52:48 +02:00
Manuel Pégourié-Gonnard
f3f9e450b6
Merge pull request #6115 from AndrzejKurek/ecjpake-kdf-tls-1-2
Ad-hoc KDF for EC J-PAKE in TLS 1.2
2022-09-28 09:47:32 +02:00
Andrzej Kurek
e09aff8f5a Add information about ECJPAKE_TO_PMS output size expectations
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-26 10:59:31 -04:00
Andrzej Kurek
96b9f23853 Adjust ECJPAKE_TO_PMS macro value
This way the low 8 bits of the identifier indicate that this algorithm is used
with SHA-256.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-26 10:30:46 -04:00
Andrzej Kurek
3c4c514302 Remove PSA_ALG_IS_TLS12_ECJPAKE_TO_PMS
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-16 07:24:14 -04:00
Andrzej Kurek
1fafb1f778 Documentation clarifications for ECJPAKE-to-PMS
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-16 07:19:49 -04:00
Andrzej Kurek
18f8e8d62c Document the input size restriction for EC J-PAKE to PMS
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-14 08:44:34 -04:00
Andrzej Kurek
08d34b8693 Add an EC J-PAKE KDF to transform K -> SHA256(K.X) for TLS 1.2
TLS uses it to derive the session secret. The algorithm takes a serialized
point in an uncompressed form, extracts the X coordinate and computes
SHA256 of it. It is only expected to work with P-256.
Fixes #5978.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-09-14 08:39:26 -04:00
Neil Armstrong
fb3093a9cb Use PSA_PAKE_ROLE_NONE in PSA_PAKE_OPERATION_INIT macro instead of 0
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-08 14:59:32 +02:00
Neil Armstrong
ecb221b1ff Move operation buffer in operation struct and remove dynamic allocation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-09-08 11:21:07 +02:00
Neil Armstrong
a557cb8c8b Fixing XXX_ALG_ECJPAKE to XXX_ALG_JPAKE to match specification
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
7616ad28e3 Fix guard of ecjpake.h include in crypto_extra.h
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
63212ddf2f Fix formatting of PSA_PAKE_OPERATION_INIT macro
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
7aaa34a1ba Fix formatting of PSA_PAKE_OUTPUT_SIZE & PSA_PAKE_INPUT_SIZE macros
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
637d0a0290 Enable buildin PSA PAKE implementation when ECJPAKE_C is selected
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Neil Armstrong
35269d93da Fill psa_pake_operation and INPUT/OUTPUT min/max sizes for PSA PAKE builtin implementation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-08-31 10:49:18 +02:00
Tom Cosgrove
ce7f18c00b Fix a/an typos in doxygen and other comments
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-07-28 05:50:56 +01:00
Paul Elliott
0b5f4950cc
Merge pull request #5953 from tuvshinzayaArm/update-document-PSA_ALG_RSA_PSS
Update documentation of PSA_ALG_RSA_PSS
2022-07-14 10:40:21 +01:00
Manuel Pégourié-Gonnard
790ab52ee0
Merge pull request #5962 from gilles-peskine-arm/storage-format-doc-202206
Documentation about storage format compatibility
2022-07-01 12:21:17 +02:00
Gilles Peskine
955993c4b5 For status values, the macro expansions must not change either
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-29 14:37:17 +02:00
Gilles Peskine
7973399f7b Add compatibility notes regarding values embedded in the key store
Certain numerical values are written to the key store. Changing those
numerical values would break the backward compatibility of stored keys. Add
a note to the affected types. Add comments near the definitions of affected
values.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-20 18:41:20 +02:00
Gilles Peskine
f070a5e5d5 Document how PSA identifiers are generally constructed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-20 18:40:45 +02:00
Gilles Peskine
36aeb7f163
Merge pull request #5834 from mprse/HKDF_1
HKDF 1: PSA: implement HKDF_Expand and HKDF_Extract algorithms
2022-06-20 15:27:46 +02:00
Tuvshinzaya Erdenekhuu
44baacd089 Update documenation of PSA_ALG_RSA_PSS
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
2022-06-17 12:10:35 +01:00
Przemek Stekiel
3e8249cde0 Add PSA_WANT_ALG_HKDF_EXPAND, PSA_WANT_ALG_HKDF_EXTRACT, adapt code and dependencies
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-03 16:18:15 +02:00
Przemek Stekiel
73f97d4841 PSA_ALG_HKDF: add salt processing warning
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-03 16:18:15 +02:00
Przemek Stekiel
a29b488296 Optimize code by adding PSA_ALG_IS_ANY_HKDF macro
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-03 16:18:09 +02:00
Przemek Stekiel
459ee35062 Fix typo and style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-02 11:16:52 +02:00
Janos Follath
07c2e5e6d5
Merge pull request #5860 from superna9999/4745-psa-jpake-api-fixes
PSA J-PAKE API has missing elements and confusing documentation
2022-05-31 08:27:32 +01:00
Neil Armstrong
ccffab38a3 Remove linkage documentation on PAKE cipher-suite helpers
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-30 15:49:21 +02:00
Neil Armstrong
5ed8a0ec73 Overall PSA PAKE API style issues fixes
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-27 09:47:53 +02:00
Neil Armstrong
5892aa69e3 Fix typo in PSA_ALG_JPAKE documentation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-27 09:44:47 +02:00
Summer Qin
f0b4253c68 Remove duplicated PSA_WANT_ALG_CMAC in crypto_config.h
Signed-off-by: Summer Qin <summer.qin@arm.com>
2022-05-26 09:38:33 +08:00
Neil Armstrong
ef15751f08 PSA PAKE API typos in documentation fixes
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-25 11:49:45 +02:00
Neil Armstrong
72ab56a1fe Overall PSA PAKE API style issues fixes
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-25 11:48:37 +02:00
Neil Armstrong
eb93a6f1d8 Use PSA_ALG_NONE in PSA_PAKE_OPERATION_INIT to init psa_algorithm_t
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-25 11:41:05 +02:00
Neil Armstrong
2056ce5111 Fix PSA_PAKE_OUTPUT_MAX_SIZE/PSA_PAKE_INPUT_MAX_SIZE commment about parameters to PSA_PAKE_OUTPUT_SIZE/PSA_PAKE_INPUT_SIZE
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-25 11:38:15 +02:00
Neil Armstrong
e9b4581b16 Clarify BAD_STATE return documentation on bad ordering of input and output steps for psa_pake_input() & psa_pake_output()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
0d24575ad0 Clarify BAD_STATE return documentation of psa_pake_set_peer()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
59fa8ee090 Update return documentation of psa_pake_abort()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
97d74b8abb Update return documentation of psa_pake_get_implicit_key()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
407b27b516 Update return documentation of psa_pake_input()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
664077e3ae Update return documentation of psa_pake_output()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
2a6dd9c2a8 Rename & update documentation of function, types, and macros for psa_pake_set_role() and associated
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:52:30 +02:00
Neil Armstrong
16ff788f9d Update return documentation of psa_pake_set_peer()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
3585168259 Update return documentation of psa_pake_set_user()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
71cae6121d Update return documentation of psa_pake_set_password_key()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
4721a6f33e Update return documentation of psa_pake_setup()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
1614537697 Fix password wording in PSA_ALG_JPAKE documentation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
7bc71e9c04 Fix output_size documentation of psa_pake_output()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
cd974d590b Fix return documentation of PSA_PAKE_OUTPUT_SIZE
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
d5a4825b84 Add missing psa_pake_cs_get_bits()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
ff9cac72e7 Add missing psa_pake_cs_get_family()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
0c8ef93c8e Add missing psa_pake_abort()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
799106b441 Pass input as const reference and fix documentation of psa_pake_input()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:22 +02:00
Neil Armstrong
47e700e7de Pass cipher_suite parameter of psa_pake_setup() by const reference
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:51:20 +02:00
Neil Armstrong
0151c55b56 Add documentation of PSA_PAKE_OPERATION_INIT
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:50:58 +02:00
Neil Armstrong
5ff6a7fa97 Add missing psa_pake_cipher_suite_init()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 11:50:57 +02:00
Neil Armstrong
fb99302726 Add missing PSA_PAKE_CIPHER_SUITE_INIT
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-20 10:45:01 +02:00
bootstrap-prime
6dbbf44d78
Fix typos in documentation and constants with typo finding tool
Signed-off-by: bootstrap-prime <bootstrap.prime@gmail.com>
2022-05-18 14:15:33 -04:00
Przemek Stekiel
b398d8693f Update descryption of HKDF-Extract/Expand algs and fix comment
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-18 15:43:54 +02:00
Manuel Pégourié-Gonnard
4014a0408e
Merge pull request #5617 from gilles-peskine-arm/chacha20-rfc7539-test-vector
PSA: ChaCha20: add RFC 7539 test vector with counter=1
2022-05-12 12:34:20 +02:00
Dave Rodgman
58f591526e
Merge pull request #5732 from daverodgman/warmsocks_spellingfixes
Fixed spelling and typographical errors found by CodeSpell
2022-05-12 09:26:29 +01:00
Andrzej Kurek
5c65c5781f Fix additional misspellings found by codespell
Remaining hits seem to be hex data, certificates,
and other miscellaneous exceptions.
List generated by running codespell -w -L 
keypair,Keypair,KeyPair,keyPair,ciph,nd

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-05-11 21:25:54 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Przemek Stekiel
ebf6281ce6 crypto_values.h: fix description
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-11 14:16:05 +02:00
Przemek Stekiel
6b6ce3278e Add definitions for HKDF-Extract and HKDF-Expand algs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-05-10 12:38:27 +02:00
Antonio de Angelis
6729474fbb Fix key_id and owner_id accessor macros
The accessor macros for key_id and owner_id in the mbedtls_svc_key_id_t
need to have the MBEDTLS_PRIVATE() specifier as these fields are private

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
2022-05-05 18:45:31 +01:00
Gilles Peskine
2b5d898eb4
Merge pull request #5644 from gilles-peskine-arm/psa-storage-format-test-exercise
PSA storage format: exercise key
2022-04-28 18:20:02 +02:00
Przemek Stekiel
7f1c89d1d4 Provide other_secret, other_secret_length fields if MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS is defined
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-21 11:53:57 +02:00
Gilles Peskine
6d187afd8d psa_crypto does not support XTS
The cipher module implements XTS, and the PSA API specifies XTS, but the PSA
implementation does not support XTS. It requires double-size keys, which
psa_crypto does not currently support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 11:10:14 +02:00
Przemek Stekiel
c4b814a9c2 psa_tls12_prf_key_derivation_state_t: add optional step to set other key
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-07 15:01:50 +02:00
Przemek Stekiel
f4e8f01964 psa_tls12_prf_key_derivation_t: add other_secret and other_secret_length fields to handle mixed PSK
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-07 15:01:50 +02:00
Przemek Stekiel
37c81c4f05 Extend PSA_ALG_TLS12_PSK_TO_MS alg (add #PSA_KEY_DERIVATION_INPUT_OTHER_SECRET input)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-07 15:01:50 +02:00
Dave Rodgman
017a19997a Update references to old Github organisation
Replace references to ARMmbed organisation with the new
org, Mbed-TLS, following project migration.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-03-31 14:43:16 +01:00
Manuel Pégourié-Gonnard
c11bffe989
Merge pull request #5139 from mprse/key_der_ecc
PSA: implement key derivation for ECC keys
2022-03-14 09:17:13 +01:00
Gilles Peskine
14d3554ff5 ChaCha20 (PSA): Document that we only support 12-byte nonces
Support for 8-byte nonces may be added in the future:
https://github.com/ARMmbed/mbedtls/issues/5615

Support for a 16-byte IV for ChaCha20 consisting of a 12-byte nonce and a
4-byte initial counter value may be added in the future:
https://github.com/ARMmbed/mbedtls/issues/5616

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-03-10 18:56:57 +01:00
Przemyslaw Stekiel
6d3d18b2dc psa_generate_derived_key_internal, psa_generate_derived_ecc_key_weierstrass_helper: optimize the code
Perform the following optimizations:
- fix used flags for conditional compilation
- remove redundant N variable
- move loop used to generate valid k value to helper function
- fix initial value of status
- fix comments

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2022-02-22 13:35:27 +01:00
Andrzej Kurek
f7c1f747e2 doxygen: merge multiple descriptions of the same return codes
Organize some of the errors in a better way.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-02-03 11:30:54 -05:00
Manuel Pégourié-Gonnard
c38c1f2411
Merge pull request #5268 from gilles-peskine-arm/struct_reordering_3.0
Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:09 +01:00
Gilles Peskine
392113434a
Merge pull request #5263 from ronald-cron-arm/psa-test-driver_3.x
Forward port to 3.x: Introduce PSA test driver library to test PSA configuration
2021-12-07 12:52:20 +01:00
Ronald Cron
ef6ffe3033 psa: Fix Mbed TLS hash operation definition
Use PSA_BUILTIN macros instead of the Mbed TLS ones
as in the hash operation contexts the context for a
given hash is needed only if the support for it
through PSA is enabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
7975fae6bd Move to separately compiled PSA test driver library
This commit removes the test_psa_crypto_config_basic
all.sh component that can no longer work without
adapting it to the separately compiled test driver
library. This component is replaced by several
components in the following commits to test various
type of acceleration independently.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-06 07:50:27 +01:00
Ronald Cron
fcaba24697 psa: Fix hash max sizes
The PSA max hash size has to be 64 if SHA512 or
SHA384 is supported by the library or an
accelerator, not just in case of the library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-03 18:55:33 +01:00
Antonio de Angelis
e2b6866e0b Align function parameter names for mbedtls_set_key_owner_id in PSA headers
static function mbedtls_set_key_owner() is declared in psa/crypto.h
and defined in psa/crypto_struct.h with different parameter name for
the  mbedtls_key_owner_id_t parameter and that may trigger errors
from static code analysis tool as cppcheck.

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
2021-11-30 12:26:58 +00:00
Gilles Peskine
e3d9c9d99b PSA operation structures: move less-used fields to the end
Move fields around to have fewer accesses outside the 128-element Thumb
direct access window.

In psa_hkdf_key_derivation_t, move the large fields (output_block, prk,
hmac) after the state bit-fields. Experimentally, it's slightly better
to put hmac last.

Other operations structures don't go outside the window, at least when not
considering nested structures.

Results (arm-none-eabi-gcc 7.3.1, build_arm_none_eabi_gcc_m0plus build):
library/psa_crypto.o: 16510 -> 16434 (diff: 76)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-26 12:44:08 +01:00
Gilles Peskine
09c02ee95f Make PSA headers more self-contained
Several files among include/psa/crypto_*.h are not meant to be included
directly, and are not guaranteed to be valid if included directly. This
makes it harder to perform some static analyses. So make these files more
self-contained so that at least, if included on their own, there is no
missing macro or type definition (excluding the deliberate use of forward
declarations of structs and unions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-25 20:49:09 +01:00
Manuel Pégourié-Gonnard
087f04783d
Merge pull request #5076 from mstarzyk-mobica/psa_ccm_no_tag
PSA CCM*-no-tag
2021-11-10 10:18:55 +01:00
Gilles Peskine
f2fe31ab4e Reorder macro definitions
Definition before mention

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Gilles Peskine
f7b4137e69 Untangle PSA_ALG_IS_HASH_AND_SIGN and PSA_ALG_IS_SIGN_HASH
The current definition of PSA_ALG_IS_HASH_AND_SIGN includes
PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY, which don't strictly
follow the hash-and-sign paradigm: the algorithm does not encode a hash
algorithm that is applied prior to the signature step. The definition in
fact encompasses what can be used with psa_sign_hash/psa_verify_hash, so
it's the correct definition for PSA_ALG_IS_SIGN_HASH. Therefore this commit
moves definition of PSA_ALG_IS_HASH_AND_SIGN to PSA_ALG_IS_SIGN_HASH, and
replace the definition of PSA_ALG_IS_HASH_AND_SIGN by a correct one (based
on PSA_ALG_IS_SIGN_HASH, excluding the algorithms where the pre-signature
step isn't to apply the hash encoded in the algorithm).

In the definition of PSA_ALG_SIGN_GET_HASH, keep the condition for a nonzero
output to be PSA_ALG_IS_HASH_AND_SIGN.

Everywhere else in the code base (definition of PSA_ALG_IS_SIGN_MESSAGE, and
every use of PSA_ALG_IS_HASH_AND_SIGN outside of crypto_values.h), we meant
PSA_ALG_IS_SIGN_HASH where we wrote PSA_ALG_IS_HASH_AND_SIGN, so do a
global replacement.
```
git grep -l IS_HASH_AND_SIGN ':!include/psa/crypto_values.h' | xargs perl -i -pe 's/ALG_IS_HASH_AND_SIGN/ALG_IS_SIGN_HASH/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 15:48:15 +01:00
Mateusz Starzyk
c5c5b93611 Add missing PSA_KEY_ID_NULL macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
7d262dd1ee Add missing PSA_HASH_BLOCK_LENGTH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
359b5ab6ea Add missing PSA_ALG_NONE macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Mateusz Starzyk
e6d3edaf32 Add missing PSA_ALG_IS_SIGN_HASH macro.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 15:47:03 +01:00
Manuel Pégourié-Gonnard
4313d3ac87
Merge pull request #5010 from gilles-peskine-arm/psa-rsa-pss_any_salt
PSA: fix salt length for PSS verification
2021-10-29 16:36:36 +02:00
Manuel Pégourié-Gonnard
136819fe6e
Merge pull request #4959 from gilles-peskine-arm/psa-add-aria
Add ARIA to the PSA API
2021-10-29 09:38:06 +02:00
Mateusz Starzyk
594215be6e Add support for CCM*-no-tag to PSA.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-10-21 11:33:41 +02:00
Gilles Peskine
f6892dec2a Readability improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 16:28:32 +02:00
Gilles Peskine
09c46da27e Implement PSA_WANT_KEY_TYPE_ARIA
Follow what has been done for CAMELLIA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-08 15:48:16 +02:00
Gilles Peskine
acd2d0e923 New algorithm PSA_ALG_RSA_PSS_ANY_SALT
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.

In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).

Changes in this commit:

* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
  PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
  PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
  generate_psa_constant_names).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-05 14:26:25 +02:00
Paul Elliott
c7e7fe5c05 Add missing MBEDTLS_PRIVATE
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-27 09:23:40 +01:00
Paul Elliott
5977bc9e39 Add MBEDTLS_PRIVATE to new structs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-24 11:20:04 +01:00
Paul Elliott
71b0567c87 Merge remote-tracking branch 'upstream/development' into psa-m-aead-merge
Also fiixed the following merge problems:

crypto_struct.h   : Added MBEDTLS_PRIVATE to psa_aead_operation_s
                    members (merge conflict)
psa_crypto_aead.c : Added ciphertext_length to mbedtls_gcm_finish
                    call (change of API during development)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-09-24 11:18:13 +01:00
Gilles Peskine
6c12a1e9f2 Add ARIA to the PSA API
Use the encoding from an upcoming version of the specification.

Add as much (or as little) testing as is currently present for Camellia.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-21 11:59:39 +02:00
Gilles Peskine
69813477b0
Merge pull request #4758 from paul-elliott-arm/fix_cipher_output_size
Fix divide by zero if macro used with wrong key type
2021-07-30 18:56:18 +02:00
Paul Elliott
6603e2b81c Add fix to update output size macro as well.
Same issue with zero block length applies here.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-14 12:39:54 +01:00
Paul Elliott
c22950c9d0 Change PSA Cipher macro safety to use block length
Although checking if the key was symmetric was correct, its easier to
read if we just check the block length is not zero before we use it in a
division.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-14 12:39:54 +01:00
Archana
ef6aa5c46d Support Curve448 via the PSA API
Enable Curve448 support
Add test vectors to evaluate
* RFC 7748
* a known-answer public key export test.
* a known-answer ECDH (X448) test.

Signed-off-by: Archana <archana.madhavan@silabs.com>
2021-07-12 08:07:14 +05:30
Paul Elliott
a02003babe Fix divide by zero if macro used with wrong key
If PSA_CIPHER_ENCRYPT_OUTPUT_SIZE was called on a non symmetric key,
then a divide by zero could happen, as PSA_CIPHER_BLOCK_LENGTH will
return 0 for such a key, and PSA_ROUND_UP_TO_MULTIPLE will divide by the
block length.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-07 17:24:46 +01:00
Dave Rodgman
9f5774f56d
Merge pull request #4739 from gabor-mezei-arm/3258_fp30_implement_one-shot_MAC_and_cipher
Implement one-shot cipher
2021-06-30 17:04:23 +01:00
gabor-mezei-arm
47060db199 Give a better name for struct member
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:45:58 +02:00
gabor-mezei-arm
42cdb2a90b
Fix struct initialization
Fix initialization of mbedtls_psa_cipher_operation_t by not initializing the mbedtls_cipher_context_t typed field completely.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:49:00 +02:00
gabor-mezei-arm
43110b6b2c Do key usage policy extension when loading keys
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:05:49 +02:00
gabor-mezei-arm
86bf008782 Extend PSA_USAGE_SIGN/VERIFY_HASH key policies
According to the PSA specification the PSA_USAGE_SIGN_HASH has the
permission to sign a message as PSA_USAGE_SIGN_MESSAGE. Similarly the
PSA_USAGE_VERIFY_HASH has the permission to verify a message as
PSA_USAGE_VERIFY_MESSAGE. These permission will also be present when
the application queries the usage flags of the key.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:01:48 +02:00
Dave Rodgman
55a4d938d0
Merge pull request #4589 from bensze01/split_config
Add a level of indirection to config file inclusion
2021-06-28 17:54:51 +01:00
Janos Follath
8a88f6274c
Merge pull request #4726 from athoelke/at-pbkdf2-doc-fixes
Fixes for PBKDF2 documentation
2021-06-28 09:47:57 +01:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Bence Szépkúti
c662b36af2 Replace all inclusions of config.h
Also remove preprocessor logic for MBEDTLS_CONFIG_FILE, since
build_info.h alreadyy handles it.

This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^include/mbedtls/build_info\.h$' | xargs sed -b -E -i '
/^#if !?defined\(MBEDTLS_CONFIG_FILE\)/i#include "mbedtls/build_info.h"
//,/^#endif/d
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:24:07 +01:00
Andrew Thoelke
52d18cd9a4
Remove trailing space
Signed-off-by: Andrew Thoelke <andrew.thoelke@arm.com>
2021-06-25 11:03:57 +01:00
Ronald Cron
3698fa1043
Merge pull request #4673 from gilles-peskine-arm/psa_crypto_spm-from_platform_h
Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
2021-06-25 09:01:08 +02:00
Andrew Thoelke
a0f4b595c5
Fixes for PBKDF2 documentation
Fix typos in the PBKDF2 documentation

Correct the constraints on PSA_KEY_USAGE_DERIVE and PSA_KEY_USAGE_VERIFY_DERIVATION, aligning them with the note against psa_key_derivation_input_key(). All key inputs must have the required usage flag to permit output or verification.

Correct the constraints on PSA_KEY_DERIVATION_INPUT_SECRET and PSA_KEY_DERIVATION_INPUT_PASSWORD, aligning them with 4feb611. psa_key_derivation_verify_key() does not require the secret/password input to be a key.

Signed-off-by: Andrew Thoelke <andrew.thoelke@arm.com>
2021-06-24 16:47:14 +01:00
Gilles Peskine
91466c8d3f Hopefully clarify the example
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
52bb83e6ad Fix mbedtls_svc_key_id_is_null when KEY_ID_ENCODES_OWNER
A null key id is a null key id even when it has an owner attached to it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:53:56 +02:00
Gilles Peskine
d133bb2909 New macro PSA_KEY_LIFETIME_IS_READ_ONLY
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-23 13:43:08 +02:00
Paul Elliott
7220cae93c Ensure generate nonce unavailable in decrypt
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-06-22 22:14:47 +01:00
Gilles Peskine
e96c5854d0 Move the inclusion of crypto_spe.h to psa/crypto_platform.h
This makes it easier to ensure that crypto_spe.h is included everywhere it
needs to be, and that it's included early enough to do its job (it must be
included before any mention of psa_xxx() functions with external linkage,
because it defines macros to rename these functions).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 11:43:58 +02:00
TRodziewicz
10e8cf5fef Remove MD2, MD4, RC4, Blowfish and XTEA
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:25 +02:00
Ronald Cron
c4c761e35e Merge remote-tracking branch 'mbedtls/development' into mbedtls_private_with_python
Conflicts:
    include/mbedtls/ssl.h
    include/psa/crypto_struct.h

Conflicts fixed by using the code from development branch
and manually re-applying the MBEDTLS_PRIVATE wrapping.
2021-06-14 16:17:32 +02:00
Janos Follath
1f0131844c Clarify PSA_PAKE_STEP_ZK_PROOF format
Removing reference to RFC 7748 as it is more confusing than helpful. (It
decodes the scalars after masking which is not part of the encoding we
want to specify. Also, it has the explanation what it means by little
endian in a preceding section that is not trivial to find.)

We also explicitly specify constraint on leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:30:48 +01:00
Janos Follath
46c02375b7 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 15:22:51 +01:00
Janos Follath
0dcda95ac0 Make check-names.sh happy
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:52:05 +01:00
Janos Follath
33434a9f60 Fix parenthesis spacing in crypto_struct.h
crypto_struct.h is implementation-specific so it was intended to have
Mbed TLS whitespace style.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:51:40 +01:00
Janos Follath
55dd5dc355 PSA PAKE: Clarify the documentation of NIZKP steps
The expression "the masking is omitted" assumes familiarity with
Montgomery curve private key format and even then can be confusing and
ambiguous or confusing.

Describe directly what format we mean and add some more background
information and reference to the standard as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b384ec19d1 PSA PAKE: fix J-PAKE documentation code rendering
4-space indent is only guaranteed to result in a code block if there's a
blank line just before (details vary depending on the markdown
implementation, and doxygen isn't exactly markdown anyway). In a bullet
list, you need 8 spaces since the list itself is a nested construct
which takes a 4-space indent (even though you don't have to indent
continuation lines inside a bullet point by 4 spaces, 1 is enough).

Using \code...\encode which is rendering as intended.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
3293dae00e psa_pake_setup(): simplify documentation
This level of detail can be confusing and could require even more detail
to clear it up. Simplifying it instead in alignment wiht the
documentation of existing setup functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
b4db90fb27 PSA PAKE: improve documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
38d29db75f Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
a46e28f786 PSA PAKE: use neutral pronouns
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
ec83eb605e Fix copy+paste mistake
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
52f9efad22 Revert "Rename psa_pake_set_password()"
This reverts commit 03a5fd7780026b2ca0b4728352ded930f5a7cff9.

We're already calling the output of a PAKE a "shared secret". The
password is a shared secret (for PAKE where the verifier knows a
password-equivalent secret), but calling it "shared secret" or even just
"secret" would be confusing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
89ee05a805 Rename psa_pake_set_password()
Technically this function takes a low entropy secret as an input which
might or might not be the password. Using the term "secret" in the
function name is less misleading.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
559f05eefc PSA PAKE: remove psa_pake_set_password_stretch()
The password stretching (using slow and/or memory hard hashes) in PAKEs
usually serves two purposes:

- Defending against server compromise impersonation attacks. J-PAKE is an
augmented PAKE and as such, stores a password-equivalent and defending
against this class of attacks is out of scope.
- Preventing offline dictionary attacks. J-PAKE is proven to be zero
knowledge and leaks no information beyond the fact if the passwords
matched and offline dictionary attack is not possible.

In summary: J-PAKE does not benefit from pasword stretching and is
unlikely to be an input. This part of the API is not necessary at this
point and can be added later.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
7d69b3a993 PSA PAKE: add warning about stability
We are not confident about the stability of the PAKE interface (it is
just a proposal, not part of the standard yet).  So we should explicitly
document it as experimental, subject to change.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:37 +01:00
Janos Follath
702cf09ae9 PSA PAKE: move the API to crypto_extra.h
At this point this is a proposed PAKE interface for the PSA Crypto API
and not part of the official standard. Place the interface in
crypto_extra.h to make this clear.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:48:34 +01:00
Janos Follath
304766e11e PSA PAKE: make algorithm macro name consistent
The API has PSA_ALG_GCM and not PSA_ALG_AEAD_GCM, PSA_ALG_MD5 and not
PSA_ALG_HASH_MD5, etc., so PSA_ALG_PAKE_JPAKE should be PSA_ALG_JPAKE as
well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
a295918596 PSA PAKE: add input size macros
The caller is likely to receive the inputs on the wire, and having a
known size for which they can confidently reject longer inputs would be
helpful in cases where the application can't just use the input in
place.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Janos Follath
5e1948d2a3 PSA PAKE: define size macros as 0
Define the size macros to 0 rather than empty. That will lead to fewer
weird errors when we start implementing.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-08 14:40:57 +01:00
Mateusz Starzyk
2abe51cc75 Extend setup_and_run script to cover remaining configurations.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-07 11:08:01 +02:00
Janos Follath
79e1c47a54 PSA PAKE: explain implicit key confirmation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7c59b7a073 Improve psa_pake_set_peer()/user() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
56a4d7a59f Simplify PAKE input/output format documentation
Make input/output format documentation easier to find:
- Add direct reference to the steps from the input/output functions
- Move the format description directly to the step constants

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ead0e4fc7b PSA PAKE: Clarify J-PAKE algorithm documentation
- Transformed setup description to a more explicit pseudocode based
approach.
- Explained implicit vs explicit key confirmation

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
d416838ffd Rename psa_pake_set_password_mhf()
This step is not necessarily a memory-hard function. Memory-hard
functions are the best of the breed at the moment, but that's due to
current hardware designs, and CPU-hard-but-not-memory-hard functions
like PBKDF2 are acceptable as well. We're using “key stretching” as the
generic term for such functions.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
3ae6696811 Clarify psa_pake_setup() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
19271ea183 PSA PAKE: Clarify documentation of valid states
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
9a04aeaff5 PSA PAKE: improve and fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
7b8910322c PSA PAKE: refine documentation of return values
The key derivation operation passed to psa_pake_set_password_mhf() might
enter an error state before the function returns. If this happens, the
user needs to know about it so that they can properly abort it.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
e1a080f1f8 Improve psa_pake_set_password_mhf() documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
1062a24152 Fix psa_pake_set_password_mhf() parameter list
The type of the key derivation operation was incorrect.

Also neither the PAKE nor key_derivation algorithm knows how many bytes
to transfer at this stage.

There is no optimal or recommended size, PAKEs don't mandate it either
(with the exception of OPAQUE, but that uses it internally and won't be
using this interface).

Adding an input length parameter to allow the application to control how
many bytes the PAKE takes from the key derivation.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
14ce06afe2 PSA PAKE: fix documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ef816f37be Fix precedence in psa_pake_cs_set_primitive()
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:32 +01:00
Janos Follath
ed82716546 Remove always false comparison PSA_PAKE_PRIMITIVE
Always false comparison triggered compiler warnings. Removing comparison
while preserving semantics to achieve clean build.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
60fa7c59b2 PSA PAKE: document operation parameters
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
b0bcb633ff Link PSA_KEY_TYPE_PASSWORD in the documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
fe0c4493f5 Add psa_pake_set_password_mhf()
Using memory hard functions with PAKEs is the more secure option. It
should be as convenient and efficient to use as less secure options, but
so far it required creating an additional temporary key object.

With psa_pake_set_password_mhf() this eliminates the need for this.

Similarly we could add a convenience function to supply the password
directly from character strings, but that would make the less secure
option more convenient again and therfore we are not doing it now.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
56cc9ccc39 PSA PAKE: Align macro names with psa_pake_step_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
3c09c47333 PSA PAKE: remove redundant steps
PAKE constructions that have multiple key shares will always consume and
produce the key shares in numerical order. So using PSA_PAKE_DATA_XXX_X
would demand step-sequence validation, and provides no functional
utility over having only PSA_PAKE_DATA_XXX.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
a71811aa4c Fix typo
Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00
Janos Follath
78b9e40662 PSA PAKE: reintroduce psa_pake_primitive_t
If PSA_PAKE_OUTPUT_SIZE takes cipher_suite as a parameter and it is a
structure it can't be a compile-time constant anymore.

Reintroducing psa_pake_primitive_t, because it can be constructed as an
integral type and holds enough information to allow PSA_PAKE_OUTPUT_SIZE
calculating accurate estimates on the output size in compile time.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2021-06-03 12:37:31 +01:00