Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
If some algorithms are excluded in the build, it's ok for the corresponding
macros not to give the correct results. Therefore the corresponding test cases
should depend on the implementation of the algorithm. For example, it's ok for
PSA_HASH_MAX_SIZE to be less than PSA_HASH_SIZE(PSA_ALG_SHA_512) if we build
without SHA-512 support, and we indeed do this. It's even ok for an
implementation to return 0 for PSA_ALG_IS_HASH(PSA_ALG_SHA_512) if it doesn't
support SHA-512; we return 1 anyway but the tests are less
implementation-specific if we don't enforce it.
This commit adds dependencies on symbols that don't exist in Mbed TLS,
for algorithms that Mbed TLS doesn't implement. These are:
MBEDTLS_SHA512_256 for SHA-512/256, MBEDTLS_SHA3_C for SHA-3,
MBEDTLS_DSA_C and MBEDTLS_DSA_DETERMINISTIC for DSA, and
MBEDTLS_ECP_DP_xxx_ENABLED for elliptic curves that have a PSA
encoding but are not supported in Mbed TLS.
For all key types, validate feature test macros (PSA_KEY_TYPE_IS_xxx).
For asymmetric keys (public key or key pair), validate the
corresponding public/pair type.
For ECC keys, validate GET_CURVE.
For all algorithms, validate feature test macros (PSA_ALG_IS_xxx).
For hash algorithms, validate the exact hash size, and validate
xxx_GET_HASH macros on dependent algorithms.
For MAC algorithms, validate the MAC size. For AEAD algorithms,
validate the tag size.
There is a separate test case for each HMAC algorithm, which is
necessary because each has its own MAC size. For other hash-dependent
algorithms, there is no interesting variation to test here, so only
one hash gets tested.
None of the currently defined MAC algorithms have a MAC size that
depends on the key size, so the key_bits parameter is unused. The
key_type parameter may be unused on an implementation where there is
no block cipher MAC. Declare the key_type and key_bits parameters as
used so that callers who define a variable just for this don't risk
getting "unused variable" warnings.
The macro was used under the name PSA_ALG_IS_BLOCK_CIPHER_MAC but
defined as PSA_ALG_IS_CIPHER_MAC. That wouldn't have worked if we used
this macro (we currently don't but it may become useful).
TLS now defines named curves in the "TLS Supported Groups registry",
but we're using the encoding only for elliptic curves, so don't
include values that aren't named curve.
While we're at it, upgrade the reference to the shiny new RFC 8422.
OFB and CFB are streaming modes. XTS is a not a cipher mode but it
doesn't use a separate padding step. This leaves only CBC as a block
cipher mode that needs a padding step.
Since CBC is the only mode that uses a separate padding step, and is
likely to remain the only mode in the future, encode the padding mode
directly in the algorithm constant, rather than building up an
algorithm value from a chaining mode and a padding mode. This greatly
simplifies the interface as well as some parts of the implementation.
Mbed TLS distinguishes "invalid padding" from "valid padding but the
rest of the signature is invalid". This has little use in practice and
PSA doesn't report this distinction. We just report "invalid
signature".
Don't rely on static initialization of a flexible array member, that's
a GNU extension. The previous code also triggered a Clang warning
"suggest braces around initialization of subobject" (-Wmissing-braces)
for `struct {char a[]} = {"foo"}`.
This is not useful to validate the implementation when importing
canonical input, which is the case for most import/export test cases,
but it helps validate the sanity checks themselves.
Implement sanity checks of exported public keys, using ASN.1 parsing.
Rewrite the sanity checks of key pairs using ASN.1 parsing, so as to
check more things with simpler code.
