Commit graph

8774 commits

Author SHA1 Message Date
Gilles Peskine
9e1be6a246 Create the NV seed file for the tests if needed
Write an all-bits-zero NV seed file for the tests. Without this, if
the seed file is not present when this test suite is executed, the
PSA module initialization will fail, causing most test cases to fail.

Also write an all-bits-zero NV seed file at the end. The test cases in
this test suite mess with the file, but subsequent test suites may
need it.
2018-11-23 22:58:40 +01:00
Gilles Peskine
0fce4c5830 Add init tests with entropy from NV seed 2018-11-23 22:58:40 +01:00
Gilles Peskine
0b3b5733fc Support NV seed enabled at compile time but not at runtime
When testing with custom entropy sources, if MBEDTLS_ENTROPY_NV_SEED
is enabled at compile time but the NV seed source is not used at
runtime, mbedtls_entropy_func makes a second pass anyway. Cope with
this in the test code by telling the entropy module not to make this
second pass.
2018-11-23 22:58:40 +01:00
Gilles Peskine
ebe770c693 Add tests with a fake entropy source
Add tests with a fake entropy source to check that the required amount
of entropy is one block, fed in one or more steps.
2018-11-23 22:58:40 +01:00
Gilles Peskine
5e76952235 Add a facility to configure entropy sources
Add a function to configure entropy sources. For testing only.

Use it to test that the library initialization fails properly if there is no
entropy source.
2018-11-23 22:58:38 +01:00
Gilles Peskine
c6b6907066 Make library init and deinit more robust to errors
Allow mbedtls_psa_crypto_free to be called twice, or without a prior
call to psa_crypto_init. Keep track of the initialization state more
precisely in psa_crypto_init so that mbedtls_psa_crypto_free knows
what to do.
2018-11-22 13:46:51 +01:00
Gilles Peskine
445e225745 Test that deinit deactivates random generation and key slots 2018-11-22 13:41:38 +01:00
Gilles Peskine
b309eec4a5 Move library initialization tests to a new test suite 2018-11-22 13:41:38 +01:00
Gilles Peskine
a678f233a7
Merge pull request #197 from netanelgonen/entropy-inject
Add entropy inject API (#197)
2018-11-21 19:21:05 +01:00
avolinski
0d2c266c06 change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID 2018-11-21 17:31:07 +02:00
avolinski
1c66205df6 Remove trailing space in psa_crypto.c 2018-11-21 16:54:09 +02:00
Gilles Peskine
83146e10bb
Merge pull request #211 from ARMmbed/bug_fix_210
Fix memory allocation check in psa_save_generated_persistent_key (#211)
2018-11-21 15:51:07 +01:00
avolinski
13beb100c2 Adjust psa entropy inject tests to take as minimum seed size
the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE
2018-11-21 16:24:53 +02:00
avolinski
7cc8229d80 Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
avolinski
4d27c94aee Adding testcase for PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM 2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec Add Tests for psa crypto entropy incjection
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Gilles Peskine
ee2ffd311b Document the maximum seed size as well as the minimum 2018-11-21 16:23:42 +02:00
Gilles Peskine
0338ded2f4 Improve documentation of mbedtls_psa_inject_entropy
Explain what the function does, why one would use it, how to use it,
how to handle its input, and what the status codes mean.
2018-11-21 16:23:42 +02:00
Netanel Gonen
212a793217 add MBEDTLS_PSA_HAS_ITS_IO to config.h 2018-11-21 16:23:42 +02:00
Netanel Gonen
9468bb241c Add Tests for psa crypto entropy incjection 2018-11-21 16:23:41 +02:00
Netanel Gonen
2bcd312cda Add entropy injection function to psa cripto APIs 2018-11-21 16:15:14 +02:00
itayzafrir
910c76b3d1 Check that memory allocation was successful in psa_save_generated_persistent_key 2018-11-21 16:10:33 +02:00
Gilles Peskine
3d5d8372a5
Merge pull request #198 from ARMmbed/psa_crypto_its
PSA Crypto Storage backend implementation over PSA ITS APIs (#198)
2018-11-21 15:04:03 +01:00
Jaeden Amero
dbb83ac5f7
Merge pull request #194 from ARMmbed/dev/Patater/enable-use-as-submodule-only
Enable use as submodule only (no removal of non-crypto)
2018-11-21 12:53:12 +00:00
Jaeden Amero
3c7cc5eb18 Makefile: Install PSA headers
When running `make install`, it can be desirable for the PSA Crypto header
files to get installed as well, so that the PSA portions of the library are
usable.
2018-11-21 12:17:31 +00:00
Jaeden Amero
852dac2df8 README: Update with the CMake build option
Note that one can also use CMake and doesn't strictly require GNU Make. For
instance, telling CMake to output Visual Studio project files and using
those would preclude the need for GNU Make.
2018-11-21 12:17:31 +00:00
Jaeden Amero
a49ba5ea5f README: Specify that C99 is required 2018-11-21 12:17:31 +00:00
Jaeden Amero
11293ccced README: Update with how to use as a subproject 2018-11-21 12:17:31 +00:00
Jaeden Amero
c6e4ab00a8 Use parent module includes when used as a submodule
For Makefiles, enable overriding where includes can come from in order to
enable the parent module to set the include path. This allows the parent
module to specify that its config.h should be used, even when the submodule
when built standalone would use a different config.h.

For CMake, always look in the parent's include folder and our own. List the
parent's include folder first, so that preference is given to parent
include files.
2018-11-21 12:17:31 +00:00
Jaeden Amero
74a04cdd59 Remove exporter script
We no longer need an exporter script as we'll use our existing tooling in
the top level directory for builds and releases.
2018-11-21 12:17:29 +00:00
Jaeden Amero
c74fe6a3e7 Add Mbed Crypto README.md
Move our Mbed Crypto README out from the crypto folder and up to the top
level for better visibility when using Mbed Crypto as a submodule of Mbed
TLS.
2018-11-21 12:16:40 +00:00
Jaeden Amero
5ae1fb6f69 CMake: Don't build non-crypto when a subproject
When building Mbed Crypto as a subproject, don't add targets for
libmbedx509 or libmbedtls, as the parent project should build these. The
parent project will define USE_CRYPTO_SUBMODULE variable when using Mbed
Crypto as a submodule, so we can depend on that variable to control whether
or not we build non-crypto libraries.
2018-11-21 12:16:40 +00:00
Jaeden Amero
3a45d9e13b CMake: psa: Enable installing of headers
When installing via CMake, also install PSA headers so that PSA APIs can be
more easily used from the installed library.
2018-11-21 12:16:40 +00:00
Moran Peker
a26d764bae Add new PSA Crypto Storage backend implementation using ITS APIs
The new file is conditionally compiled with the new mbedtls
configuration option that  Mbed OS would set by default -
`MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C`.

-
2018-11-21 13:28:10 +02:00
Moran Peker
a90abf13b6 add MBEDTLS_PSA_HAS_ITS_IO
update config.h,config-psa-crypto.h, version_features.c and config.pl
2018-11-21 13:28:09 +02:00
Moran Peker
4611956560 Add new MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C configuration option
- update configuration requires
- update check_config.h to include MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
- update con and config.h
2018-11-21 13:28:09 +02:00
Jaeden Amero
6b58b2c02a
Merge pull request #92 from ARMmbed/dev/dgreen-arm/import-export-merge
Persistent key import/export
2018-11-21 11:22:53 +00:00
Darryl Green
0c6575a84d psa: Extend psa_generate_key to support persistent lifetimes 2018-11-20 15:40:32 +00:00
Darryl Green
dd8fb777ce psa: Refactor psa_internal_export_key to use slot, rather than key
When generating keys that have persistent lifetime, we will need
the keys to be in the exported format to save to persistent storage.
This refactoring to separate checking the slots usage from the
exporting of the key data will be necessary for using
psa_internal_export_key in psa_generate_key.
2018-11-20 15:40:32 +00:00
Darryl Green
d49a499d03 psa: Implement persistent keys
Allow use of persistent keys, including configuring them, importing and
exporting them, and destroying them.

When getting a slot using psa_get_key_slot, there are 3 scenarios that
can occur if the keys lifetime is persistent:

1. Key type is PSA_KEY_TYPE_NONE, no persistent storage entry:
   -  The key slot is treated as a standard empty key slot
2. Key type is PSA_KEY_TYPE_NONE, persistent storage entry exists:
   -  Attempt to load the key from persistent storage
3. Key type is not PSA_KEY_TYPE_NONE:
   -  As checking persistent storage on every use of the key could
      be expensive, the persistent key is assumed to be saved in
      persistent storage, the in-memory key is continued to be used.
2018-11-20 15:40:25 +00:00
Darryl Green
40225ba709 psa: Refactor psa_destroy_key()
Create a new function psa_remove_key_from_memory() from psa_destroy_key().
This is needed as psa_destroy_key() will remove all key data, including
persistent storage. mbedtls_psa_crypto_free() will now only free in-memory
data and not persistent data.
2018-11-20 15:21:22 +00:00
Darryl Green
06fd18de37 psa: Move get_key_slot functions
Move the psa_get_key_slot and related static functions as they will need
to call psa_import_key_into_slot() for persistent keys.
2018-11-20 15:21:22 +00:00
Darryl Green
940d72c3e8 psa: Refactor psa_import_key()
Create a new function psa_import_key_into_slot() from psa_import_key().
This is common functionality that will be used both when importing a
key and loading a key from persistent storage.
2018-11-20 15:21:22 +00:00
Moran Peker
96ebf9efcf psa: Add magic header to storage backend
Add a magic header to the storage format used with files. The
header is used as an initial check that the data is what we expect,
rather than garbage data.
2018-11-20 15:21:22 +00:00
Darryl Green
db2b8db715 psa: Add storage implementation for files
Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.

An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.
2018-11-20 15:21:22 +00:00
Darryl Green
d9eee3b417 Add library as valid header file location
The persistent key implementation will be split across multiple
files as it will eventually be implementing multiple storage
backends. As these internal functions will need to be callable by
other files, we will add the headers in the library folder. This
commit adds this include location to the necessary scripts.

For tests, the library is added as an include location as testing
on-target with Mbed OS is not possible with paths including ".."
2018-11-20 15:21:22 +00:00
Jaeden Amero
09909bc00d
Merge pull request #206 from ARMmbed/psa-test-config-default
Add config-default to test-ref-configs.pl
2018-11-20 12:23:05 +00:00
Gilles Peskine
76a449ba49 Add config-default.h to test-ref-configs.pl
This commit adds the default upstream configuration to the set of
tests we run on CI, which was long overdue.

config-default is a copy of the Mbed TLS upstream config.h. It's
useful for two things: to compare our local changes to
include/mbedtls/config.h, and to test that we aren't breaking the
default upstream configuration.

Run a subset of the TLS tests that focus on exercising cryptographic
algorithms as used from TLS. Don't run the full set of TLS tests
because they're unlikely to be affected by changes in the PSA branch.
2018-11-20 12:05:51 +01:00
Jaeden Amero
d6c91282df
Merge pull request #200 from ARMmbed/dev/Patater/merge-mbedtls-2.14.0-rc1
Merge mbedtls-2.14.0
2018-11-20 11:00:09 +00:00
Jaeden Amero
9989b5e662 Update config-default.h to latest default config
Upstream mbedtls maintains the default configuration in
include/mbedtls/config.h. We maintain the default configuration in
configs/config-default.h, and our PSA-specific configuration in
include/mbedtls/config.h. This means, each time we update Mbed TLS, we need
to update the default configuration file (configs/config-default.h)
manually using the copy from mbedtls.
2018-11-20 10:33:45 +00:00